13 February 2012

Protecting your Identity by enhancing WordPress Security

I know many use WordPress as their primary blog platform, both for work and personal blogging needs. It becomes crucial to protect 

  • 516,000,000+ users using WordPress
  • 8,112,782+ (3.3)
  • 29,863,395+ (3.2) by own environments. (2012 Feb 13)

There is no reason to believe these are the upper limits, with experience of using the same source for more than 9 installations.

Since this many users are using WordPress, and since I wanted to extend the security of my professional blog platform, portfolio sites and personal blog, I did research on extending the security like I can do with other open source content management systems like Drupal, Magento, Joomla, etc.

There were many discussions online about the inability to change the admin login URL from the default wp-admin/. It is partially true, as you can't change the WordPress URL without a lot of dependency checks. (Maybe you can, but it needs more than 8+ expert level on Unix/PHP/coding and logic, so let's talk about the common souls like me, while the ideal bet is to do a regex match and replace wherever your pattern matches the expression.)

There are two plugins from the http://wordpress.org/extend/plugins/stealth-login/ 

Sabre 

Version 1.2.0
Updated 2011-1-28
Downloads 66,313

Sabre is extremely well documented and feature rich, with options to choose the complexity of captcha, math, detection of JavaScript, invite-only registration and so on. Sadly the last update was on 28 Jan 2011, but it is very much compatible with WordPress 3.3.1.

Hide Login

Version 2.0
Updated 2012-1-29
Downloads 1,489

This plugin does what its name says: it changes the login URL for the administrator and users to custom URLs instead of the generic wp-admin, and stops users from using wp-admin directly. However, this doesn't seem to be foolproof, but it solves the purpose to some extent.

There are more solutions available on hardwiring your Apache: http://www.askapache.com/wordpress/htaccess-password-protect.html , http://blogsecurity.net/wordpress/article-210607
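
A minimal form of the Apache-level password protection mentioned above, as an added example that is not taken from this post or the linked articles. It assumes Apache 2.4 with per-directory overrides (AllowOverride AuthConfig) enabled; the file paths, realm name and account name are placeholders.

```apache
# Added example. Paths, realm and user name are placeholders.
# Create the password file outside the document root, for example:
#   htpasswd -c /etc/apache2/example-blog.htpasswd editor
# Basic auth only base64-encodes the password, so serve the site over HTTPS.

# ---- <wordpress-root>/.htaccess ----
# Ask for an HTTP password before the WordPress login form is even served.
# This works with or without a login-renaming plugin in front of it.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile "/etc/apache2/example-blog.htpasswd"
    Require valid-user
</Files>

# ---- <wordpress-root>/wp-admin/.htaccess ----
# Same gate for everything under wp-admin/.
AuthType Basic
AuthName "Restricted"
AuthUserFile "/etc/apache2/example-blog.htpasswd"
Require valid-user

# Themes and plugins call admin-ajax.php on behalf of anonymous visitors,
# so it has to stay reachable or front-end features break.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Because the check happens in Apache before PHP runs, it applies regardless of which login plugin is installed, and failed attempts show up as 401 responses in the Apache access log.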

A more interesting story behind the motivation for this blog post comes from the search I made to see if I could actually use WiKID, a two-factor authentication method (http://www.wikidsystems.com/); the result was a URL showing how we can actually achieve this, with a few tweaks to Apache: http://www.howtoforge.com/secure-your-wordpress-blog-administration-with-two-factor-authentication

I think I will choose not one but a combination: two-factor auth with WiKID plus Hide Login for the less complex ones, and WiKID + Sabre for the critical ones.

I think it was great learning, and it is worth mentioning credit to the guys who contributed the stories and the ways to solve my problem.

Please check for the dependencies and start your journey with WordPress Sabre, Hide Login and WiKID.
