Tag Archives: web hosting

WordPress : Password protect wp-admin directory and wp-login.php

Hardening WordPress by adding both wp-login.php AND wp-admin password protection is a great way to protect your website from hackers.

But isn’t it safe enough if I use a strong password on the standard wp-admin login? Well, yes, from a brute force attempt, but single factor authentication (simple username and password) means that there’s only one layer of security between you and the bad guys. Let’s suppose you had to reset your WordPress password, and got it emailed to you. How secure is your email? Were you in a public wifi hotspot when you picked up that email? It’s not just about how strong your password is.

We’re going to add another layer, using the web server’s own htpasswd technology. This technique can be applied to Joomla, Drupal and many other Content Management Systems with a few minor tweaks.

Why htpasswd is better than another PHP driven single factor authentication layer

While it is not the most graceful of solutions, Apache’s (assuming your webserver runs on Apache – most still do) htpasswd basic authentication system offers two great advantages over most WordPress security plugins.

  1. The user is challenged before the request for the page is served. This means that no PHP is processed until the user authenticates. That means that no MySQL database query is processed either. When your website is under a brute force attack, all of the requests are stopped by Apache. This saves a lot of CPU cycles when your site is under attack.
  2. Authentication failures get logged to the Apache error_log file (/var/log/httpd-error.log or for cPanel servers /usr/local/apache/logs/error_log). Therefore if you have a login failure tracker such as LFD (which comes with CSF from configserver.com) or BFD (which comes with APF from www.rfxn.com) then the attacker will only get a handful of bites at the cherry before they get banned by the firewall. A network level ban is far better than one engineered at the application level.

Why the wp-admin directory AND wp-login.php should be protected

Many guides suggest you protect only the wp-admin folder, but that’s shortsighted. Why? Because it won’t prevent brute force attacks from reaching wp-login.php, which is in the top directory of your WordPress installation, eating up your bandwidth/CPU and possibly exposing your login details. So, this guide locks down both areas.

Step 1 – Protecting wp-admin using cPanel’s Password Protect Directories feature

If you don’t have cPanel, don’t panic, just click on the guide below to create your passwd file and protect your wp-admin directory manually:

Creating the password hash and protect wp-admin manually

In cPanel, click on the Password Protected Directories icon in the Security section.

Open Password Protected Directories

Then find the wp-admin directory. Navigate through your directories by double clicking the directory names. When you find the wp-admin folder, click on the little folder icon.

Password protect wp-admin directory

Creating the user’s password hash

The screen has two areas, so we will start at the bottom, as it makes sense to create the user before we restrict access. Just enter the username you wish to use, and the password (a nice strong one of course) and click the Add/modify authorized user button.

You will see a confirmation message, just accept it and you will be returned to the same screen again – your new user should now appear in the Authorized Users list at the bottom. At the top of the screen, we just need to activate the protection. Tick the check box, enter a nice stern warning in the Name the protected directory: box as shown, and click Save.

Activate password protection for wp-admin

Step 2 – Protecting wp-login.php

Currently (11.40) cPanel doesn’t provide a graphical interface for protecting individual files, so this always has to be done manually.

In the root directory of your WordPress installation, create or open the .htaccess file. At the top of it, add the following:

Note: If you protected wp-admin manually in Step 1, then change the AuthUserFile path to the passwd file you created yourself. If you used cPanel, then the path to the file will be along the lines of:

That’s it! You have now protected both wp-admin and wp-login.php – but wait! There’s more

Step 3 – Preventing 404 Not Found and Ajax errors

Two things can go wrong when you implement this, and here’s how to fix them:

404 Too many redirects error loop

HTTP Basic Auth first sends a 401 Unauthorized with its request for a password from the browser. The webserver tries to serve the corresponding error file, usually 401.shtml. Because it can’t find it (because who creates those anyway!) it then creates a 404 error and tries to serve the 404.shtml, which it also can’t find… which creates a 404 error and tries to serve the 404.shtml, which it also can’t find… deja vu?

The simple fix is to add this to the top level .htaccess file – immediately below the statement is safest:

If that doesn’t work, create an empty file in your website’s root folder called 401.shtml and add this to your .htaccess file:

Password protect wp-admin causes problems with plugins/themes that rely on wp-admin ajax functionality

If you experience problems with ajax enabled themes and plugins, then you can add this after the first Files block you created in .htaccess in Step 2.
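The .htaccess additions that Steps 2 and 3 describe, put together as an added example (this is not the original post's code). It assumes Apache 2.4 authorization syntax; the AuthUserFile path and the AuthName text are placeholders.

```apache
# <WordPress root>/.htaccess -- added example, placed above "# BEGIN WordPress"

# Step 3: answer the Basic Auth challenge with Apache's built-in 401/403
# body. Without this the server looks for a custom error document, fails,
# and the request falls through to WordPress's own 404 handling.
ErrorDocument 401 default
ErrorDocument 403 default

# Step 2: challenge for wp-login.php before any PHP or MySQL work is done.
# A <Files> block in the root .htaccess also applies in subdirectories.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted area"
    # Placeholder path: point this at the passwd file created in Step 1.
    # Keep that file outside the web root so it can never be downloaded.
    AuthUserFile "/path/to/passwd"
    Require valid-user
</Files>

# Step 3: front-end themes and plugins call wp-admin/admin-ajax.php on
# behalf of ordinary visitors, so exempt that one file from the wp-admin
# password prompt. WordPress still applies its own checks to each action.
# On Apache 2.2 the equivalent is Order allow,deny / Allow from all /
# Satisfy any.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Basic Auth sends the username and password with every request in an easily decoded form, so serve wp-login.php and wp-admin over HTTPS only.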

 

Enthusiastic Web Host Seeks Clients that Wish for Happiness

SimplicityHosting.Com, Inc. - Simply the Best Vegan Web Hosting

SimplicityHosting.Com, Inc. – Simply the Best Web Hosting

As the title suggests, SimplicityHosting.Com, Inc. is an enthusiastic web host seeking clients currently unhappy (man, it’s hard to deal with these SEO rules and make things readable, hm) with their web host and would like to have enthusiastic help to get them transferred, we do it all! We can transfer your data and get your sites working optimally.

You may think this is just another shameless plug and in ways it is, however, there are many out there who have been abused by the ho hum attitude of their current web host company. The slow response to tickets, incomplete answers, company wanted to charge for unknown services that will resolve unknown issues basically for no reason.

Then there are the web hosts that play games with their clients like holding domains and registrations (yes, they still exist) or causing trouble with transfers or backup systems. Whereas we will not help you leave our services, we do not change anything in the current operation if you decide to leave. We believe the client’s domains and data are owned solely by them, and not by us, as such we also encourage clients to independently backup their data as most do in their disaster recovery plans.

Inquire here, best regards!


Another Happy Vegan Web Host Transfer Story!

The prospective client was having problems at his current host and was looking for a savvy vegan web host to take over his business account.

 


It has certainly been a long time since I wrote anything on this blog site. We have been busy dealing with clients and infrastructure upgrades and so forth, though important, blogging must always be treated as a secondary activity, especially with my apparent lack of skill in it (I never seem to be able to get everything down that I want to, there always seems to be so much more to write about and never sure how to organize it so it is easy to read and understand or entertaining enough). Anyway here is an attempt to tell the story of a prospective client that was looking for a vegan web host to replace his current web host with which he was having technical issues.

Just recently, however, we received an email from a prospective client who has had troubles with his websites crashing his web hosts’ servers. He stated he only had about 10GB of space and a small amount of monthly hits, I wasn’t sure what to make of the situation but I knew this client definitely should not be on shared server space.  So I suggested a VM/VPS root server where he had total control and we would assist or do the migration. This server would also be equipped with WHM/cPanel for easy site, user and email management. I neglected to ask the client why, however, he was looking for a vegan web host.

There was an issue with transferring of backups and at some point the original host, which had been paid for and not cancelled, was having downtime on their system and/or control panel. However, the client was able to get the files to us through a file transfer service; it was actually WeTransfer.Com, in case there are others with similar issues. Just a small tech note on WeTransfer.Com: there is a Python script available that allows one to grab WeTransfer.Com files at the normal download URL directly from the server, very handy, available through GitHub here: https://github.com/superalex/py-wetransfer

Once we received the files it was 10-15 minutes before we had them restored and all the sites operable, of course there were a few tweaks we had to do on the back end to make things work (one MySQL database did not transfer, one Joomla site needed an adjustment to .htaccess to function again, and we needed to add an SSL cert to the server on a domain so Apple Mac Mail would function nicely, I still use Thunderbird with self-signed SSL certs which works just fine after the cert is “accepted”). I believe our pace at resolving issues could be classified as ferocious in contrast to the current web hosting industry that I would call sleepy at best. Later, when asked, the client said he found us by doing a search on vegan web host companies. I thought “that is so cool”!

So another happy story where a client was having issues and we gained a client and were able to resolve the issues effectively. We are certainly glad this client chose SimplicityHosting.Com, Inc. to be his web hosting partner.
