Easy and Effective Way to Protect Admin/Login Area of Your WordPress (or Any Website)

Unfortunately, there will always be bad people in the wild who will do bad stuff. So, even if you consider yourself a kind person who has no enemies, it doesn’t mean that your website will not be attacked. In this article we will discuss one effective way to put an extra barrier between an attacker and your website. And surprisingly, it is not that difficult (and it is fast)! Good, right?

But first, what do we mean by “attacked”? Well, any attempt to get control of an area that is not supposed to be accessed can be considered an attack. On the WordPress platform, the simplest example is to go to http://[yourfriend’s domain name]/wp-login.php and try to log in using a guessed username and password. Congratulations, you have just done a tiny-scale cyber attack!

Impact On Your (Shared) Server

Imagine if someone did that password guessing using a powerful computer that can make hundreds of attempts per minute, trying every possible password that you might use (this is called a “brute force attack”). Although you might think you use a long and difficult password that is not easy to crack, the first casualty is your server.

With hundreds of attempts, your server produces hundreds of login screens, receives the guessed password hundreds of times, processes and checks the password hundreds of times and rejects the login hundreds of times as well. Done fast enough, a legitimate user probably cannot log in any more because the server is too busy servicing the bogus logins. That’s why this kind of attack produces what is called a “Denial of Service (DoS)” attack: it renders the server useless. Sometimes that’s all the attacker wants, to “disable” your server rather than get your password.

[Image: Cyber Attack On Your Server]

On The Smaller Scale…

While an attack on your server will probably not make it to the morning news, you are more likely to get that “friendly” notification from your shared hosting provider that your account has been suspended due to “excessive usage” of CPU and/or RAM.

Happened to me. And it puzzled me at first, because that particular server was just a test server (not a full production server), and it made me wonder if one of my scripts had a terrible bug that overloaded the server. Until I realized that most of the activity was happening on wp-login.php. Someone was trying to hack my empty website! Terrific!

Various Methods of Defence:

There are a few methods and countermeasures to prevent this kind of attack, for example:

  1. The usual first reaction to any hacking attempt is adding a security measure/method. For example: using JavaScript encryption, activating a secure server, installing a plugin to do 2-factor authentication, adding another htpasswd login, etc.
    While we can understand why people want to do this, the fact remains that if the attacker just wants to cripple your website (not get in), this is not really an effective measure against such an attack. Having said that, adding security is good, but maybe not really the first line of defence.
  2. Slow down the possible attempts:
    • using measures such as a CAPTCHA (a human needs to enter a verification before the login is even submitted)
    • a lock-out period after several failed attempts

    While it helps, this is not really an effective defence.

  3. Change the URL. In the case of WordPress, rename wp-login.php. After all, if you don’t know the address you cannot even knock on the door, right?
    This is quite an effective measure but creates a lot of hassle, as every now and then a new release comes out and everything resets to the original.
  4. Ban IP addresses that are known to have attacked before.
    This is the most ineffective way, for various reasons. First, it is a reactive plan: you only react after the fact, which is not good. Also, there are millions of IP addresses that can be used for an attack; how do you know which one will be used?
  5. Only allow your own IP address to access the sensitive area.
    This is very effective, but the problem is that you may log in from practically anywhere with any IP address. Also, your Internet Service Provider at home (or work) is probably not giving you a static IP address. And then, I also want to log in from my mobile or iPad on the road... Not really practical, right? Or is it?

Whitelisting Your IP Address Only

How about if there were a way for the server to always know your IP address at any time, without any need to manually change anything on the server? No need to log in to any additional website/program, just an additional click on a bookmark in the very browser that you will use for accessing your own admin site. Easy enough? This is how:

  1. We will whitelist a domain name instead of an IP address.
    Instead of putting this in your .htaccess:

    <Files wp-login.php>
    Order Deny,Allow
    Deny from All
    Allow from 123.12.23.34
    </Files>

    where 123.12.23.34 is your IP address, we will now use a domain name instead of an IP address. By using a domain name, we can take whatever IP address we currently have and map it to our domain name with a single click on a bookmark. How? Next step....

  2. Sign up for free at a dynamic DNS service called Duck DNS (http://www.duckdns.org/). This is a simple, straightforward service, perfect for our purpose, and it is FREE.
    Use your existing Google, Facebook, Twitter, Persona or Reddit account and you will be done and dusted in 2 minutes, literally.
    Once logged in, just choose any unique word that has not been taken by other people as the “subdomain”. For example we use “onlymelogin2016”, and Duck DNS will give you a so-called “token”, for example “a12b34bc-567e-8910-fg1h-2i345jk6l7m8”.
    Then create a bookmark with your domain and token following this format (name it “[YourWebsite] DuckDNS”, for example):
    https://www.duckdns.org/update/[yourdomain]/[yourtoken]
    In this example, the URL becomes:
    https://www.duckdns.org/update/onlymelogin2016/a12b34bc-567e-8910-fg1h-2i345jk6l7m8
  3. Then go ahead and add the code below to your .htaccess:
    <Files wp-login.php>
    Order Deny,Allow
    Deny from All
    Allow from onlymelogin2016.duckdns.org
    </Files>
  4. Now, from any computer and any device, whenever you want to log in to your website, just click that bookmark and your current IP address will be pushed to the DNS server; you don’t even need to know what your IP address is. That’s the idea... BUT WAIT!! There are some problems with this.

    First of all, the capability to find the domain name from an IP address is called a “DNS reverse lookup”, and this capability is not always turned on by the hosting company. See, when someone visits your website, the server only sees the IP address of the visitor. To know which domain name it belongs to, an extra step needs to be done (because usually it is not necessary). And even if it is on, it will slow down the server, as the process takes some overhead (we are talking milliseconds here, folks...).

    But the killer is this: even if the server is capable of doing a DNS reverse lookup and you don’t mind the extra overhead, the server could resolve the IP address to a different name, i.e. the name given by the “owner” of the IP address (who licensed it from the authority), for example “123-12-23-34.yourisp.net”. Remember that an IP address can have multiple names; for example, on a shared hosting plan, one IP address of the server can have hundreds of domain names attached to it. If you only have the IP address, the name could be any of them, and the check in step (3) above will not work. You can read more on why direct domain whitelisting is not good here. But don’t worry, we have the solution.
  5. Create a script from the code below (copy and paste it into your editor, save it as “updateht.php” and upload it to the root directory of your WordPress). This script will protect both wp-login.php and the wp-admin directory.

    <?php
    // Rewrite every "allow from ..." line that directly follows a
    // "#DNSaccessDomain <domain>" marker so that it carries the IP address
    // the domain currently resolves to.
    function UpdateIP($filename) {
        $domainname = array();
        $row = "";
        $returnvalue = 1;
        $tempfile = $filename.".temp";
        $tokenfound = 0;
        $tokencount = 0;
        $dnslookupresult = "";

        // Keep a copy of the original in case something goes wrong.
        copy($filename, $filename.".orig");

        if ($file = fopen($filename, "r")) {
            if ($output = fopen($tempfile, "w")) {
                while (!feof($file) && ($row = fgets($file))) {
                    if (preg_match('/^\#DNSaccessDomain ([0-9A-Za-z\.\-]+)(\s*|\s.*)$/', $row, $domainname)) {
                        // Marker line: resolve the domain and remember the result for the next line.
                        $dnslookupresult = gethostbyname($domainname[1]);
                        if ($dnslookupresult === $domainname[1]) {
                            // gethostbyname() hands the name back unchanged when the lookup
                            // fails; never write a hostname into the allow line.
                            print "cannot resolve ".$domainname[1]."<br/>";
                            $returnvalue = 0;
                        } else {
                            $tokenfound = 1;
                            print $dnslookupresult."<br/>";
                        }
                    } elseif ($tokenfound == 1) {
                        // The line right after the marker is replaced with the resolved address.
                        $row = "allow from $dnslookupresult\n";
                        $tokenfound = 0;
                        $tokencount++;
                    }
                    if (!fwrite($output, $row)) $returnvalue = 0;
                }
                if (!fclose($file)) $returnvalue = 0;
                if (!fclose($output)) $returnvalue = 0;

                if ($tokencount == 0) {
                    print "entry not found<br/>";
                    $returnvalue = 0;
                }
            } else $returnvalue = 0;
        } else $returnvalue = 0;

        // Only swap the rewritten file in when everything succeeded.
        if ($returnvalue) {
            unlink($filename);
            copy($tempfile, $filename);
            unlink($filename.".orig");
            unlink($tempfile);
        }
        return $returnvalue;
    }

    // Program Start
    if (UpdateIP(".htaccess")) print "OK<br/>";
    if (UpdateIP("wp-admin/.htaccess")) print "OK<br/>";
    ?>

    A more detailed explanation of this updateht.php script can be read here.

  6. Now modify your .htaccess in the root directory (to protect wp-login.php) as follows:

    <files wp-login.php>
    order deny,allow
    deny from all
    #DNSaccessDomain onlymelogin2016.duckdns.org
    allow from 0.0.0.0
    </files>

    And the .htaccess in wp-admin folder as follows:

    order deny,allow
    deny from all
    #DNSaccessDomain onlymelogin2016.duckdns.org
    allow from 0.0.0.0

    Remember that the domain “onlymelogin2016.duckdns.org” can be changed to whatever domain you chose when you signed up above (see step (2)).
    What updateht.php basically does is change that 0.0.0.0 to whatever IP address is currently defined for “onlymelogin2016.duckdns.org” (or whatever your domain is). You just need to insert the marker “#DNSaccessDomain [domain]” on the line immediately before every “allow from [ip address]” line that you require. Of course, feel free to update the script to suit your needs (for example if you use “Require ip [ip address]” instead of the deprecated allow, deny and order directives).

  7. Then run that script on your website, i.e. http://yourwebsite.com/updateht.php. You should see 2 “OK”s (one for the .htaccess in root, one for the one in wp-admin). You can bookmark this as well; name it “[YourWebsite] Access”, for example.
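As an added example (not the post's updateht.php and not part of the original article), the marker-driven rewrite of steps 5 to 7 is shown below in Python, extended in two ways the post only mentions: it also accepts the Apache 2.4 “Require ip” form alongside “allow from”, and it refuses to touch the file when the DuckDNS name does not resolve, instead of silently writing a hostname into the allow line (the very thing step 4 explains does not work). It is assumed to run on the web host itself (for example over SSH) with the system resolver; the sample .htaccess texts, the fake resolver and the 203.0.113.7 address are constructed for the demonstration.

```python
"""Rewrite the 'allow from' / 'Require ip' line that follows each
'#DNSaccessDomain <name>' marker with the address the name resolves to.
Added example; assumed to run on the host, not the post's own script."""
import ipaddress
import re
import socket
from pathlib import Path

# "#DNSaccessDomain <name>" marker, optionally indented, on its own line.
MARKER = re.compile(r"^\s*#DNSaccessDomain\s+([0-9A-Za-z.\-]+)\s*$")
# The line that must follow a marker: Apache 2.2 "allow from" or 2.4 "Require ip".
ALLOW_LINE = re.compile(r"^(\s*)(allow\s+from|Require\s+ip)\s+\S+\s*$", re.IGNORECASE)


def resolve(hostname):
    """IPv4 address for hostname, or None when it does not resolve.
    (PHP's gethostbyname() returns the name itself on failure, which would
    turn the allow line into a hostname rule; this helper never does that.)"""
    try:
        return socket.gethostbyname(hostname)
    except OSError:
        return None


def rewrite_htaccess(text, resolver=resolve):
    """Return (new_text, replaced_count). Raises ValueError, so the caller's
    file stays untouched, if a marker cannot be resolved, is not followed by
    an allow line, or no marker exists at all."""
    out, pending_ip, count = [], None, 0
    for line in text.splitlines(keepends=True):
        marker = MARKER.match(line)
        if marker:
            ip = resolver(marker.group(1))
            if ip is None:
                raise ValueError("cannot resolve " + marker.group(1))
            ipaddress.ip_address(ip)  # reject anything that is not a literal address
            pending_ip = ip
            out.append(line)
            continue
        if pending_ip is not None:
            allow = ALLOW_LINE.match(line)
            if allow is None:
                raise ValueError("marker not followed by an allow/Require ip line")
            indent, directive = allow.group(1), allow.group(2)
            newline = "\n" if line.endswith("\n") else ""
            out.append(f"{indent}{directive} {pending_ip}{newline}")
            pending_ip, count = None, count + 1
            continue
        out.append(line)
    if pending_ip is not None or count == 0:
        raise ValueError("no complete #DNSaccessDomain entry found")
    return "".join(out), count


def update_file(path, resolver=resolve):
    """Rewrite one .htaccess in place through a temp file and an atomic rename."""
    target = Path(path)
    new_text, count = rewrite_htaccess(target.read_text(), resolver)
    temp = target.with_name(target.name + ".temp")
    temp.write_text(new_text)
    temp.replace(target)
    return count


# Constructed sample inputs: the post's Apache 2.2 style and the 2.4 style.
SAMPLE_22 = (
    "<files wp-login.php>\n"
    "order deny,allow\n"
    "deny from all\n"
    "#DNSaccessDomain onlymelogin2016.duckdns.org\n"
    "allow from 0.0.0.0\n"
    "</files>\n"
)
SAMPLE_24 = (
    "<Files wp-login.php>\n"
    "    #DNSaccessDomain onlymelogin2016.duckdns.org\n"
    "    Require ip 0.0.0.0\n"
    "</Files>\n"
)


def fake_resolver(name):
    """Stand-in for DNS so the demo runs offline (203.0.113.7 is a documentation address)."""
    return {"onlymelogin2016.duckdns.org": "203.0.113.7"}.get(name)


def demo():
    """Rewritten samples, plus whether an unresolvable name was refused."""
    new_22, _ = rewrite_htaccess(SAMPLE_22, fake_resolver)
    new_24, _ = rewrite_htaccess(SAMPLE_24, fake_resolver)
    try:
        rewrite_htaccess(SAMPLE_22, lambda name: None)
        refused = False
    except ValueError:
        refused = True
    return new_22, new_24, refused


if __name__ == "__main__":
    for part in demo():
        print(part)
```

Because the rewrite is done through a temp file and a rename, a failed lookup never leaves a half-written .htaccess behind. Note also that, unlike the bookmark in step 7, nothing here is reachable over HTTP: the post's updateht.php is itself a public URL that anyone can request, so running the rewrite from the host (or restricting who may call the PHP script) keeps that endpoint from being triggered by strangers.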

As I mentioned, not difficult, right? You can do the sign-up and the .htaccess update well within 15 minutes of reading this. And now your website has advanced security that whitelists only your IP address for accessing the restricted area of the website.

The attacker cannot even get a login screen, your server is protected before taking on any additional load, and of course you can add all the other security measures to make it even more difficult to penetrate. Namely: htpasswd, 2-factor authentication, CHAP login and, if you want to make it a Rolls-Royce, proper https deployment (get a static IP address, buy and install an SSL certificate and an https enforcer plugin).

So, as a recap: once you have done the simple modification and uploaded the new PHP script updateht.php above, what you need to do to access your super-protected server is:

  1. Run/click the bookmark “[YourWebsite] DuckDNS” (step (2) above)
  2. Run/click the bookmark “[YourWebsite] Access” (step (7) above)

Simple: no need for a cron job (which continuously loads the server unnecessarily), and it takes a few seconds to click them (although a delay of up to 10 minutes may be required between step 1 and step 2 to allow the old DNS entry to expire if you do successive changeovers).

Questions, comments, insults, praise, suggestions and spam (of course): feel free to put them in the comments below.

Hope this helps.
