Our security guy showed me how to harvest editor names from WordPress. Combined with the well-known location of the login page (wp-login.php), this makes the site an easy target for script kiddies plying their wares. A simple way to combat this is to create a redirect page somewhere and then restrict access to wp-login.php to visits coming from that page. I borrowed this idea from here. To implement it, I created my redirect page and added the following to the .htaccess file for the site.
    # protect wp-login.php
    <Files wp-login.php>
    Order deny,allow
    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^http://www.mywebplace.com/wp-content/uploads/anoddname.html$ [NC]
    RewriteRule .* - [F]
    </Files>
These lines are interpreted like this:
- for all files called wp-login.php
- set the host-based access order (on its own, with no Deny directive, this line blocks nothing; the actual blocking is done by the rewrite rule below)
- turn on mod_rewrite
- if the Referer header is not exactly the URL of anoddname.html
- don't rewrite the request, but return a 403 Forbidden
I then created 'anoddname.html' and added a meta refresh like this:
    <META HTTP-EQUIV="refresh" CONTENT="0;URL=http://www.mywebplace.com/wp-login.php">
These changes worked as expected. The site was fine, but to log in you have to visit anoddname.html first. There is one problem: you cannot log out from the site. That's because logging out calls wp-login.php again with ?action=logout appended to the URL. Since you are on a page other than anoddname.html at the time, you are forbidden from reaching wp-login.php.
To fix this, I added two more lines to the .htaccess file:
    RewriteCond %{QUERY_STRING} ^action=logout [NC]
    RewriteRule .* - [L]
With these lines added, .htaccess first checks whether the request carries the query string ?action=logout. If so, it does not rewrite and stops processing that rule set ([L]), so the Referer check below never runs for logouts. Keep in mind that the Referer header is sent by the client and is trivial to forge (curl -e sets it in one flag), so this keeps automated scanners and casual visitors off the login page but is not an authentication control. The complete .htaccess section is now:
    # protect wp-login.php
    <Files wp-login.php>
    Order deny,allow
    RewriteEngine on
    RewriteCond %{QUERY_STRING} ^action=logout [NC]
    RewriteRule .* - [L]
    RewriteCond %{HTTP_REFERER} !^http://www.mywebplace.com/wp-content/uploads/anoddname.html$ [NC]
    RewriteRule .* - [F]
    </Files>
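Before trusting rules like these it helps to walk through which requests they let in and which they block, including the ones the post does not mention: the login form's own POST back to wp-login.php, the lost-password link, and a visitor who simply forges the Referer. The script below is an added example, not code from the original post; it mirrors the two mod_rewrite conditions above over a set of constructed requests, and prints the curl command that reproduces each one against a live site. The site URL and anoddname.html are the post's placeholders; `allowed_referers` is a hypothetical knob added here to show how a second Referer could be permitted.

```python
import re
import shlex
from urllib.parse import urlsplit

# Placeholder names taken from the post; substitute your own site and obscure file name.
SITE = "http://www.mywebplace.com"
REDIRECT_PAGE = f"{SITE}/wp-content/uploads/anoddname.html"


def rewrite_decision(method, url, referer=None, allowed_referers=(REDIRECT_PAGE,)):
    """Return 'allow' or 'forbidden' the way the post's .htaccess rules would.

    Rule 1: RewriteCond %{QUERY_STRING} ^action=logout [NC]      -> RewriteRule .* - [L]
    Rule 2: RewriteCond %{HTTP_REFERER} !^<redirect page>$ [NC]  -> RewriteRule .* - [F]
    Both sit inside <Files wp-login.php>, so every other file is untouched.
    `allowed_referers` is a hypothetical extension: each extra entry corresponds
    to one more negated RewriteCond on %{HTTP_REFERER} (conditions AND by default).
    The HTTP method is not examined by the rules; it is kept only for the curl output.
    """
    parts = urlsplit(url)
    if parts.path.rsplit("/", 1)[-1] != "wp-login.php":
        return "allow"
    # Rule 1: a logout request stops processing here ([L]) and is served.
    if re.match(r"^action=logout", parts.query, re.IGNORECASE):
        return "allow"
    # Rule 2: only an exact, case-insensitive ([NC]) match on an allowed Referer passes.
    if referer is not None:
        for allowed in allowed_referers:
            if re.match(r"^" + re.escape(allowed) + r"$", referer, re.IGNORECASE):
                return "allow"
    return "forbidden"


def curl_command(method, url, referer=None):
    """Build the curl invocation that reproduces the request and prints only the status code."""
    cmd = ["curl", "-s", "-o", "/dev/null", "-w", "%{http_code}", "-X", method]
    if referer is not None:
        cmd += ["-e", referer]  # -e / --referer sets the Referer header
    cmd.append(url)
    return " ".join(shlex.quote(c) for c in cmd)


# Constructed sample requests: (label, method, url, referer). The nonce value is made up.
SAMPLE_REQUESTS = [
    ("scanner, no Referer",        "GET",  f"{SITE}/wp-login.php", None),
    ("via the redirect page",      "GET",  f"{SITE}/wp-login.php", REDIRECT_PAGE),
    ("logout from the dashboard",  "GET",  f"{SITE}/wp-login.php?action=logout&_wpnonce=abcdef0123", f"{SITE}/wp-admin/"),
    ("login form POST",            "POST", f"{SITE}/wp-login.php", f"{SITE}/wp-login.php"),
    ("lost-password link",         "GET",  f"{SITE}/wp-login.php?action=lostpassword", f"{SITE}/wp-login.php"),
    ("spoofed Referer (curl -e)",  "GET",  f"{SITE}/wp-login.php", REDIRECT_PAGE),
    ("unrelated file",             "GET",  f"{SITE}/wp-content/uploads/anoddname.html", None),
]


def evaluate_all(requests=SAMPLE_REQUESTS, allowed_referers=(REDIRECT_PAGE,)):
    """Map each sample request label to the decision the rules would make."""
    return {label: rewrite_decision(m, u, r, allowed_referers) for label, m, u, r in requests}


if __name__ == "__main__":
    for label, m, u, r in SAMPLE_REQUESTS:
        print(f"{rewrite_decision(m, u, r):9s}  {label:28s}  {curl_command(m, u, r)}")
```

Two rows deserve attention. The "spoofed Referer" row is allowed, which is the whole weakness of a Referer check: anyone who reads the redirect page's name out of a leaked link or a browser history can hand it to curl. The "login form POST" and "lost-password" rows come back forbidden, because WordPress posts the login form back to wp-login.php with wp-login.php itself as the Referer; check that step on your own install, and if it is blocked, add a second line `RewriteCond %{HTTP_REFERER} !^http://www.mywebplace.com/wp-login.php$ [NC]` directly above the `[F]` rule (two negated conditions AND together, so only requests matching neither Referer are forbidden), which is what `allowed_referers` models.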