Secure Your Wordpress Blog Administration With Two-Factor Authentication

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Submitted by nowen (Contact Author) (Forums) on Thu, 2009-09-10 12:01. :: Linux | Apache | Security

Secure Your Wordpress Blog Administration With Two-Factor Authentication

Wordpress is a very popular blogging service. It was recently hit by a disturbing vulnerability that allowed attackers to reset the Administrator's password. While there is a patch for that vulnerability now, wouldn't it be best to not use static passwords?

It is actually quite simple to add two-factor authentication to Wordpress.

First download and install the http authentication plugin for Wordpress. This plugin allows you to use your webserver for authentication, in our case Apache. We've already covered how to add two-factor authentication to Apache using radius.

Activate the plugin in Wordpress:

Be sure to add your WiKID username as an administrator in Wordpress. Obviously, you can add the Admin user to WiKID as well, but it might be better to have a separate account.

Now, restrict /wp-admin/ and wp-login.php in Apache:

<FilesMatch "wp-login\.php$"> 
   Satisfy all
   AuthType Basic
   AuthBasicProvider xradius
   AuthName "Please enter your username and WiKID one-time passcode."
   AuthXRadiusAddServer "192.168.1.171:1812" "openid_secret"
   AuthXRadiusTimeout 7
   AuthXRadiusRetries 2
  require valid-user
</FilesMatch>
<Location /wp-admin>
   Satisfy all
   AuthType Basic
   AuthBasicProvider xradius
   AuthName "Please enter your username and WiKID one-time passcode."
   AuthXRadiusAddServer "192.168.1.171:1812" "openid_secret"
   AuthXRadiusTimeout
   AuthXRadiusRetries 2
   require valid-user
</Location>

Now when you try to access the administration section of Wordpress, you will be prompted for your WiKID username and the one-time passcode.

You can protect the entire blog by making the location /wordpress/. You should also be able to use the WiKID Strong Authentiction Community Edition server and mod_auth_ldap instead of Radius.


Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
Submitted by Mihir Patel (not registered) on Mon, 2009-09-14 18:10.

Hello,

 Nowadays many peoples are using wordpress and they dont know about this kind of security. It's good to see you.

 I think every one should try to protect.

 Thanks for the sharing. It's very useful to me and i am sure to everyone.

 Regards,
Mihir Patel
ask4itsolutions.com

Submitted by Kirk (not registered) on Fri, 2009-09-11 03:12.
Sponsored Links: Unified Communications: Thoughts, Strategies and Predictions
Join the discussion.
www.seamlessenterprise.com

IP Convergence
Integrate your wireless and wireline networks.
Learn how from the experts at Sprint.
www.seamlessenterprise.com

Wireless & Wireline Integration
Thoughts, strategies and solutions: join the discussion
www.seamlessenterprise.com

Unified Communications 2009
Join the Discussion. Now.
www.seamlessenterprise.com

Red Hat Virtual Experience - a free virtual event. Dec. 9th