Removing wp- on files
-
Is it safe to remove the wp- on all the files? Or is that a required item?
For example, wp-content: can we change it to just content?
-
Renaming the files doesn’t actually secure them. Someone can still guess the file names.
Obviously enough. It’s like passwords, isn’t it? Picking names of your pets doesn’t secure your password but if you make it hard to guess, it makes the guessing game harder, doesn’t it?
Do you ever log into your WordPress from a public computer; or from a public wireless network?
No.
Joe BadGuy simply browses to yoursite.com/wp-admin/ — bingo, he’s redirected to your login page.
Only if he knows the name of the admin directory, otherwise (same as above) he has to play the guessing game.
I assume you’re hoping to “hide” the fact that you’re running a WordPress blog.
No.
It really doesn’t gain you any real security. In reality, yes, you are less likely to be attacked if you rename your files, because most automated attack tools are built to work on a specific target.
You’ve just contradicted yourself in one sentence. Please read it again.
But someone could easily write a script to try to load every single possible combination of letters and numbers, hoping to stumble upon your renamed login page.
Absolutely true but here’s a well known security fact: It does deter lots of what I earlier called cracking “beginners” and for that reason alone is worth doing.
While I agree with the essence of what skippy and kafkaesqui are saying, my objective is to always make it difficult to crack. Not impossible, just difficult.
I still continue to put on my seat belt every time I get in my car, knowing full well that it won’t protect me from every possible collision. But it’s better than no belt at all.
What about you?
You have still failed to explain why the login page is such a security risk. Skippy is correct when he says that, “Joe BadGuy simply browses to yoursite.com/wp-admin/ — bingo, he’s redirected to your login page.” But, according to you, that is still a threat. Why is it a threat? If Joe BadGuy wishes to proceed past the login page, he must still enter a valid username and password. That’s what login pages were designed for.
Perhaps I didn’t explain it properly, so let me try again:
1. Any login page is obviously a security weak point, just ask the security experts.
2. If its URI is guessable by everyone, then it means that anyone can try and guess a username/password.
3. Obscuring it does have a deterring effect.
BTW: Currently WP 1.5.1.3 is even very obliging in telling you which one out of username/password you got wrong!
Skippy is not correct when he says that, “Joe BadGuy simply browses to yoursite.com/wp-admin/ — bingo, he’s redirected to your login page.” because he doesn’t know the URI for the admin page, does he? Unless I leave it as /wp-admin, of course.
Does that make more sense?
1. True, but pointless. Every web-based blog, CMS, and forum has a login page. Trying to hide it is a moot point, because it still exists. If a hacker is capable of hacking your login page, he/she is also capable of finding your login page.
2. The best defense is always a good password. If you are so concerned, just use .htaccess to password protect your admin directory. That will at least give you two layers of protection.
3. No, Skippy was correct when he said, “Joe BadGuy simply browses to yoursite.com/wp-admin/ — bingo, he’s redirected to your login page,” because any Joe BadGuy who browses to your admin directory (no matter what it’s named) will be redirected to your login page.
I highly doubt that you’ll ever see some sort of easy directory re-naming feature in WP. It is simply too difficult to implement, and too much to expect out of a free/open source blogging platform. If you do, however, come up with a system that can be dynamically applied to all WordPress installations, feel free to submit the patch. “Open source” is, after all, about “community effort”. Just a warning, you’ve got a long road ahead of you. With those being the common directory and file names, they are called in several locations amongst the many WordPress files, not to mention many 3rd-party plugins as well.
Stupid question perhaps, but are you going to use any of the popular themes? All of them that I know of have a link to the admin pages, so the script kiddies will still be able to sniff it out easily enough.
Why not put in a feature request to have the login page name randomly generated on install, so it would always be unique?
Skippy was correct when he said, “Joe BadGuy simply browses to yoursite.com/wp-admin/ — bingo, he’s redirected to your login page,” because any Joe BadGuy who browses to your admin directory (no matter what it’s named) will be redirected to your login page.
Wrong.
What admin directory? What is the name of the admin directory that you and skippy think “joe badbloke” can browse: wp-admin, admin, cactus, what?
And there lies my point: you don’t know the name of it, so you have to play the guessing game and the guessing game does deter the beginners.
Oh and:
Just a warning, you’ve got a long road ahead of you. With those being the common directory and file names, they are called in several locations amongst the many WordPress files, not to mention many 3rd-party plugins as well.
You don’t have to remind me, I already said that. Read my first post.
Stupid question perhaps, but are you going to use any of the popular themes? All of them that I know of have a link to the admin pages, so the script kiddies will still be able to sniff it out easily enough.
No, I don’t think all the themes do have a login link. I can’t talk specifics though. In any case, it’s easy to take that bit out. Like I suggested in my first post: this is not something newbies should be doing because of code editing, especially as you’re changing core files.
Why not put in a feature request to have the login page name randomly generated on install, so it would always be unique?
That’s a possibility but we’re not just talking about the login page, as you may have guessed. There’s also the whole “admin” directory location.
In any case, I’m not advocating that it should be done, it’s just an extra layer of security, along with (1) login failure notifications ambiguity, (2) flood protection, (3) IP range banning, (4) strong passwords, etc, etc, etc.
I think your time would be better spent coming up with a good password rather than trying to rename all of the WordPress files.
And actually, just bury the WordPress files in a folder or two if you really are paranoid (which I think you are to be frank). (You can have your WordPress files in a different directory than your blog. My blog for example has all of its files in /wordpress/.) Then just don’t use relative URLs in your template or anywhere else that points to inside your WordPress directory.
Also .htaccess password protect your wp-admin. But anyway, as I said, I think you have ‘the sky is falling’ syndrome.
There’s plenty that security people have written at length about the “Security through Obscurity” issue. One of the most enlightened chaps on the planet is Bruce Schneier, and he has this to say.
Summary: if you feel it will help, do it, but don’t confuse obscurity with security.
I always remove the wp- from the files. It’s very easy and takes a few minutes with a search and replace (on wp- not wp). Even with third party plugins this is an incredibly easy task. I’m a little amused as to why so many experienced people here have difficulty with it, I can only assume you have never done it. Of course if your definition of a ‘long road’ is 5 minutes work then I take that back.
It is a good security precaution as many crackers/spammers use Google to select potential victims. For example:
https://www.google.com/search?hl=en&q=inurl%3Awp-admin
https://www.google.com/search?hl=en&q=inurl%3Amt-comment.cgi
I can tell you from experience that avoiding ‘default’ names such as phpBB for directories does deter a lot of attacks.
Another good reason for obscuring software footprints is that it deters automatic spamming scripts, or scripts run to find blogs. As in the case above they use ‘footprints’ to determine if you belong to a group.
Having known ‘group characteristics’ can also come back to haunt you in regard to search engines. They have been shown in the past to use footprints to penalise/demote a group which are becoming too prominent in the SERPS.
People are correct in saying this is not the be-all of security. It has to be applied in many layers but this is one precaution that helps (as you rightly say pizdin_dim!)
If you cannot use a tool with search and replace (or even know what this means) then of course, this may be a little beyond you and it may be best to stick with the defaults.
Kinomuto: Thank you! It’s good to see that there are others out there that are concerned sufficiently about security to recognise that it (security) has a number of aspects to it.
Viper007Bond: What if I were to say that you’re naive to think that this aspect of security is not important? Would you be offended? My “the sky is falling syndrome” is based on lots and lots of experience. Should I be offended that you think that of me?
I think your time would be better spent coming up with a good password rather than trying to rename all of the WordPress files.
You have totally mis-read my post. At no stage did I suggest that good passwords were not essential.
Ear1grey: Bruce Schneier says this in the conclusion:
“Obscuring system details is a separate decision from making your system secure regardless of “publication”.
My interpretation is that he supports what I’m saying.
Obscurity is definitely a part of security, despite some of these trendy catchphrases and weasel words that occasionally get used by most of us at least some of the time.
There’s an important distinction to be made between “securing” and “hiding”.
I do not feel I was contradictory at all. Hiding your admin section in a different name may reduce the number of automated attacks you might receive. But it does nothing to actually fix any security vulnerabilities that might be present.
Your hidden WordPress is just as likely to have unpatched vulnerabilities as my published WordPress. If an attacker does find your admin interface, they can easily modify whatever automated tools they use for your site.
How can they find your admin site? Dictionary attack your URLs. Gain access to one of the sites listed in the WP Dashboard (or get their own site added to the Dashboard, depending on how savvy they are) and look for referrals from your admin area. I’m sure there are other mechanisms. Plugin authors, for example, see the URI of your admin area when you click a plugin link from Options -> Plugins.
Hiding your admin area often gives people a false sense of security: it’s hidden, so no one will find it! They then neglect to review their server logs, or exercise other due diligence.
You’re clearly ahead of the game, pizdin_dim. You will, I hope, forgive us for not recognizing that from your initial post.
Additional measures to actually secure your admin interface are to use HTTP basic authentication; use my secure login plugin; modify my secure login plugin to use HTTP basic auth instead of certificates, as necessary; restrict by IP address who may access your admin area; etc.
Just a note to expand on my “Uh, there just went your “security”” above: look at the source of your login page. It provides a link tag to the admin css file, as well as a hidden form field for the redirect, both of which tell me what your admin directory name is.
If someone is *truly* interested in the security of their blog, renaming files by removing wp_ from them is not the solution.
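The leak skippy describes (the admin stylesheet link and the hidden redirect field on the login page both naming the admin directory) is easy to check for on your own site after a rename. The following is an added example, not code from WordPress or from anyone in this thread; it assumes you saved the login page HTML to a string, and the sample page below is constructed to resemble a WP 1.5-era login form with the admin directory renamed to a made-up name, "cactus".

```python
"""Self-check: does the login page HTML reveal the (renamed) admin directory?

Scans every URL-like attribute (href, src, action, value) and reports the
ones that contain the admin directory as a path segment. Added example;
the admin directory name "cactus" and the HTML are constructed for the demo.
"""
import re
from html.parser import HTMLParser


class _RefCollector(HTMLParser):
    """Collect (tag, attribute, value) for attributes that look like paths/URLs."""
    URL_ATTRS = ("href", "src", "action", "value")

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):  # also called for self-closing tags
        for name, value in attrs:
            if name in self.URL_ATTRS and value and (
                "/" in value or value.endswith((".php", ".css"))
            ):
                self.refs.append((tag, name, value))


def admin_dir_leaks(html, admin_dir):
    """Return the references on the page that name admin_dir as a path segment."""
    parser = _RefCollector()
    parser.feed(html)
    segment = re.compile(r"(^|/)" + re.escape(admin_dir.strip("/")) + r"(/|$)")
    return [ref for ref in parser.refs if segment.search(ref[2])]


# Constructed sample: a login page from an install whose admin dir was renamed.
SAMPLE_LOGIN_PAGE = """<html><head>
<link rel="stylesheet" href="/cactus/wp-admin.css" type="text/css" />
</head><body>
<form name="loginform" action="login.php" method="post">
<input type="hidden" name="redirect_to" value="/cactus/" />
<input type="text" name="log" /><input type="password" name="pwd" />
<input type="submit" value="Login" />
</form></body></html>"""

if __name__ == "__main__":
    for tag, attr, value in admin_dir_leaks(SAMPLE_LOGIN_PAGE, "cactus"):
        print(f"leak: <{tag} {attr}=\"{value}\">")
```

Run it against a saved copy of your own login page with your real admin directory name; an empty result means the page itself no longer names the directory, which is the condition the thread is arguing about, not a statement that the directory is otherwise protected.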
But it does nothing to actually fix any security vulnerabilities that might be present.
I absolutely agree. That should have never been in dispute.
Plugin authors, for example, see the URI of your admin area when you click a plugin link from Options -> Plugins.
Yes, that’s a very good point. Unless of course you remove “Plugin URI” and “Author URI” from each plugin you install. But then again, we should be able to trust plugin authors to not do anything evil, shouldn’t we?
Hiding your admin area often gives people a false sense of security: it’s hidden, so no one will find it!
That could not possibly be a conclusion reached by anyone except the very inexperienced computer users.
You’re clearly ahead of the game, pizdin_dim. You will, I hope, forgive us for not recognizing that from your initial post.
I’m sensing a touch of sarcasm here, skippy.
If I’m wrong (about the sarcasm), I apologise and there’s no apology needed from you. If I had said everything I ultimately did say in my first post, then there wouldn’t have been the misunderstanding. But then again, it would have been a bloody long post too. And there wouldn’t have been much for anybody else to say.
look at the source of your login page. It provides a link tag to the admin css file, as well as a hidden form field for the redirect, both of which tell me what your admin directory name is.
Yes that’s true. But before you can see the source, you have to find the login page first, don’t you? And the same goes the other way: you have to find the admin directory first before you can be redirected to the login page. No?