Programming Archives - Webx Networks

How to Protect WordPress Admin Login

wordpress protected web hosting
WordPress hosting has becoming very popular because of its flexibility and ease of use. WordPress is as secure as your login to its admin interface (if you keep all plugins/themes and core engine to latest stable release). Since WordPress requires the admin login for management, it is available by default on public Internet for access. There are many techniques and plugins used by WordPress users to protect their websites and admin login. Some of them are

  1. Use secure password
  2. Use another username for admin instead of “admin”
  3. Use additional plugins to protect against attacks

These are all good measures, but what if your password is leaked through other means? If your own computer is hacked and you enter your correct WordPress admin username and password, then a hacker will have access to it. In this case, there is no need for any brute force attack. Your password can be very strong but if hacker has it, they can login easily.

Apache mod_rewrite Protection

Here is a simple technique that you can use to protect the admin login and restrict it to your IP addresses. Even if hacker gains access to your admin username/password, they cannot login to WordPress unless they hijack your computer as well.

All you have to do is edit .htaccess file in WordPress root folder and right above the Permalink WordPress mod_rewrite rules, add these rules:

#Restrict WP Login IPs
RewriteEngine On
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule ^(.*)$ [R=301,L]

RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule ^(.*)$ - [F]

In the above code, replace with your own IP address. If you have multiple admin users that need access, you can repeat that line to add more IP addresses one after the other. And replace with your own website. That will redirect unauthorized users to your website home. Or you can use another web page that you want to show such users.

This file can be edited via FTP or cPanel. If you do not have a static IP address from your ISP, you can change the IP in .htaccess file when you need to work in admin interface. If your FTP or cPanel access is leaked, then you have a bigger problem to handle.

We hope this is useful for you and if you have any comments or questions, you can leave them here. Thank you.

Website Hacked – How to secure it?

hackedThis article applies to general security of websites with emphasis on Linux cPanel based shared web hosting. These are some of the best practices that can help prevent hacking. And if the website gets hacked, some steps that should be taken to properly secure it. 

1. Update Web Applications Regularly

First thing you should do is to check vendor/developer websites for all of the web scripts/applications (e.g. WordPress, Joomla, Drupal etc.) used in your account for any updates. This includes any addon modules you may be using in any web applications. If you are using any open source web application, that may be the prime suspect. However, you must check all and keep them up to date. Search on google or security related websites for any known exploits in public knowledge for any web application in your use. For example if you are using WordPress or Joomla, you must get yourself registered in their mailing lists and update to latest stable release or whenever they release a security patch. The window of opportunity for hackers should be kept minimum. We do this for a number of websites that we maintain and they have never been hacked in 17 years.

2. Audit Files in Your Account

Once you have verified that 100% of scripts/web applications are on latest stable version, you will need to go through all files of your account and make sure none is uploaded by hackers before you audited. Remove any unattended install of any applications. For example if you installed a web app to test it out and forgot to remove it.

Go through all files in your folders and check for timestamp of file changes. There may be files in folders you would never imagine. You can use ftp or cPanel File Manager to go through all files under public_html and compare them with your local copy. [You should always maintain a local copy for this comparison as well as backup] – especially check any modified files for any code injected into it.

Typical locations for hackers to install malicious scripts is images folder or web app upload folder.

3. Strong Passwords

Make sure all passwords are mix of alpha-numeric and not any dictionary word. Just because you thought of a difficult word from dictionary does not make you safe. Reset all passwords if you are hacked, including email, database, web app logins, and any control panel. Hacker may have already scanned all your files to pick e.g. database password for future attacks.

4. MySQL Security

The MySQL database access for a web application should be through separate database users. Do not use your main account user/pass for it. Your main login should never be stored in any file in your account. If you need to access MySQL remotely, make sure you allow only your static IP for access.

5. Archive Raw Logs

In your cPanel, activate archive option of your web logs in Raw Log Manager. This will give you the opportunity to check how the hacker exploited one of the scripts. Otherwise all raw logs are cleared after generating stat reports. If you have already been hacked, it is too late now but you can archive the logs for future attacks.

6. Old Web Applications

If you have customized a web application with modifications or modules, make sure it is also latest stable. Many popular web application may be stable but one of the addon mods are exploitable, which may not be maintained any more. Avoid using them. Only use well maintained code in your account.

