How to protect your wp-admin folder when you have a dynamic IP address
Oct 5
If you have a self-hosted WordPress blog, I hope that you are thinking about security. The best thing you can do is to use the automatic updates so you always have the current version of WordPress.
One of the most damaging things an attacker can do to your blog is gain access to your wp-admin folder. This folder contains the back-end PHP pages of your site, where you control everything and write your posts.
Via your web host’s control panel you might be able to password-protect this directory, although that could still be brute-forced. An alternative method, which is well documented (see the reference links below), is to create a “.htaccess” file in your wp-admin directory that limits access to a specific set of IP addresses, e.g. your home IP address and your work IP address. See the references below for links on how to write this.
This method is perfect for locking down and restricting who can access your admin pages without having to go through any sort of manual authentication. I held off doing this for a long time because my ISP assigns dynamic IP addresses and my Netgear router needs frequent reboots, so my IP address changes a lot and I’d keep getting locked out of my own blog!
To get around this, I came up with a script that keeps my wp-admin’s .htaccess file automatically updated. You could even use this if you took your laptop away from home and connected on another network, as your laptop will have your SSH keys installed. Try to stick to using a secure VPN though, just on principle.
Sorry, it’s a bash script, so if you use Windows you’ll be stuck unless you install the cygwin environment and PuTTY. If you use a Mac, I’m sure you can switch on the bash shell.
Without further ado, here’s the script:
Note: make sure you have cURL installed first.
#! /bin/bash
# Auto-update .htaccess in http://your-blog/wp-admin/
# Run this from cron on a short interval.
# This will grab your IP address, and then rewrite the
# .htaccess file and use scp to upload to your server.
#
# David.R.Gilson 3rd October 2009
# http://www.davidgilson.co.uk
# I distribute this under the Creative Commons Attribution-ShareAlike license.
# http://creativecommons.org/licenses/by-sa/3.0/
cd ~ || exit 1
# Grab your external IP address. checkip.dyndns.org replies with
# "Current IP Address: x.x.x.x" wrapped in HTML, so strip everything else.
ip="$(curl -s checkip.dyndns.org | sed -e 's/.*Current IP Address: //' -e 's/<.*$//')"
# Only continue if the lookup gave back digits and dots; an empty or
# garbled value would be written into .htaccess and lock you out.
case "$ip" in
    ""|*[!0-9.]*) echo "Could not determine external IP address, .htaccess not updated" >&2; exit 1 ;;
esac
# Write the file.
echo "AuthUserFile /dev/null" > htacc.txt
echo "AuthGroupFile /dev/null" >> htacc.txt
echo -e "AuthName \042Limit wp-admin access\042" >> htacc.txt
echo "AuthType Basic" >> htacc.txt
# No <Limit GET> wrapper: the deny/allow rules must apply to every HTTP
# method, otherwise POST requests to wp-admin would not be restricted at all.
echo "order deny,allow" >> htacc.txt
echo "deny from all" >> htacc.txt
echo "# Whitelist home router" >> htacc.txt
echo "allow from $ip" >> htacc.txt
# Copy to server
scp htacc.txt "[YOUR SSH LOGIN HERE]:~/www/wp-admin/.htaccess"
# Clean up
rm htacc.txt
Once you’ve pasted all that into a file (I named mine htaccessupdate.sh), remember to make it executable by typing chmod +x htaccessupdate.sh.
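As an added example (not the original script above), here is how to build the same .htaccess from a fixed allow-list, such as your work address, plus the dynamic address parsed from a checkip-style reply, while refusing to write anything if the lookup fails or returns junk. The reply text and the 198.51.100.20 / 203.0.113.7 addresses are constructed sample data.

```shell
#!/bin/bash
# Added example, not the original script: build the wp-admin .htaccess from a
# fixed allow-list (e.g. work) plus the currently detected dynamic address,
# and refuse to produce a file that would lock everyone out or contain junk.
# Strict dotted-quad check: exactly four numeric fields, each 0-255.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}
# Pull the address out of a checkip-style reply such as
# "<html><body>Current IP Address: 203.0.113.7</body></html>".
# Prints it and returns 0; prints nothing and returns 1 on an
# error page, an empty reply, or anything that is not a valid IPv4 address.
extract_ipv4() {
    candidate=$(printf '%s' "$1" | sed -n 's/.*Current IP Address: \([0-9.]*\).*/\1/p')
    valid_ipv4 "$candidate" || return 1
    printf '%s\n' "$candidate"
}
# Emit Apache 2.2-style access rules for every address given.
# Returns 1 (and prints nothing) if any address is invalid or the list is
# empty, so a failed lookup never results in a broken or all-deny file.
render_htaccess() {
    [ "$#" -gt 0 ] || return 1
    for ip in "$@"; do
        valid_ipv4 "$ip" || return 1
    done
    printf 'order deny,allow\ndeny from all\n'
    for ip in "$@"; do
        printf 'allow from %s\n' "$ip"
    done
}
# Constructed sample data (RFC 5737 documentation addresses); a real run
# would replace SAMPLE_REPLY with "$(curl -s checkip.dyndns.org)".
WORK_IP="198.51.100.20"
SAMPLE_REPLY='<html><body>Current IP Address: 203.0.113.7</body></html>'
if dynamic_ip=$(extract_ipv4 "$SAMPLE_REPLY"); then
    render_htaccess "$WORK_IP" "$dynamic_ip"
else
    echo "IP lookup failed; leaving the existing .htaccess untouched" >&2
fi
```

On Apache 2.4 the order/deny/allow lines are replaced by `Require ip` directives, but the validation logic is the same.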
References
- script to get the external IP address
- adding strings in bash
- BASH escape characters
- Protecting the WordPress wp-admin folder
- Three tips to protect your WordPress installation
- Protect WordPress From Hackers Safe wp-admin folder
- cURL
- PuTTY
- Cygwin