Renaming the wp-admin Folder

Those who enjoy hacking and cracking programs, especially web applications, and who know WordPress have probably wondered about the title above more than once. It matters a great deal for our site, for one reason or another. One of those reasons is to mislead other hackers so they don't tamper with the heart of a site we have built on WordPress. Without further ado, here are the procedures or steps to follow, which I gathered from here and there.

1. Using .htaccess

Copy and paste the .htaccess code below and save it in the root of your web host, or wherever you prefer; on Linux it is usually in ~/public_html or /var/www.

  • Replace YOURSECRETWORDHERE (MASUKKANKODERAHASIAANDADISINI in the block below) with a unique word that you make up yourself
  • Change ADMINFOLDER to any name you like; to make it harder to find, use a name built from letters, underscores and so on

RewriteEngine On
RewriteBase /
##### THE CODE ABOVE IS ALREADY PART OF THE DEFAULT WORDPRESS RULES.
##### Add the following code, which I got from Michi's  #####
RewriteCond %{REQUEST_URI} wp-admin/
RewriteCond %{QUERY_STRING} !MASUKKANKODERAHASIAANDADISINI
RewriteRule .*\.php - [F,L]
RewriteCond %{QUERY_STRING} !MASUKKANKODERAHASIAANDADISINI
RewriteRule ^ADMINFOLDER/(.*) wp-admin/$1?%{QUERY_STRING}&MASUKKANKODERAHASIAANDADISINI [L]
##### Michi's code is ABOVE #####
##### THE CODE BELOW IS ALSO PART OF THE DEFAULT WORDPRESS RULES
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

If you get an error, tweak the .htaccess above again.

But it’s on the right track. The .htaccess file can do a lot.

Well, it turns out some of the readers here really are good at hacking too, so just give your wp-admin a weird-looking name.


It is also worth reading this reference: digg.com/videos

Disable the wp-admin folder and create a shadow folder for it

There are two ways to disable this wp-admin folder. In the first step we leave the wp-admin folder itself active, because many files, especially the CSS, still point to it, and this is not easy. So once we have killed off the wp-admin folder, there are a few conditions that have to be set up.

RewriteCond %{REQUEST_URI} wp-admin/
RewriteCond %{QUERY_STRING} !MASUKKANKODERAHASIAANDADISINI
RewriteRule .*\.php - [F,L]

  1. The first line sets the condition "if the word wp-admin is found in the URL... then....."
  2. The second line requires, "And if the query is missing our password..."
  3. The third line adds the condition "And it's a PHP file... Deny access."

So with the code above, anyone browsing to the /wp-admin address will be told it does not exist, or will get a 404 code.

The next step is to prepare a shadow name, a replacement for wp-admin under a different name, for example by creating an admin folder! Let's just call that folder "secret_room". Here is the code:

RewriteCond %{QUERY_STRING} !MASUKKANKODERAHASIAANDADISINI
RewriteRule ^secret_room/(.*) wp-admin/$1?%{QUERY_STRING}&MASUKKANKODERAHASIAANDADISINI [L]

Phew, I'm tired of translating and typing all this. :) Read the rest yourself, or go straight to the sources here:

  1. WP-Support
  2. Michico

The first part basically makes sure the rule doesn’t trigger itself later (recursive condition). This is basically saying “if the URL starts with ‘secret_room,’ then replace that part with wp-admin. Then, add in the query string (things after the question mark). Finally, add in the secret word.”

Kalau mau login tentunya anda harus masuk ke folder yang sudah kita buat sebelumnya seperti secret_room/, ini akan berfungsi sebagaimana anda masuk ke wp-admin

Don’t use “secret_room.” That’s my example. You use whatever folder name you want. Letters, numbers, underscores, and dashes only.

But we’re not done yet. That secret word thing needs to be customized. Why? Well, try this. Go to your blog’s wp-admin folder, but this time, add on “?YOURSECRETWORDHERE” on the end and it will work too (as in, myblog.com/wp-admin/?YOURSECRETWORDHERE)! Curious why? If you’re a little geeky, read the next block. Otherwise, skip it.

Well, this hack works by changing the URL you type in by adding that “secret word” on the end of it. It only does this when someone visits the “secret_room” folder. But it doesn’t add it on when you just type in the wp-admin/ folder (or any other location). Then, when someone is looking at a wp-admin folder, it looks to see if that secret word is in the URL. If you went to the URL by hand, you likely did not type that word in. But the “secret_room” always makes sure the secret word is attached. This is how it distinguishes between visiting wp-admin directly, and visiting it through the mirror folder. Remember that any re-writing of the URL happens behind the scenes, so your browser won’t show you what’s going on.

Since I just gave this same code to about 10,000 people, it’s in your best interest to change your secret word to be unique to you. Note that nobody will ever see it, including you. You will forget what it is, and realistically, it doesn’t matter what the hell you set it to. As long as it’s not the default one I just gave to you. Ideally, it should be long and something highly unlikely to appear in a URL. Try your name, then maybe add your favorite color. I don’t know. Just do something random. Case matters.

Here is what the final .htaccess, ideally, should look like:

RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} wp-admin/
RewriteCond %{QUERY_STRING} !YOURSECRETWORDHERE
RewriteRule .*\.php - [F,L]
RewriteCond %{QUERY_STRING} !YOURSECRETWORDHERE
RewriteRule ^secret_room/(.*) wp-admin/$1?%{QUERY_STRING}&YOURSECRETWORDHERE [L]
# BEGIN WordPress
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
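To make the mechanism described above concrete, here is an added Python model of the final rule set (not the post's or Michi's code): it walks the three steps for one request, re-running the rule set after an [L] rewrite as Apache does in .htaccess context, and shows both the denial of a direct wp-admin/ PHP request (the [F] flag answers 403 Forbidden) and the hand-typed-secret bypass explained in the "geeky" block. SECRET and MIRROR stand in for the post's placeholders and are assumptions for the example.

```python
import re

# Added model of the final .htaccess above; SECRET and MIRROR are the post's
# placeholders and must be replaced with your own values on a real site.
SECRET = "YOURSECRETWORDHERE"
MIRROR = "secret_room"

def rewrite(path, query="", max_passes=10):
    """Run one request through the three steps of the rule set.

    Returns (status, uri, query): 403 when the [F] rule fires, otherwise 200
    with the URI and query string that would finally be served. In .htaccess
    context an [L] rewrite restarts the rule set on the new URI, so the loop
    re-runs the steps until nothing rewrites anymore. RewriteCond patterns are
    unanchored regexes, mirrored here with re.search: any query string that
    merely contains the secret word satisfies the condition.
    """
    uri = path.lstrip("/")
    for _ in range(max_passes):
        # Step 1: wp-admin/ in the URI, secret missing, PHP file -> deny ([F,L])
        if (re.search(r"wp-admin/", uri)
                and not re.search(SECRET, query)
                and re.search(r".*\.php", uri)):
            return (403, uri, query)
        # Step 2: mirror folder without the secret -> rewrite to wp-admin/ and
        # append the secret, so step 1 is satisfied on the next pass.
        m = re.match(rf"^{MIRROR}/(.*)", uri)
        if m and not re.search(SECRET, query):
            uri, query = "wp-admin/" + m.group(1), f"{query}&{SECRET}"
            continue
        return (200, uri, query)  # nothing rewrote: serve as-is

    raise RuntimeError("rewrite loop exceeded max_passes")

def classify(requests):
    """Map each (path, query) pair to the status the rule set produces."""
    return {f"{p}?{q}" if q else p: rewrite(p, q)[0] for p, q in requests}

if __name__ == "__main__":
    # Constructed sample requests: direct hit, mirror folder, a static asset
    # (not blocked, since only .php is matched) and the hand-typed bypass.
    for req, status in classify([
        ("/wp-admin/index.php", ""),
        ("/secret_room/index.php", ""),
        ("/wp-admin/css/login.css", ""),
        ("/wp-admin/index.php", "YOURSECRETWORDHERE"),
    ]).items():
        print(f"{status}  {req}")
```

The last sample request is exactly why the post tells you to change the secret word: anyone who knows the default can append it by hand and skip the block entirely.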

Benefits and Drawbacks to Hiding wp-admin

This hack has its drawbacks.

  • The “edit” link on your posts will no longer work. You may want to remove it from your theme.
  • The admin link on your side bar will no longer work. You may want to remove it from your theme.
  • The standard login link will no longer work. Instead, use a bookmark as it will redirect you back to your hidden login page after you finish logging in.

Note that the first two drawbacks can be addressed by editing wp-includes/link-template.php, lines 248 and 263. Change "wp-admin" to your new folder name. However, this hack would need to be re-done if you upgrade WordPress. If you make these hacks, it will only be visible to users who have permission to see these links anyway.

There are a few significant upsides:

  • If ever again there is another vulnerability that hits the WordPress wp-admin folder, you are very likely immune.
  • Upgrading WordPress doesn’t un-hide the folder. It will persist through upgrades.

Remember, this hack will not protect you from having an insecure admin password. Although, it could protect you from a hacker since he won’t know where to go after successfully logging in (hah!).

Lastly, be careful when doing this. If you type something wrong, you’ll get server errors (I believe error code 500). Make sure you type it in exactly as you see it in these examples first. Then change one part at a time.

Changing the Admin User

One other point I noticed when tightening up my security was the default admin user name. Now, hah, this is assuming they actually brute force my password and then figure out how to get to the admin folder… good luck.

I noticed that I had an admin user account under the login name “admin”. Well, that’s a no-brainer. I went into the database and ran the following query:

UPDATE wpt_users SET user_login = '[my new username]', user_nicename = '[my new username]' WHERE wpt_users.ID = 1 LIMIT 1;

That solves another part of the problem. Now hackers have to guess not only my password, but also my username.

In Closing…
