WordPress, vBulletin, PHPBB, <insert name of your favourite PHP script with admin backend here>. All very fantastic scripts that work to make our websites even more awesome. It’s no surprise that with scripts this popular, security vulnerabilities are found from time to time. Whilst these are often not that serious, what can we do to make these even more secure?
One method we often implement on our own sites, and suggest to clients, is to lock down the administration backends of their scripts by IP address. This isn’t an ideal solution if you have a dynamic IP address or want to access things on the move, but it can dramatically reduce the “hack” attempts on your websites, even if someone manages to obtain your password!
To explain what we mean, imagine a clean installation of WordPress. Most people know that to access the WordPress admin panel you simply add /wp-admin/ to the end of the URL, right? To add an additional layer of security, we can create a very simple .htaccess file in this wp-admin folder, denying access to everyone except a single IP address:
# Apache does not allow comments on the same line as a directive, so they go on their own lines.
# Evaluate Deny first, then let Allow override it
Order Deny,Allow
# Deny access to everyone
Deny from all
# Allow our IP address
Allow from 127.0.0.1
# Redirect anyone who is refused
ErrorDocument 403 http://www.google.com
Simply broken down, this .htaccess file will deny everyone access to the wp-admin folder except for the IP address(es) listed in the “Allow from” lines. Anyone not in that list will be redirected to the URL given in the “ErrorDocument 403” line. As you can probably guess, even if they have a valid username and password, it won’t make any difference. If their IP address isn’t in the file, they aren’t getting in!
To use this you would naturally replace “127.0.0.1” with your IP address. Not sure what your IP address is? Find out here. Want to add multiple IP addresses? Just add multiple “Allow from” lines, one after the other.
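The same lockdown, as an added example that is not part of the original post: Deny/Allow only work on Apache 2.4 if mod_access_compat is loaded, so this version uses Require ip on 2.4 and falls back to Order/Deny/Allow on 2.2, and shows several addresses plus a CIDR range. The addresses are placeholders; the module names are the real Apache module names.

```apache
# wp-admin/.htaccess - allow-list the admin folder by client IP address.
# Addresses below are placeholders; replace them with your own.

# Apache 2.4 and later (mod_authz_core). Several Require lines in a
# directory context are treated as "any one of these may match".
<IfModule mod_authz_core.c>
    Require ip 203.0.113.10
    Require ip 203.0.113.20
    # A whole office range can be allowed with CIDR notation
    Require ip 198.51.100.0/24
</IfModule>

# Apache 2.2 (mod_access). Deny is evaluated first, Allow overrides it.
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.10
    Allow from 203.0.113.20
    Allow from 198.51.100.0/24
</IfModule>

# Anyone refused is redirected instead of seeing the stock 403 page
ErrorDocument 403 http://www.google.com
```

Note that wp-login.php lives in the site root, not in wp-admin, so the same rules need to go in a root .htaccess inside a <Files wp-login.php> block to cover the login page as well. If the site sits behind a reverse proxy or CDN, Apache sees the proxy’s address rather than the visitor’s, so the allow list must be applied to the real client address (for example with mod_remoteip) or it will lock everyone out or let everyone through.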
A very quick and “dirty” tip, but one that can often be very useful for those with static IP addresses.