
Say I have a website running a popular CMS like WordPress only over SSL through HTTP Strict Transport Security. Prior, the backend administrator login page could be accessed by anybody simply by adding /wp-admin to the URL, but using a mix of mod_rewrite and a plugin, it is now obfuscated and stops brute force attacks.

Now, what if HTTP Digest Authentication was added to the picture? An attacker that somehow found the login page would be faced with another obstacle they'd need to overcome. Does this provide any improvement on security or is it just pointless?

Python Novice
    You mean using HTTP Digest Authentication prior to the WordPress authentication? There are certainly easier ways to get into WordPress than via the login page: third party plugins and other customizations. – Gumbo May 07 '14 at 19:41
  • Yes. Once the attacker hits the login page, they must pass HTTP Digest Auth. If they can't, they will be redirected to the home page. If somehow they manage, then they'll get access to the login page. Assume that there are no vulnerable plugins. WordPress was just an example to illustrate the scenario. – Python Novice May 07 '14 at 19:46

2 Answers


Yes, this adds some defense in depth, assuming the digest auth (or even Basic auth) is done by the webserver. This would require requests to be authenticated before even hitting your application, meaning an attacker would be unable to exploit any vulnerabilities that might exist in the admin login.

That being said, is the security margin added by this sufficient to warrant the inconvenience to legitimate users? Depends on your threat model & comfort in the security of your application.

David
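As an added example (not from the question or either answer), here is the server-side check behind "digest auth done by the webserver": the server never sees the password, only a response hash bound to its own nonce, the method and the URI. The realm, user, password and nonce below are constructed for the demo; the HA1 value computed here is the same thing Apache's htdigest stores.

```python
import hashlib
import hmac
import re
import secrets

REALM = "wp-admin"  # constructed realm name for the demo


def ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password); this is what the server stores (htdigest format)."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


# Constructed credential store: only HA1 is kept, never the plaintext password.
USERS = {"editor": ha1("editor", REALM, "correct horse battery staple")}


def parse_digest_header(header: str) -> dict:
    """Parse an RFC 2617 'Digest k="v", k=v, ...' Authorization header into a dict."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest response")
    return {k: (q or u) for k, q, u in re.findall(r'(\w+)=(?:"([^"]*)"|([^,]+))', params)}


def verify_digest(header: str, method: str, server_nonce: str) -> bool:
    """Recompute the expected qop=auth response and compare it in constant time."""
    try:
        p = parse_digest_header(header)
    except ValueError:
        return False
    # Reject replays against a different nonce/realm before doing any hashing.
    if p.get("realm") != REALM or p.get("nonce") != server_nonce or p.get("qop") != "auth":
        return False
    stored_ha1 = USERS.get(p.get("username", ""))
    if stored_ha1 is None:
        return False
    ha2 = hashlib.md5(f"{method}:{p.get('uri', '')}".encode()).hexdigest()
    expected = hashlib.md5(
        f"{stored_ha1}:{server_nonce}:{p.get('nc', '')}:{p.get('cnonce', '')}:auth:{ha2}".encode()
    ).hexdigest()
    return hmac.compare_digest(expected, p.get("response", ""))


def client_response(user, password, method, uri, nonce, nc="00000001", cnonce=None):
    """What a browser sends after the 401 challenge; the password itself never leaves the client."""
    cnonce = cnonce or secrets.token_hex(8)
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    resp = hashlib.md5(f"{ha1(user, REALM, password)}:{nonce}:{nc}:{cnonce}:auth:{ha2}".encode()).hexdigest()
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')
```

Because the method and URI are hashed into HA2 and the server's nonce into the response, a captured header cannot be reused for a different request or after the nonce changes, which is why the check can sit in front of the application without trusting it.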

Security is increased through the use of multiple layers and techniques. You would be able to slow down the attacker, but as noted in the comments to your question there are still plenty of ways to attack a WordPress site - there is not a high degree of separation between components, databases, etc. in a vanilla install. Ensure the digest auth is also protected by TLS/HTTPS encryption.

Your root goal is to prevent unauthorized access to a certain part of the site. Instead of putting up a block, you can instead whitelist IPs that you allow to access the site and its sub-directories. This effectively makes the admin parts inaccessible. I often do something like this in "admin folders" in my .htaccess:

# Apache 2.2 mod_authz_host syntax: deny everyone, then allow only the listed address
ErrorDocument 403 http://www.your-ip-is-not-allowed-to-access-this-section.com
Order deny,allow
Deny from all
# XX.XX.XX.XX stands for the administrator's own static IP address
Allow from XX.XX.XX.XX
Eric G