Category Archives: Computer Tech

WordPress : Password protect wp-admin directory and wp-login.php


Protect wp-admin with password

Hardening WordPress by adding both wp-login.php AND wp-admin password protection is a great way to protect your website from hackers. But isn’t it safe enough if I use a strong password on the standard wp-admin login? Well, yes, from a brute force attempt, but single factor authentication (a simple username and password) means that there’s only one layer of security between you and the bad guys. Let’s suppose you had to reset your WordPress password and got it emailed to you. How secure is your email? Were you on a public wifi hotspot when you picked up that email? It’s not just about how strong your password is.

We’re going to add another layer, using the web server’s own htpasswd technology. This technique can be applied to Joomla, Drupal and many other Content Management Systems with a few minor tweaks.

Why htpasswd is better than another PHP driven single factor authentication layer

While it is not the most graceful of solutions, Apache’s htpasswd basic authentication system (assuming your webserver runs on Apache – most still do) offers two great advantages over most WordPress security plugins.

  1. The user is challenged before the request for the page is served. This means that no PHP is processed until the user authenticates, which in turn means that no MySQL database query is processed either. When your website is under a brute force attack, all of the requests are stopped by Apache. This saves a lot of CPU cycles while your site is under attack.
  2. Authentication failures get logged to the Apache error_log file (/var/log/httpd-error.log, or /usr/local/apache/logs/error_log on cPanel servers). Therefore if you have a login failure tracker such as LFD (which comes with CSF from configserver.com) or BFD (which comes with APF from www.rfxn.com), the attacker will only get a handful of bites at the cherry before they get banned by the firewall. A network level ban is far better than one engineered at the application level.

Why the wp-admin directory AND wp-login.php should be protected

Many guides suggest you protect only the wp-admin folder, but that’s shortsighted. Why? Because it won’t prevent brute force attacks reaching wp-login.php, which is in the top directory of your WordPress installation, eating up your bandwidth/CPU and possibly exposing your login details. So, this guide locks down both areas.

Step 1 – Protecting wp-admin using cPanel’s Password Protect Directories feature

If you don’t have cPanel, don’t panic; just follow the guide below to create your passwd file and protect your wp-admin directory manually:

Creating the password hash and protect wp-admin manually

In cPanel, click on the Password Protected Directories icon in the Security section.

Open Password Protected Directories

Then find the wp-admin directory. Navigate through your directories by double clicking the directory names. When you find the wp-admin folder, click on the little folder icon.

Password protect wp-admin directory

Creating the user’s password hash

The screen has two areas, so we will start at the bottom, as it makes sense to create the user before we restrict access. Just enter the username you wish to use and the password (a nice strong one, of course) and click the Add/modify authorized user button.

Creating the user's password hash

You will see a confirmation message; just accept it and you will be returned to the same screen again – your new user should now appear in the Authorized Users list at the bottom. At the top of the screen, we just need to activate the protection. Tick the check box, enter a nice stern warning in the Name the protected directory: box as shown, and click Save.

Activate password protection for wp-admin

Step 2 – Protecting wp-login.php

Currently (cPanel 11.40) cPanel doesn’t provide a graphical interface for protecting individual files, so this always has to be done manually.

In the root directory of your WordPress installation, create or open the .htaccess file. At the top of it, add the following:

Note: If you protected wp-admin manually in Step 1, then change the AuthUserFile path to the passwd file you created yourself. If you used cPanel, then the path to the file will be along the lines of:

That’s it! You have now protected both wp-admin and wp-login.php – but wait! There’s more.

Step 3 – Preventing 404 Not Found and Ajax errors

Two things can go wrong when you implement this, and here’s how to fix them:

404 Too many redirects error loop

HTTP Basic Auth first sends a 401 Unauthorized along with its request for a password from the browser. The webserver then tries to serve the corresponding error document, usually 401.shtml. Because it can’t find it (who creates those anyway?) it raises a 404 error and tries to serve 404.shtml, which it also can’t find… which raises another 404 error and tries to serve 404.shtml, which it also can’t find… déjà vu?

The simple fix is to add this to the top level .htaccess file – immediately below the statement is safest:

If that doesn’t work, create an empty file in your website’s root folder called 401.shtml and add this to your .htaccess file:

Password protect wp-admin causes problems with plugins/themes that rely on wp-admin ajax functionality

If you experience problems with Ajax-enabled themes and plugins, then you can add this after the first Files block you created in .htaccess in Step 2.
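As an added example (not the post’s own .htaccess fragments, which did not survive on this page), here are the pieces from Steps 1 to 3 in one place. The AuthUserFile path follows the usual cPanel layout and USERNAME is a placeholder; if you created the passwd file by hand, point at that file instead.

```apache
# --- /home/USERNAME/public_html/.htaccess (WordPress root) ---
# Step 2: challenge for wp-login.php before any PHP is executed.
# AuthUserFile path is an assumption: cPanel keeps passwd files under
# ~/.htpasswds/<protected path>/passwd. A hand-made file can be created
# with: htpasswd -c /path/outside/web/root/passwd USERNAME
<Files wp-login.php>
    AuthType Basic
    AuthName "Authorised personnel only"
    AuthUserFile /home/USERNAME/.htpasswds/public_html/wp-admin/passwd
    Require valid-user
</Files>

# Step 3, Ajax: front-end themes and plugins POST anonymously to
# wp-admin/admin-ajax.php, so exempt that one file from the challenge.
# <Files> sections are merged after per-directory .htaccess rules, so this
# block in the root file overrides the wp-admin protection for that file only.
# Apache 2.2 syntax (Apache 2.4 accepts it through mod_access_compat):
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
# Apache 2.4 native equivalent of the block above:
# <Files admin-ajax.php>
#     Require all granted
# </Files>

# Step 3, 401/404 loop: use Apache's built-in 401 page instead of
# looking for 401.shtml (which does not exist, hence the 404 chain).
ErrorDocument 401 default
# Fallback if "default" is not honoured by your host: create an empty
# 401.shtml in the web root and use
# ErrorDocument 401 /401.shtml

# --- /home/USERNAME/public_html/wp-admin/.htaccess ---
# Step 1 done by hand; cPanel writes an equivalent block for you.
AuthType Basic
AuthName "Authorised personnel only"
AuthUserFile /home/USERNAME/.htpasswds/public_html/wp-admin/passwd
Require valid-user
```

After saving, a request for wp-login.php or wp-admin/ should answer 401 with a WWW-Authenticate header and no WordPress output, while admin-ajax.php still answers without a challenge.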


Form Mail Script With CAPTCHA PHP


We recently became aware that there are users still using the old formmail.pl and PHP scripts to process web forms which do not require a CAPTCHA (http://en.wikipedia.org/wiki/CAPTCHA). This leaves large holes for spam attacks and other exploitation on our servers, so it must be stopped completely.

One way to do this is by using a freely available PHP script called Securimage, which provides the CAPTCHA, together with a PHP processing script that has the correctly filled out CAPTCHA as a condition to process the form and send the email. Here is how:

First download a copy of Securimage here: www.simplicityhosting.com/supplib/securimage.tar.gz (version 3.5.4 as of the time of this writing) or download the latest here: https://www.phpcaptcha.org/

Extract the files into the DocumentRoot directory of your website (/home/$username/public_html on cPanel servers, /var/www/html on others; if you do not know, ask your systems administrator or web host).

Note: The processing script now depends on a mailing library for PHP called Swift Mailer, which has been installed on our servers. If you have a dedicated server or VM you will need to either have us install it or it may be found here: http://swiftmailer.org/

Then we need a processing script. Paste the following into a file named processemailform.php, or download it in archive format here (in case there are formatting issues): http://www.simplicityhosting.com/supplib/processemailform.tar.gz

Now we need a form. This may be dropped into any fully designed page ready for a form; please note the following hidden input names:

captcha_code – The code from the CAPTCHA that proves the submitter is human
skip_Subject – Subject of the email
skip_WhereToSend – Where to send the email; may be more than one address separated by commas
skip_SendFrom – Where the email is sent from (the From address)
skip_WhereToReturn – Where to go after processing the form and sending the email, usually a thank you / submission confirmation page

We use the filename contact_us.html:

There are of course more elaborate methods to accomplish this; however, this will work fine in most cases. If you need help with anything specific, please contact us here: https://billing.simplicityhosting.com/submitticket.php?step=2&deptid=4

LinkBack.co – Automated Reciprocal Link Exchange Web Directory for BackLinks.


LinkBack is a unique reciprocal links directory that operates in an automated way.
This directory helps other website owners rank higher on search engines by providing a direct LinkBack to their website.
This is basically the reputation meter of a website and is one of the factors search engines use to display results on a given keyword.

The LinkBack service doesn’t require any registration and doesn’t record any personal details of the site owner.
All that is needed, after adding the URL to the right category, is to place the generated HTML code on one of your webpages.

The system will identify the location and will maintain your listing in the directory as long as the LinkBack remains on your website.
Of course at least one click on the link is required from your website, to let the system know the page 😉

The Title and Description will be scanned from your site and will be updated periodically, so whenever you have an update, it will be reflected automatically in the directory.

Please visit the directory today and add your URL.
The URL will be added within 5 minutes or less, which will give you time to see how it looks and time to place the HTML code on your website.
http://linkback.co

Many thanks and happy linking :)
Zeev