Securing WordPress Admin

In today's online world, security is a top concern. For WordPress maintainers, keeping your installation, themes, and plugins updated is an essential first step, but there are many other things that should be taken into consideration. Today I am curious to get your feedback specifically on locking down the admin section of your WordPress site; after collecting those results I will throw together a post with some links to some really great material on locking things down in a more generalized fashion.

Now as far as the admin section goes, I use a server-side technique that requires both a password and me being at a specific IP address to access the wp-admin section. That may be too strict for most, particularly those on mobile, so here is a little snippet that will force Apache to require a username and password (all of which are stored server-side) before even displaying the page.
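The Apache configuration that does this, written here as an added example rather than the post's own snippet. It assumes Apache 2.4 (mod_auth_basic and mod_authz_core loaded), a WordPress document root of /var/www/example, and a credentials file at /etc/apache2/wp-admin.htpasswd; all three paths are assumptions.

```apache
# Added example, not the original post's snippet. Assumed paths; adjust to your server.
# Create the credentials file outside the document root first:
#   htpasswd -c /etc/apache2/wp-admin.htpasswd alice
# Put this in the site's <VirtualHost>, or the inner directives in /wp-admin/.htaccess.

<Directory "/var/www/example/wp-admin">
    AuthType Basic
    AuthName "Restricted admin area"
    AuthUserFile "/etc/apache2/wp-admin.htpasswd"
    Require valid-user

    # Stricter variant from the post (password AND a fixed source address):
    # replace the Require above with
    #   <RequireAll>
    #       Require valid-user
    #       Require ip 203.0.113.10
    #   </RequireAll>

    # admin-ajax.php is requested by themes and plugins on behalf of anonymous
    # visitors, so leave it reachable or front-end features that use it break.
    <Files "admin-ajax.php">
        Require all granted
    </Files>
</Directory>

# wp-login.php lives outside /wp-admin. Without this block the login form,
# and any password guessing against it, never sees the Basic auth prompt.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted admin area"
    AuthUserFile "/etc/apache2/wp-admin.htpasswd"
    Require valid-user
</Files>
```

Serve the site over HTTPS, since Basic auth sends the credentials base64-encoded rather than encrypted; check the result by requesting /wp-admin/ and /wp-login.php and confirming both answer 401 until the credentials are supplied.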

*** Update: A great discussion resulted on Facebook from sharing this post and I learned something extremely useful. There is a Google Authenticator WordPress plugin which enables two-factor authentication via the Google Authenticator app/service. I already use this technology for a variety of other sites/services, so naturally it was a no-brainer to use it for WordPress.

Here is some important information to keep in mind when using this plugin from Justin Dessonville:

"The key is to make sure you have your WordPress general settings timezone set to whatever time zone your phone is in. I'm not sure how this would work if you travel across time zones a lot, but it could potentially lock you out if it's not set up right. Regardless, when both your phone & WordPress instance are set to the same time zone it's been solid for me."

To recap: after the update, I am still using Apache/htpasswd to protect the /wp-admin part of the site, but I have removed the IP checking in favor of the two-factor authentication. I feel just as secure (if not more) and I don't have to worry about tunneling in via VPN to satisfy the IP check.

The World In Links [August, 2012] -- HTML5, Markdown, Node.js

The World In Links by Nicholas Kreidberg

Apache - An introduction to the web server.
CodeIgniter - Advanced techniques and tricks.
Development - The principles of agile.
HTML5 - Best practices.
JavaScript - The key principles of maintainable JS.
Markdown - The ins and outs.
Node.js - Create a resumable video upload tool.
Node.js - Screen scraping.
PayPal - Processing payments w/ PHP.
Photography - The awe inspiring fury of Mother Nature.
PHP - Test-Driven Development, first steps.
Responsive Design - A case study.
System Admin - Using nmon to monitor system performance.

Virtual Hosts w/ MAMP

I recently had a need to add some virtual hosts to my local MAMP setup and while it was fairly straightforward I figured I would share some quick tips. For the purposes of this post I am assuming you are using the default MAMP settings, including running Apache on port 8888. In this example I am building a new CodeIgniter installation and setting the document root to /Develop/CI.

First off let's go ahead and add an entry to our /etc/hosts file so that we can access the virtual host.

127.0.0.1 ci.here

The line above in the /etc/hosts file will allow you to access your CodeIgniter install by visiting http://ci.here:8888, but first we need to update our Apache configuration.

Next up we need to modify our httpd.conf file which in a default MAMP installation is located in: /Applications/MAMP/conf/apache/httpd.conf.

Now go ahead and start up MAMP. Everything should come up clean, but if for any reason Apache doesn't start, fire up a terminal window, cd to /Applications/MAMP/bin and type the following.

sudo ./startApache.sh

Enter your password and boom, everything should be up and running and your newly created virtual host should be accessible.

For a more complex method which is particularly good if you are going to create multiple virtual hosts or want to run on the default port 80 I highly recommend this article.