WEB Tip for wordpress users

Discussion in 'OT Technology' started by dazmanultra, Aug 17, 2009.

  1. dazmanultra

    dazmanultra New Member

    Joined:
    Jun 17, 2002
    Messages:
    34,795
    Likes Received:
    0
    Location:
    English Countryside
    Password protect (using .htaccess and .htpasswd, or your control panel's password function) your wp-admin folder. Rename it for good measure too.

    Ideally, you should also use SSL (https), even if it is just self-signed. You can do this on any other script that has an admin panel as well, for an extra layer of protection. :o
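The setup the post describes, as an added example that is not code from the thread: an Apache .htaccess/.htpasswd lock on wp-admin plus a self-signed certificate. It assumes Apache with AllowOverride AuthConfig and the htpasswd tool installed; every path, user name and host name is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread: lock down wp-admin with HTTP Basic
# auth as the first post suggests. Assumes Apache with "AllowOverride AuthConfig"
# for the site and the htpasswd tool (apache2-utils / httpd-tools) installed.
# All paths and the user name below are placeholders.

# Reject a password file that would live inside the web root: anything under the
# document root is one misconfiguration away from being served as a page.
# Usage: htpasswd_path_ok DOCROOT HTPASSWD_FILE
htpasswd_path_ok() {
    case "$2" in
        "$1"/*) return 1 ;;   # inside the document root
        /*)     return 0 ;;   # absolute path elsewhere
        *)      return 1 ;;   # relative paths are ambiguous, refuse them
    esac
}

# Write wp-admin/.htaccess so Apache asks for a second password before WordPress
# ever sees the request. admin-ajax.php is exempted because themes and plugins
# call it from the public front end; without the exemption, logged-out visitors
# get a browser login prompt on pages that use AJAX.
# Usage: write_wpadmin_htaccess WP_ADMIN_DIR HTPASSWD_FILE
write_wpadmin_htaccess() {
    cat > "$1/.htaccess" <<EOF
AuthType Basic
AuthName "WordPress admin"
AuthUserFile $2
Require valid-user

<Files admin-ajax.php>
    Require all granted
</Files>
EOF
}

# Create the password file with bcrypt hashes (-B); drop -c to add a user to an
# existing file. htpasswd prompts for the password, so it stays out of history.
# Usage: create_htpasswd HTPASSWD_FILE USER
create_htpasswd() {
    htpasswd -B -c "$1" "$2" && chmod 640 "$1"
}

# Self-signed certificate for the https point in the same post: the browser will
# warn about it, but the Basic-auth credentials no longer cross the wire in clear.
# Usage: make_selfsigned_cert KEY_OUT CERT_OUT HOSTNAME
make_selfsigned_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1" -out "$2" -subj "/CN=$3"
}
```

Keep the .htpasswd file outside the document root and remember the admin-ajax.php exemption, which most "protect wp-admin" recipes forget until the front end breaks.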
     
  2. twenty

    twenty resident nerd

    Joined:
    Jan 19, 2008
    Messages:
    88
    Likes Received:
    0
    Location:
    Canada
    Truth be known.

    There was a security flaw released last week about the wp-login.php script where any user could send the administrator a password reset for the administrator's account, heh.
     
  3. Pepsi1975

    Pepsi1975 Mod of the Year

    Joined:
    Jan 6, 2005
    Messages:
    47,590
    Likes Received:
    1
    Location:
    Detroit
    Some guys tried it here and it sent emails to you with the password.
     
  4. Pepsi1975

    Pepsi1975 Mod of the Year

    Joined:
    Jan 6, 2005
    Messages:
    47,590
    Likes Received:
    1
    Location:
    Detroit
  5. dazmanultra

    dazmanultra New Member

    Joined:
    Jun 17, 2002
    Messages:
    34,795
    Likes Received:
    0
    Location:
    English Countryside
    Whether or not the latest exploit works, renaming and password protecting mitigates somewhat against future exploits that aren't yet known about. :o
     
  6. redna

    redna New Member

    Joined:
    Oct 24, 2001
    Messages:
    2,614
    Likes Received:
    0
    What happens when you update if you rename wp-admin?
     
  7. Insert Tokens

    Insert Tokens Making Cancer My Bitch OT Supporter

    Joined:
    Jan 12, 2006
    Messages:
    8,329
    Likes Received:
    76
    Location:
    Tasmania
    You can't just rename the wp-admin directory without doing a search-replace for the path in all the associated files.

    Also the exploit found didn't do SHIT, it just reset your password. It didn't give them access.
     