Securing WordPress Admin

In today's online world, security is a top concern. For WordPress maintainers, keeping your installation, themes, and plugins updated is an essential first step, but there are many other things that should be taken into consideration. Today I am curious to get your feedback specifically on locking down the admin section of your WordPress site, and after collecting those results I will throw together a post with some links to some really great material on locking things down in a more general fashion.

Now, as far as the admin section goes, I use a server-side technique that requires both a password and me being at a specific IP address to access the wp-admin section. That may be too strict for most, particularly those on mobile, so here is a little snippet that will force Apache to require a user name and password (all of which are stored server-side) before even displaying the page.
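As an added illustration of the Apache side of that setup (this is example configuration written for this page, not the post's own snippet), the fragment below gates /wp-admin and wp-login.php behind HTTP Basic auth and, optionally, a source-IP check. It assumes Apache 2.4, a placeholder password file path created with `htpasswd`, and a placeholder network range; adjust both to your own environment.

```apache
# Added example, not the original post's snippet. Assumes Apache 2.4 and a
# password file created beforehand with (placeholder path and user):
#     htpasswd -c /etc/apache2/wp-admin.htpasswd alice
# Put this in the site's VirtualHost; the IP range is a placeholder.
<Location "/wp-admin">
    AuthType Basic
    AuthName "WordPress Admin"
    AuthUserFile "/etc/apache2/wp-admin.htpasswd"
    # Both conditions must hold: a valid htpasswd user AND an allowed source.
    <RequireAll>
        Require valid-user
        Require ip 203.0.113.0/24
    </RequireAll>
    # To drop the IP check (password only, as in the post's later setup),
    # replace the RequireAll block with a single line:
    #     Require valid-user
</Location>

# The login form itself must be gated too, or it stays reachable directly.
<Files "wp-login.php">
    AuthType Basic
    AuthName "WordPress Admin"
    AuthUserFile "/etc/apache2/wp-admin.htpasswd"
    Require valid-user
</Files>

# Themes and plugins call admin-ajax.php from the public front end without
# credentials. This later, more specific section replaces the requirement
# above for that one file so public AJAX keeps working while the rest of
# /wp-admin stays protected.
<Location "/wp-admin/admin-ajax.php">
    Require all granted
</Location>
```

Test the result from a browser that is not logged in: /wp-admin and wp-login.php should prompt for the server-side credentials, while a front-end AJAX call to admin-ajax.php should still succeed.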

*** Update: A great discussion resulted from sharing this post on Facebook, and I learned something extremely useful. There is a Google Authenticator WordPress plugin which enables two-factor authentication via the Google Authenticator app/service. I already use this technology for a variety of other sites/services, so naturally it was a no-brainer to use it for WordPress.

Here is some important information from Justin Dessonville to keep in mind when using this plugin:

"The key is to make sure you have your WordPress general settings time zone set to whatever time zone your phone is in. I'm not sure how this would work if you travel across time zones a lot, but it could potentially lock you out if it's not set up right. Regardless, when both your phone & WordPress instance are set to the same time zone it's been solid for me."

To recap: after the update, I am still using Apache/htpasswd to protect the /wp-admin part of the site, but I have removed the IP checking in favor of the two-factor authentication. I feel just as secure (if not more so), and I don't have to worry about tunneling in via VPN to satisfy the IP check.

Your Password

With all of the recent security breaches, and the fact that many very large organizations are still using encryption routines that were popular over a decade ago, we should all take a step back and look at how we manage our online security. Most people that I talk to have a couple of passwords that they just recycle for all of their online accounts: generally one password for sites they don't care much about and then a slightly stronger one for sites that are more important. While this makes recalling your password incredibly simple, it also means that if someone were to crack either one of those passwords they would have access to multiple sites, and that is definitely a very bad thing.

How do we solve this problem? You could spend hours trying to memorize dozens of unique passwords or you could let technology do all the work. 1Password is an outstanding utility that not only solves the issue of having to remember unique passwords for different sites but it also takes things a step further and enables you to store other types of (encrypted) information.

How does it work? You set up a master password with 1Password which "unlocks" the application and grants you access to the credentials/data that you have stored in the application. The application can then sync your (encrypted) database via Dropbox to all of your desktop machines, mobile devices, etc. 1Password also integrates with your browser, so when you visit a site that it has credentials stored for, you can log in to the site with just a couple of clicks.

How does this make things more secure? As I said, you only need to remember one single password now, so you can have 1Password generate a 20-40 character password for each site/service that you log in to. This means all of your sites have unique passwords, so that if one gets compromised it can't be used on another, and the passwords are so long/complex that they are far less likely to be cracked in a brute-force attempt. I recently spoke with a data security specialist whom I think highly of, and he said that as far as passwords are concerned, length is far more important than complexity. The beautiful thing about 1Password is that you can have your cake and eat it too, because their generated passwords are fairly complex (you can even tweak how complex you want them) and you get to select the length; everything is in your control.

How do I get things set up? The one and only potential downside to 1Password is the cost of entry. The desktop application is $49.99 (single user license) and the universal iOS app (required for using 1Password on Apple mobile devices) is $14.99. You can try the desktop app (and browser plugins) free for 30 days to make sure that the system works for you, but only 5 days into my trial I realized I couldn't live without it and purchased the desktop and mobile versions of the app.

More than anything, after reading this article I hope that people stop for a minute and think about how they are securing their online identity and how they might make improvements to that process. I happen to think that 1Password is the ideal solution for managing this type of secure data, but there are many other alternatives out there, including the open source KeePass, LastPass, RoboForm, and many others.

The World In Links [April, 2012] -- Code, Mobile, Ruby

The World In Links by Nicholas Kreidberg

Code - My recently updated projects on GitHub.
GitHub - Instantly Beautiful Project Pages.
HTML5 - Toying w/ the HTML5 File System API.
Lifestyle - 8 tips to simplify your work life.
Mobile Security - The top 10 Security Tools For Your Smartphone.
MongoDB - A year with Mongo.
Monitoring - Monitor your Website’s Uptime with Google Docs.
Phono - A simple jQuery plugin and JavaScript library that turns the browser into a phone.
Photography - A showcase of landscape photography.
Ruby - Teach your children Ruby with Kidsruby.
Snippets - Awesome sites to find useful code snippets.
WordPress - Useful action hooks and filters.