7. Sanitize Input Data

If you have developed some code yourself, make sure all input variables are sanitised (checked for valid data before using it). Otherwise a single line of bad code can give access to your entire account. The usual mistakes are (a) to include a file based on user input (b) passing the data as it is to database or other scripts without sanitising it. Again, make sure all input to a script is checked for valid data. All exploits are based on input data. If your site does not take any input, you are 100% safe from web exploits, i.e. if you run 100% static html site with no script whatsoever anywhere in your account.

8. PHP Scripts Security

For php scripts, any application that uses register_globals to be active has more chances of being exploitable. Avoid such applications. In latest php, register_globals are no longer active so this type of exploits are going down.

9. Email Scripts Header Injection

If you have an email script for a contact form, make sure it is safe from header injection. In essence make sure that email address, subject and other part of data that is being submitted by user does not contain line breaks. If any line break comes in, the script should block such attempts. With such header injection spammers can use your account and server to send huge spam.

10. Open Source Responsibility

Using open source free web applications is great but you have to maintain it by regular updates or you can loose all your data and site if a new exploit is released. And as a hosting account owner, it is your responsibility that you maintain such applications and keep your account protected.

If your site has been running fine for years, it does not mean there were no security holes in it. It actually means that exploit was unknown or you were lucky that no one exploited it before.

Also avoid using open source software (including any plugin/theme) that is not well maintained or has been abandoned by the developer. Another indicator would be high number of critical exploits discovered for it in the past, meaning the code base is not very secure and more exploits could be discovered in future.

11. Secure Configuration Files

If you are on a shared hosting account, for added security, change the permissions of your configuration files (having database credentials in them) to “660”. You can do that via ftp, ssh or file manager. For example via ssh: chmod 660 config.php

12. Protect Administration Sections

Again for additional security if you can block access to certain administrative sections of your site do that by giving access to only authorized IP addresses and blocking access for everyone else. Or password protect it. This can be done using .htaccess file or Password Protected Folders.

13. Uploaded Files

If there is any file upload facility in your account, make sure that only authorized users can use it. It should also have some sanity check on what type of files are allowed. This is one of the easiest entry points for hackers.

Also the uploaded file should not be accessible via web URL directly. They should be stored outside of public_html unless (a) it is only uploaded by a site admin (b) checked and validated that it does not contain malicious data.

14. URL Forwarding / Webmail

If there is any URL forwarding or Webmail facility for your site membership, make sure access is restricted. It should be allowed only with proper authorization, otherwise it could be used for spamming.

15. Test / Dev Installs

If you’re exploring something by installing a test instance of a web app, or you are in the process of developing a new app, lock it behind password or IP access right away.

16. World Write Folders Not Required

Since our linux web hosting servers come with suphp, you do not need any file or folder with world write permissions. The normal folder permissions should not exceed 755. And php/html files can be 644. CGI/perl scripts can be 755.

17. Software Piracy

If you download a commercial software or a plugin of a web app from suspicious website e.g. a commercial theme or plugin for WordPress, chances of that code already infected with malicious code are very high. Never download such files, and never install them on your website. Same is the case with any client software installed on your computer.

18. Educate Web Developers/Programmers About Security

Anyone who writes web application code, should be familiar with security. Here is a book that covers the web application security particularly on php: we recommend it to all. It covers different aspects of vulnerabilities found today in web applications. Remember, one single line of bad code can give access to your entire account. Writing code is easy but writing secure code needs awareness. This is not a problem of PHP or server. It is lack of security awareness and education. It should be high priority in a web development project.

Let us know if you would like to add more to these tips by posting them in comments section below.

PHP coding standard

PHP Code

PHP Code

If you are looking for PHP coding standard, the one published by Zend Framework seems reasonable to adopt. Following a coding standard and documentation is as essential as the code itself. Haphazard code with no style creates a messy code which can be very difficult to maintain. Even if you are the only coder on a project, after a few months you’ll be stuck with your own code and avoid editing it.

Properly formatted code is easy to read and follow. It is important to remember that code is not only for computers but for humans as well. We have to maintain the code by adding new features or fixing old bugs. Even if you have little documentation, a properly formatted code will take less time for another developer to read and follow. This is where coding standards help. By following a published standard other users can follow your code easily.

Back to Top

© 2022 Webx Networks.