Tag Archives: security

WordPress : Password protect wp-admin directory and wp-login.php


Hardening WordPress by password protecting both wp-login.php AND the wp-admin directory is a great way to protect your website from hackers. But isn't it safe enough if I use a strong password on the standard wp-admin login? Well, yes, against a brute force attempt, but single factor authentication (a simple username and password) means that there is only one layer of security between you and the bad guys. Let's suppose you had to reset your WordPress password and got it emailed to you. How secure is your email? Were you on a public wifi hotspot when you picked up that email? It's not just about how strong your password is.

We're going to add another layer, using the web server's own htpasswd technology. This technique can be applied to Joomla, Drupal and many other Content Management Systems with a few minor tweaks.

Why htpasswd is better than another PHP driven single factor authentication layer

While it is not the most graceful of solutions, Apache's htpasswd basic authentication system (assuming your web server runs on Apache, and most still do) offers two great advantages over most WordPress security plugins.

  1. The user is challenged before the request for the page is served. This means that no PHP is processed until the user authenticates, and that in turn means no MySQL database query is processed either. When your website is under a brute force attack, all of the requests are stopped by Apache, which saves a lot of CPU cycles.
  2. Authentication failures are logged to the Apache error_log file (/var/log/httpd-error.log, or /usr/local/apache/logs/error_log on cPanel servers). So if you have a login failure tracker such as LFD (which comes with CSF from configserver.com) or BFD (which comes with APF from www.rfxn.com), the attacker only gets a handful of bites at the cherry before the firewall bans them. A network level ban is far better than one engineered at the application level.
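As an added example (not from the original post), this shell snippet counts Basic Auth failures per client in an Apache error_log, which is the same decision an LFD/BFD-style tracker makes before asking the firewall for a ban. The log lines are constructed samples in both the Apache 2.2 and 2.4 formats, and the IP extraction assumes IPv4 clients.

```shell
#!/bin/sh
# Added example: tally HTTP Basic Auth failures per client from Apache's error_log.
# SAMPLE_LOG is constructed data; in practice pipe in the real error_log.
SAMPLE_LOG='[Sat Jun 04 12:00:01 2011] [error] [client 203.0.113.7] user admin: authentication failure for "/wp-login.php": Password Mismatch
[Sat Jun 04 12:00:02 2011] [error] [client 203.0.113.7] user admin: authentication failure for "/wp-login.php": Password Mismatch
[Sat Jun 04 12:00:03.000001 2011] [auth_basic:error] [pid 100] [client 203.0.113.7:50001] AH01618: user root not found: /wp-admin/
[Sat Jun 04 12:00:04.000001 2011] [auth_basic:error] [pid 100] [client 198.51.100.9:50002] AH01617: user editor: authentication failure for "/wp-login.php": Password Mismatch
[Sat Jun 04 12:00:05 2011] [error] [client 198.51.100.9] File does not exist: /home/example/public_html/favicon.ico'

# Read an error_log on stdin and print "count ip" for every client that failed
# Basic Auth at least once (wrong password or unknown user), highest count first.
# The 2.4 format appends ":port" to the client address; it is stripped here.
auth_failures() {
    grep -E 'authentication failure|user [^ ]+ not found' \
    | sed -E 's/.*\[client ([0-9.]+)(:[0-9]+)?\].*/\1/' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Print only the client IPs whose failure count reaches the threshold given
# as the first argument (LFD's default for Apache is a handful of attempts).
offenders() {
    auth_failures | awk -v t="$1" '$1 + 0 >= t + 0 {print $2}'
}

printf '%s\n' "$SAMPLE_LOG" | auth_failures
printf '%s\n' "$SAMPLE_LOG" | offenders 3
```

Unrelated error_log noise such as the missing favicon line is ignored, so the counts reflect authentication failures only.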

Why the wp-admin directory AND wp-login.php should be protected

Many guides suggest you protect only the wp-admin folder, but that's shortsighted. Why? Because it won't prevent brute force attacks reaching wp-login.php, which sits in the top directory of your WordPress installation, eating up your bandwidth and CPU and possibly exposing your login details. So, this guide locks down both areas.

Step 1 – Protecting wp-admin using cPanel’s Password Protect Directories feature

If you don't have cPanel, don't panic: just follow the guide linked below to create your passwd file and protect your wp-admin directory manually:

Creating the password hash and protecting wp-admin manually

In cPanel, click on the Password Protected Directories icon in the Security section.

Open Password Protected Directories

Then find the wp-admin directory. Navigate through your directories by double clicking the directory names. When you find the wp-admin folder, click on the little folder icon.

Password protect wp-admin directory

Creating the user’s password hash

The screen has two areas, so we will start at the bottom, as it makes sense to create the user before we restrict access. Just enter the username you wish to use and the password (a nice strong one, of course) and click the Add/modify authorized user button.


You will see a confirmation message; just accept it and you will be returned to the same screen, where your new user should now appear in the Authorized Users list at the bottom. At the top of the screen, we just need to activate the protection. Tick the check box, enter a nice stern warning in the Name the protected directory: box as shown, and click Save.

Activate password protection for wp-admin

Step 2 – Protecting wp-login.php

Currently (cPanel 11.40) cPanel doesn't provide a graphical interface for protecting individual files, so this always has to be done manually.

In the root directory of your WordPress installation, create or open the .htaccess file. At the top of it, add the following:

Note: If you protected wp-admin manually in Step 1, then change the AuthUserFile path to the passwd file you created yourself. If you used cPanel, then the path to the file will be along the lines of:

That's it! You have now protected both wp-admin and wp-login.php. But wait, there's more!

Step 3 – Preventing 404 Not Found and Ajax errors

Two things can go wrong when you implement this, and here’s how to fix them:

404 Too many redirects error loop

HTTP Basic Auth first sends a 401 Unauthorized with its request for a password from the browser. The web server then tries to serve the corresponding error document, usually 401.shtml. Because it can't find it (who creates those anyway?), it raises a 404 error and tries to serve 404.shtml, which it also can't find, which raises another 404 error and tries to serve 404.shtml again, which it also can't find... deja vu?

The simple fix is to add this to the top level .htaccess file; immediately below the closing line of the Files block you created in Step 2 is safest:

If that doesn't work, create an empty file called 401.shtml in your website's root folder and add this to your .htaccess file:

Password protect wp-admin causes problems with plugins/themes that rely on wp-admin ajax functionality

If you experience problems with ajax enabled themes and plugins, add this after the first Files block you created in .htaccess in Step 2.
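Here is an added example (not the author's own snippet) of a root .htaccess that implements Steps 2 and 3 together as described above. The AuthUserFile path is a placeholder to replace with the passwd file you created, and the admin-ajax.php exception uses the Apache 2.2 access syntax (which needs mod_access_compat on Apache 2.4).

```apache
# Added example: root .htaccess combining Step 2 (wp-login.php) and Step 3 (fixes).
# Replace EXAMPLE_USER and the rest of the path with your own passwd file location.

# Step 2: challenge for a password before wp-login.php is ever handed to PHP
<Files wp-login.php>
    AuthType Basic
    AuthName "Restricted area - authorised users only"
    AuthUserFile /home/EXAMPLE_USER/.htpasswds/public_html/wp-admin/passwd
    Require valid-user
</Files>

# Step 3, redirect loop: let Apache generate its own 401 page instead of
# hunting for a 401.shtml that does not exist. If this is not enough, create
# an empty 401.shtml in the site root and use:  ErrorDocument 401 /401.shtml
ErrorDocument 401 default

# Step 3, ajax: allow admin-ajax.php through without Basic Auth so ajax driven
# themes and plugins keep working. WordPress's own nonce/capability checks
# still apply to every request that reaches admin-ajax.php.
<Files admin-ajax.php>
    Satisfy Any
    Order allow,deny
    Allow from all
</Files>
```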


Sony Hacks – Need to keep a record of this stuff!

Sony Hacks – I need to keep this stored so if it mysteriously disappears online elsewhere I am able to refer to it in the future:


Sony Denies Fresh PlayStation Network Hack


Published May 18, 2011 | FoxNews.com

Visitors at the Sony Building in downtown Tokyo play Sony's PlayStation 3.


Sony’s PlayStation Network password-reset page, built following a weeks-long outage after hackers breached the company’s network and compromised over 100 million online accounts, is itself temporarily offline — for security reasons, the company said.

But it’s not another hack, Sony insisted in a blog post late Wednesday.

“Contrary to some reports, there was no hack involved,” wrote Patrick Seybold, Sony’s senior director of corporate communications and social media. “In the process of resetting of passwords there was a URL exploit that we have subsequently fixed.”

The page was built to encourage PlayStation users to reset their passwords after Sony reinstated the PlayStation Network, a system that links gamers worldwide in online play. But that password reset page is itself down following discovery of the security flaw.

Gaming website Nylevia had discovered the flaw on Tuesday, which let hackers change any account’s password simply by entering an email address and a birth date.

“Despite the methods currently employed to force a password change when you first reconnect to the PlayStation network, your accounts still remain unsafe,” Nyleveia.com wrote. “A new hack is currently doing the rounds in dark corners of the Internet that allows the attacker the ability to change your password using only your account’s e-mail and date of birth.”

The site did not provide additional details, citing security concerns.

“We for rather obvious reasons do not want to elaborate further on the exact details of the exploit, on the off chance that when the web based interface for PSN is restored the exploit has not been patched,” wrote the site, which claimed to have alerted Sony to the exploit.

Early in May, Sony denied claims that the PlayStation.com website was hacked as well, following outages at that site. The company chalked the outage up to a new security measure rather than the work of hackers as first suspected.

Sony was heavily criticized over its handling of the network intrusion. The company did not notify consumers of the breach until April 26 even though it began investigating unusual activity on the network April 19.

Sony had said at the time that personal data from 24.6 million user accounts was stolen in the hacker attack last month. Personal data including credit card numbers might have been stolen from another 77 million PlayStation accounts, said Sony Computer Entertainment spokesman Satoshi Fukuoka.

He said Sony has not received any reports of illegal uses of stolen information, and the company is continuing its probe into the hacker attack. He declined to give details on the investigation.

Last month, U.S. lawyers filed a lawsuit against Sony on behalf of lead plaintiff Kristopher Johns for negligent protection of personal data and failure to inform players in a timely fashion that their credit card information may have been stolen. The lawsuit seeks class-action status.

Read more: http://www.foxnews.com/scitech/2011/05/18/network-sony-denies-second-playstation-hack/#ixzz1OLu6lrgU


New Sony Hack Claims Over a Million User Passwords


Another of Sony’s websites has reportedly been hacked—this time around, the victim is SonyPictures.com. The group claiming responsibility for the breach, “LulzSec,” is the same group behind the recent PBS website hack.

A statement from the group reads, in part:

“SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks? What’s worse is that every bit of data we took wasn’t encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it’s just a matter of taking it. This is disgraceful and insecure: they were asking for it.”

The group grabbed more than just passwords, too, according to another part of the statement:

“We recently broke into SonyPictures.com and compromised over 1,000,000 users’ personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts. Among other things, we also compromised all admin details of Sony Pictures (including passwords) along with 75,000 ‘music codes and 3.5 million ‘music coupons’.”

At the moment, the SonyPictures.com website appears to be running normally, but that’s not to say that the aforementioned hack didn’t happen as everything that reportedly went on would happen behind the scenes. Boing Boing is reporting that the user info and millions of music coupons have already been made available on The Pirate Bay.

Sony has yet to comment on the matter.

(via Boing Boing)





Sony hack: private details of million people posted online

Hackers have attacked Sony and stolen the private details of more than a million people in the latest security breach to hit the electronics giant.

Hackers attack Sony and steal details of 1m people 

The latest hack comes just over a month after Sony's enormous PlayStation Network was attacked. In that incident the data of about 70m customers was stolen, in what is thought to have been the largest hack in history. (Photo: REUTERS)

Another hack at Sony; 120 passwords go online

Another breach at Sony; 120 passwords from Sony Europe website claimed by hacker


FILE – This is a Thursday, May 26, 2011 file photo of people walking by Sony Building in Tokyo’s Ginza shopping district in Tokyo. Another massive data breach at Sony has left hackers exulting, customers steaming and security experts questioning why basic fixes haven’t been made to the company’s stricken cybersecurity program. (AP Photo/Shizuo Kambayashi, File) 


LONDON (AP) — A hacker claims to have stolen names and passwords belonging to 120 users of Sony Europe’s website and published them to the Internet.

It's the latest in a series of attacks which have hammered the electronics multinational. Security researchers have counted about a dozen breaches since the beginning of this year, including two particularly serious ones which exposed 100 million users' personal details.

The latest attack was claimed by “Idahc,” who self-identifies as a Lebanese hacker. The Associated Press has been able to verify several of the exposed names.

A U.S.-based spokeswoman for Sony Corp. has not returned an email seeking comment.

The website allegedly hacked into was down for “scheduled maintenance” Saturday.