
WordPress security is often very strong straight out of the box. Though many say that open-source software is insecure, I beg to differ. Within hours of a security flaw being reported in the code, WordPress, and mostly @nacin, had fixed the code and pushed a security update. That's hours, not days like the big corporate companies (cough Adobe).
Nevertheless, I love to make it even more secure, and I think I have done that. Introducing Lockdown WP Admin, a neat plugin to help you lock down WordPress's admin interface.
It does two things: it hides the WordPress admin interface from non-logged-in users, and it provides built-in HTTP Authentication. With the admin interface hidden, a visitor who is not logged in and requests domain.com/wp-admin/ is not redirected to the login page; they receive a 404 Not Found error instead, as if the page did not exist.
HTTP Authentication puts a second login in front of WordPress's own. You can control it in two ways: it can ask for your WordPress login credentials, or you can create your own set of custom usernames and passwords. Either way, an unauthorized user has to get past two prompts before reaching the admin interface. Over at @teensintech, our authors log in with their own WordPress credentials and then must log in again with a second username and password, to be twice as secure. That may not be the best practice possible, but I think it reduces my exposure to brute-force attacks. One caveat: HTTP Authentication sends the credentials with every request, and with Basic auth they are only base64-encoded, not encrypted, so serve the admin area over HTTPS or the second password is readable on the wire.
You can download version 1.0.2 at http://wordpress.org/extend/plugins/lockdown-wp-admin/. I'd also love it if you could support me and my other plugins by donating!
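As an added example (written for this page, not the Lockdown WP Admin plugin's own code), here is a small standalone WordPress plugin in PHP that does the two things described above: it answers /wp-admin/ with a 404 for visitors who are not logged in, and it can put HTTP Basic authentication in front of /wp-admin/ and wp-login.php, checked either against WordPress credentials or against a private user list. The ALE_ constants, the ale_ function names and the sample "editor" account are assumptions made up for the example; the settings would normally live on an options page, not in constants. The 404 path also handles a theme with no 404.php, and the optional wp-login.php hiding is off by default because turning it on with no other way in locks everyone out.

```php
<?php
/*
Plugin Name: Admin Lockdown (added example)
Description: Illustrative example, not the Lockdown WP Admin plugin's code. Hides /wp-admin/ from visitors and fronts the admin area with HTTP Basic auth.
*/

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only meaningful when loaded by WordPress.
}

// Assumed settings for this example; a real plugin reads them from its options page.
define( 'ALE_HIDE_WP_ADMIN', true );       // 404 for /wp-admin/ when not logged in.
define( 'ALE_HIDE_WP_LOGIN', false );      // 404 for wp-login.php too (needs HTTP auth or another login form, else lockout).
define( 'ALE_REQUIRE_HTTP_AUTH', true );   // Demand HTTP Basic credentials before anything else.
define( 'ALE_USE_WP_CREDENTIALS', false ); // true: check against WordPress users; false: the private list below.

/**
 * Private HTTP-auth users (constructed sample data). The hash is computed at load time only
 * to keep the example self-contained; in practice store the output of password_hash() once
 * and never keep the plaintext anywhere.
 */
function ale_private_users() {
    static $users = null;
    if ( null === $users ) {
        $users = array(
            'editor' => password_hash( 'correct horse battery staple', PASSWORD_DEFAULT ),
        );
    }
    return $users;
}

/** True when the request targets the admin interface or the login page (AJAX and cron are left alone). */
function ale_is_protected_request() {
    if ( ( defined( 'DOING_AJAX' ) && DOING_AJAX ) || ( defined( 'DOING_CRON' ) && DOING_CRON ) ) {
        return false;
    }
    $pagenow = isset( $GLOBALS['pagenow'] ) ? $GLOBALS['pagenow'] : '';
    return is_admin() || 'wp-login.php' === $pagenow;
}

/** Verify HTTP Basic credentials against the chosen backend. */
function ale_check_credentials( $user, $pass ) {
    if ( ALE_USE_WP_CREDENTIALS ) {
        // wp_authenticate() returns a WP_User on success and a WP_Error otherwise.
        return ! is_wp_error( wp_authenticate( $user, $pass ) );
    }
    $users = ale_private_users();
    if ( ! isset( $users[ $user ] ) ) {
        // Spend the same time on an unknown user as on a wrong password, so timing does not reveal usernames.
        password_verify( $pass, password_hash( 'dummy', PASSWORD_DEFAULT ) );
        return false;
    }
    return password_verify( $pass, $users[ $user ] );
}

/** Send a 401 with a Basic challenge so the browser shows its login prompt. */
function ale_send_401() {
    status_header( 401 );
    nocache_headers();
    header( 'WWW-Authenticate: Basic realm="WordPress admin"' );
    exit( 'Authentication required.' );
}

/**
 * Send a 404. The theme's 404.php is used for wp-login.php but not inside wp-admin: theme
 * templates may render the admin bar, which expects wp-admin includes (get_current_screen(),
 * for one) that are not loaded yet at init. A theme without 404.php makes get_404_template()
 * return '', so the template is never included blindly; a plain page is sent instead.
 */
function ale_send_404() {
    status_header( 404 );
    nocache_headers();
    $template = is_admin() ? '' : get_404_template();
    if ( '' !== $template && is_readable( $template ) ) {
        include $template;
    } else {
        header( 'Content-Type: text/html; charset=utf-8' );
        echo '<!DOCTYPE html><html><head><title>Not Found</title></head><body><h1>Not Found</h1></body></html>';
    }
    exit;
}

function ale_lockdown() {
    if ( ! ale_is_protected_request() ) {
        return;
    }
    $http_authed = false;
    if ( ALE_REQUIRE_HTTP_AUTH ) {
        $user = isset( $_SERVER['PHP_AUTH_USER'] ) ? $_SERVER['PHP_AUTH_USER'] : '';
        $pass = isset( $_SERVER['PHP_AUTH_PW'] ) ? $_SERVER['PHP_AUTH_PW'] : '';
        if ( '' === $user || ! ale_check_credentials( $user, $pass ) ) {
            ale_send_401();
        }
        $http_authed = true; // Passed the first prompt; WordPress's own login is still required.
    }
    if ( $http_authed || is_user_logged_in() ) {
        return;
    }
    if ( ALE_HIDE_WP_ADMIN && is_admin() ) {
        ale_send_404();
    }
    if ( ALE_HIDE_WP_LOGIN && isset( $GLOBALS['pagenow'] ) && 'wp-login.php' === $GLOBALS['pagenow'] ) {
        ale_send_404();
    }
}
add_action( 'init', 'ale_lockdown' );
```

Two practical notes. When PHP runs as CGI or FastCGI, PHP_AUTH_USER and PHP_AUTH_PW are empty unless the web server forwards the Authorization header, so every password is rejected at the browser prompt even when it is correct; check that before suspecting the credentials. And because all of this lives in one plugin file, deleting that file over FTP removes the lockdown and restores normal access, which is the escape hatch to keep in mind before enabling it.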

I am confused by one thing: How does one login after the /wp-admin/ is hidden?
Is an alternative created? or do you have to use something like /wp-login.php ?
There should be a touch more documentation on that. Thanks!
Hey Nathan,
Ideally you should have a login area on your actual website, so when you log in, you'll be able to access /wp-admin – if you have no sign-in form on your website other than your /wp-admin – you'll need to access /wp-login.php
This is something the creator of the plugin forgot about – this should not be possible to access either, but for now you can use it.
Now, you can change the login area entirely. Meaning that if you went to either /wp-admin/ or /wp-login.php, you wouldn't be able to login.
You would only be able to login at a specified URL.
Hey, your plugin is cool. Just an update: if the theme does not have 404.php and one tries to access wp-login.php, then a fatal error comes.
I fixed it locally. Maybe you can update it using twentyten as well.
I installed the plugin and enabled http auth but now it won't accept my password. It is my correct admin password. Is there any way to bypass or disable the plugin?
PS I can log in to WP but I can't get to wp-admin.
I just deleted the plugin from the database.
Where in the DB do I do that? The password I created locked me out too. I should have not been lazy and just manually edited my .htaccess file. Thanks for the help in advance.
I do not understand the usefulness of this plugin. I have installed it and followed the instruction . . . if you call 'em instructions.
After the first login I got 404 and unable to access the admin console. I had to FTP my website and ERASE the plugin to re-gain control.
Either you explain how to use it with a manual or do not publish this rubbish.
. . . my 2 cents
Hi Mario,
I'm sorry to hear that you had problems with the plugin. However, it is free open-source code. Nobody is forcing you to use it. Quite a bit of work and a chunk of my time was put into it, so saying that when I'm giving it out for free is quite hurtful.
If it doesn't work for your host, uninstall it.
Well, I've given the plugin a test run and maybe I don't know much about coding, but didn't you forget to also hide the wp-login.php? Because I was able to go to that link just fine with the plugin activated. You seem to be on the right track but you may have left a door open.
It is hidden if you change the login path via the Lockdown WP Admin admin panel.
Great plugin. Seems to conflict to Duo Two-Factor Authentication, but I'll live. Great stuff!
Works great for me, so far! Thank you for this plugin! The only thing is that the 404 page when you go to /wp-admin doesn't display exactly like it does if you go to another page that doesn't exist. When you go to /wp-login the 404 page does display properly. What is causing this? How can I fix it?
I've noticed this too. The "regular" 404 Page is okay for all other non-existing file names but look for "wp-admin" and you get a broken (visually speaking, that is) 404 Error.
Not a big deal, but does appear quite jarring!
Hi Sean,
Nice work, but… when will there be a fix for the 404.php 'fatal error' issue?
Regards.
Hi,
Really impressed by your work, but I think I messed up in the password phase; actually I selected HTTP security with WordPress credentials, and the login from the browser pops up, but I can't log in with my local user & password…
I think I should erase the tables in the DB; there is some setting not allowing me to reinstall the plugin… Are there plugin-related data in the DB?
Thanks.
Marco
Hi
If I go to http://www.mysite.dk/wp-login.php I get a 404 page, with theme styling but no headline. If I type anything else, that will return a 404 page I get the correct 404 page.
Very nice plugin. I do have one problem though. If I am not logged in, and enable hide wp admin, and then go to: http://www.mysite.dk/wp-admin I get a kind of 404 page, but without theme styling or anything. Rather ugly actually
Does anybody else have this issue, and are there any solutions?
Best regards, and thanks
In addition to what HCE, moncalvm, and Schmeling noted, I am having problems getting that "double barrier" of security with the HTTP authentication, whether private or WP….
Never mind; things are "magically" working fine now, all on their own! Maybe my browser or server cache wasn't cleared or something, but now I'm practically asked all the time to log in twice (just how I like it)!
Thanks for a great plugin…no need for donations?? Way too cool!!!
Change the WordPress Login URL – stopped any possibility to log in any way. There is no possibility via wp-admin (showing nice 404) and my__inserted_name seems to not exist (404 Not Found).
The disable_auth.txt file did not help.
Any chances to regain access? Any tips on "How can it be done?"
I found a decent tip in the code:
1. If you are ever locked out, you can just delete the plugin files via FTP (/wp-content/plugins/lockdown-wp-admin/) and you will be able to login again.
-worked fine
Hi Sean,
On a fresh WP 3.2 installation I have installed the plugin and while it hides WP-Admin and WP-login the WordPress Login URL does not "take" – even if I click the link on the Lockdown WordPress Admin page I get a 404 message
I have the same problem. I assume it's something I/we are doing wrong. I haven't added private users and I have left HTTP authentication on "Disable HTTP Auth". Do I need to change these settings?
WordPress 3.3.1 with bbPress plugin installed
Thanks for your work on this Sean, great plugin
Bump!
Hi,
I have a problem: when I access wp-admin it gives me this error
Fatal error: Call to undefined function get_current_screen() in /home/public_html/wp-includes/admin-bar.php on line 415
Please help, what should i do? Thanks in advance
Awesome plugin – thanks so much Sean!
I am also getting the above mentioned error message "Fatal error: Call to undefined function get_current_screen()… on line 415" on the 404 not found page that results from this url: http://webweavers.catswebweave.com/wp-admin/
So I am wondering about that – is there an update planned soon? I want to show my WordPress students how to use your plugin as a workaround for creating an .htaccess file for the wp-admin folder.
Thank you!
-Cat http://BecomeaWebWeaver.com