Secure Your Wordpress Blog Administration With Two-Factor Authentication

 
Submitted by nowen on Thu, 2009-09-10 12:01. :: Linux | Apache | Security


WordPress is a very popular blogging platform. It was recently hit by a disturbing vulnerability that allowed an unauthenticated attacker to reset the administrator's password. A patch for that vulnerability is available now, but a static password remains a single secret that can be guessed, phished or leaked, so wouldn't it be better not to rely on one at all?

It is actually quite simple to add two-factor authentication to WordPress.

First download and install the HTTP Authentication plugin for WordPress. The plugin does not check credentials itself: it logs in whichever user the web server reports as already authenticated (the REMOTE_USER variable), so the web server, in our case Apache, becomes the login gate. We have already covered how to add two-factor authentication to Apache using RADIUS.

Activate the plugin in WordPress.

Be sure to add your WiKID username as an administrator in WordPress; the plugin maps the web-server user to the WordPress account of the same name, so the two names must match exactly. Obviously, you can add the Admin user to WiKID as well, but it might be better to have a separate account.

Now restrict /wp-admin/ and wp-login.php in Apache. Both blocks carry the same directives; the timeout and retry values keep a dead RADIUS server from hanging every login attempt:

<FilesMatch "wp-login\.php$">
   Satisfy all
   AuthType Basic
   AuthBasicProvider xradius
   AuthName "Please enter your username and WiKID one-time passcode."
   AuthXRadiusAddServer "192.168.1.171:1812" "openid_secret"
   AuthXRadiusTimeout 7
   AuthXRadiusRetries 2
   require valid-user
</FilesMatch>
<Location /wp-admin>
   Satisfy all
   AuthType Basic
   AuthBasicProvider xradius
   AuthName "Please enter your username and WiKID one-time passcode."
   AuthXRadiusAddServer "192.168.1.171:1812" "openid_secret"
   AuthXRadiusTimeout 7
   AuthXRadiusRetries 2
   require valid-user
</Location>

Two things to check before relying on this. HTTP Basic authentication sends the username and passcode base64-encoded, not encrypted, so serve these paths over HTTPS only; the passcode is single-use, but the WordPress login cookie issued after it is not, and it would otherwise travel in the clear. Also, these rules cover only wp-login.php and /wp-admin/; if any other login path is enabled, such as xmlrpc.php, it still accepts the static WordPress password, so either extend the same directives to it or disable it.

Now when you try to access the administration section of WordPress, you will be prompted for your WiKID username and one-time passcode.

You can protect the entire blog by changing the location to /wordpress/. You should also be able to use the WiKID Strong Authentication Community Edition server with mod_auth_ldap instead of RADIUS.
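The directives above hand the username and passcode to the WiKID server over RADIUS, and seeing that exchange in code makes it clear what the shared secret on the AuthXRadiusAddServer line actually protects. The following Python is an added example, not code from this article, from WiKID or from mod_auth_xradius: it implements the RFC 2865 PAP Access-Request that an Apache RADIUS client sends, the password-hiding transform, and the Response Authenticator check on the reply, with a constructed stand-in for the server so the whole exchange runs offline. The NAS-Identifier "apache", the user "alice" and the passcodes are made-up values.

```python
# Added example (not from the HowtoForge article, WiKID or mod_auth_xradius):
# the RFC 2865 PAP exchange between an Apache RADIUS client and the server.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth  # first block is chained to the Request Authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same transform; the chain runs over the hidden blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type, length (including the 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes) -> list:
    attrs, pos = [], 0
    while pos + 2 <= len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def build_access_request(identifier, username, passcode, secret, request_auth=None):
    """What the Apache side sends: User-Name plus the one-time passcode as User-Password."""
    request_auth = request_auth or os.urandom(16)  # fresh per request, never reused
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(passcode, secret, request_auth))
             + attribute(ATTR_NAS_IDENTIFIER, b"apache"))  # hypothetical NAS label
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, identifier, request_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def serve_access_request(packet, secret, expected_passcode):
    """Constructed stand-in for the WiKID server: decrypt, compare, answer Accept or Reject."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs = packet[4:20], dict(parse_attributes(packet[20:]))
    presented = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    reply_code = ACCESS_ACCEPT if hmac.compare_digest(presented, expected_passcode) else ACCESS_REJECT
    reply_auth = response_authenticator(reply_code, identifier, request_auth, b"", secret)
    return struct.pack("!BBH", reply_code, identifier, 20) + reply_auth


def verify_response(packet, request_auth, secret):
    """Client side: return the reply code, or None if the Response Authenticator is wrong."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        return None
    expected = response_authenticator(code, identifier, request_auth, packet[20:], secret)
    return code if hmac.compare_digest(expected, packet[4:20]) else None


def simulate_exchange(username, passcode, expected_passcode, secret, server_secret=None):
    """Run one round trip; server_secret lets you simulate a mismatched shared secret."""
    request = build_access_request(7, username, passcode, secret)
    reply = serve_access_request(request, server_secret or secret, expected_passcode)
    return verify_response(reply, request[4:20], secret)


if __name__ == "__main__":
    secret = b"openid_secret"  # the shared secret from the AuthXRadiusAddServer line
    print(simulate_exchange(b"alice", b"483920", b"483920", secret))           # 2: Access-Accept
    print(simulate_exchange(b"alice", b"000000", b"483920", secret))           # 3: Access-Reject
    print(simulate_exchange(b"alice", b"483920", b"483920", secret, b"wrong"))  # None: reply not trusted
```

Note what the shared secret does and does not do: it hides the passcode in transit and lets the client detect a forged or tampered reply, but it is an MD5-based construction from 2000, not modern encryption, and anyone who learns it can recover every passcode sent under it. Keep it long and random, and keep the RADIUS traffic on a trusted network segment, which is what the private 192.168.x.x address in the article implies.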


Submitted by Matt (not registered) on Wed, 2011-09-21 11:32.
You could also mention https://www.shieldpass.com, which has a nice plugin for WordPress. Its security advantage is that it can enable transaction authentication, which prevents MITM attacks. Say, for example, the attacker has electronic access to your operating system or mobile: then it's game over through a MITM or MITB attack, and that would include other OTP tokens etc. Shieldpass is based on the passwindow authentication method.
Submitted by Mihir Patel (not registered) on Mon, 2009-09-14 18:10.

Hello,

Nowadays many people are using WordPress and they don't know about this kind of security. It's good to see you.

I think everyone should try to protect.

Thanks for sharing. It's very useful to me and, I am sure, to everyone.

Regards,
Mihir Patel
ask4itsolutions.com

Submitted by Kirk (not registered) on Fri, 2009-09-11 03:12.