
Given an administrative area with URLs like this:

wp-admin/
wp-admin/whatever
wp-admin/another-page
wp-adminsecretlogin

Standard basic-auth coverage would present a username and password prompt on all three URLs and return a 403 on all failed auth attempts. This is a pretty obvious signal that something exists there, and thus an invitation to scripted/brute-force access.

I would like instead to require basic auth everywhere, but when not authenticated, not prompt for a username and password, and instead return a 404 Not Found for all URLs except a wp-adminsecretlogin/ URL. At that site-specific URL, basic auth could go through and unlock the rest of the administrative functionality (though the standard application login would still be necessary).

How would I do that via Apache .htaccess or .conf directives?

Kzqai
  • ..are you sure? Implementing that would be incredibly hacky and fragile, for a pretty debatable/marginal security gain. – Shane Madden Aug 20 '14 at 21:26
  • There are two advantages that I can see to not providing the basic auth username & password prompt on every admin URL: 1: brute forcing of the basic auth cannot be done until the `wp-adminsecretlogin/` URL is accessed, and since that URL will be a custom one for the site/blog network, that would require prior knowledge of the login URL and would generally require tailoring the attack to the unique site/blog network. 2: Returning 404 will mask the standard signals to bots that a WordPress admin section is present, to discourage the frequent brute-force scripting attempts that tend to occur. – Kzqai Aug 20 '14 at 21:37

2 Answers


Assuming you've already set up something to require authentication on all of the target URLs (both wp-admin and the secret URL), put this in your virtual host block:

RewriteEngine On
# LA-U: look-ahead sub-request through the auth phase; REMOTE_USER stays empty when no valid credentials were sent
RewriteCond %{LA-U:REMOTE_USER} ^$
RewriteRule wp-admin/ - [R=404]

I haven't tested, so I'm not entirely sure if it'll successfully short-circuit the 401 response that the authentication phase would normally send back, but it's worth a shot.

Shane Madden
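For the part the answer above leaves as an assumption ("something to require the authentication on all of the target URLs"), here is an added example of a complete Apache 2.4 VirtualHost fragment that combines the auth requirement with the look-ahead rewrite. This is editor-added illustration, not configuration posted by anyone in the thread; the realm name, the AuthUserFile path and the /wp-adminsecretlogin path are placeholders you would replace with your own.

```apache
# Added example, not from the original question or answers.
# Lives inside <VirtualHost> (or the main server config), NOT in .htaccess:
# in per-directory context mod_rewrite runs after authentication, so the
# 401 would already have been sent before the rule below could fire.

# 1. Both the real admin area and the per-site secret path require Basic auth.
#    "^/wp-admin" is a prefix match, so it covers /wp-admin, /wp-admin/...,
#    /wp-adminsecretlogin and /wp-adminsecretlogin/ in one block.
<LocationMatch "^/wp-admin">
    AuthType Basic
    AuthName "Restricted"                         # placeholder realm
    AuthUserFile /etc/apache2/wp-admin.htpasswd   # placeholder path
    Require valid-user
</LocationMatch>

# 2. Hide the real admin area from anyone not already carrying valid credentials.
RewriteEngine On
# LA-U runs the authentication phase in a look-ahead sub-request; REMOTE_USER is
# empty when the request has no Authorization header or the credentials are wrong.
RewriteCond %{LA-U:REMOTE_USER} ^$
# Matches /wp-admin and /wp-admin/anything, but not /wp-adminsecretlogin, which
# therefore falls through to the normal 401 challenge and is where you log in.
RewriteRule ^/wp-admin(/|$) - [R=404,L]
```

Checks worth running from a shell once this is loaded: `curl -sI http://your.site/wp-admin/` should return 404 with no WWW-Authenticate header; `curl -sI http://your.site/wp-adminsecretlogin` should return the ordinary 401 challenge; `curl -sI -u user:pass http://your.site/wp-admin/` with a valid account should get past the rewrite. Keep in mind that curl -u sends the Authorization header preemptively on its first request, which is not what a browser does for a path it has never been challenged on, so a passing curl run does not exercise the browser-side caveat raised in the other answer. The look-ahead also costs one internal sub-request per matching request, which is acceptable for an admin area but is something to be aware of.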

A basic auth config would respond with 401 if the user/pass is incorrect. 403 (in an authentication context) is reserved for authenticated users with no permission to access (i.e. you have two users in the AuthUserFile but also a Require user1, and try to access as user2 with the correct password).

403 is also presented when trying to list a directory directly without a properly configured autoindex/DirectoryIndex, with deny from directives, with forbidding rules in mod_rewrite or mod_security, etc., so it usually doesn't indicate much.

Asking for basic auth on Location /wp-adminsecretlogin and having a RewriteRule like the one Shane provided could work ([R] only accepts 30x error codes, so it may not return a 404 correctly to the browser, but a 301), but it depends heavily on your browser and how you browse your site:

As the web server would require authentication only on a certain path, the browser might not present the basic auth header on requests that did not get a 401 response previously. So if the very first request from your browser is to /wp-adminsecretlogin, it could work (the browser assumes everything would ask for basic auth), but if you previously tried to access / or /wp-admin (no 401 response back to the browser), the browser could "think" those other contexts are public and not present the basic auth header, so the RewriteRule would "deny" the access.

NuTTyX