0

Given a administrative area with urls like this:

wp-admin/ wp-admin/whatever wp-admin/another-page wp-adminsecretlogin

A standard basic-auth coverage would provide a username and password prompt on all three urls, and return a 403 on all failed auth attempts. This is a pretty obvious signal that something exists there, and thus is an invitation to script/brute force access.

I would like to instead, require basic auth everywhere, but when not authenticated, not prompt for username and password, and instead return a 404 not found error for all urls except a wp-adminsecretlogin/ url. At that individual-to-the-site url, basic auth could go through, and unlock the rest of the administrative functionality (though the standard application login would still be necessary).

How would I do that via apache .htaccess or .conf directives?

Improve this question
2
  • ..are you sure? Implementation on that would be incredibly hacky and fragile, for a pretty debatable/marginal security gain. Commented Aug 20, 2014 at 21:26
  • There are two advantages that I can see to not providing the basic auth password & username on every admin url: 1: brute forcing of the basic auth cannot be done until the wp-adminsecretlogin/ url is accessed, and since that url will be a custom one for the site/blog network, that would require prior knowledge of the login url and would generally require tailoring the attack to the unique site/blog network. 2: Returning 404 will mask the standards signals to bots that a wordpress admin section is present, to discourage the frequent brute force scripting attempts that tend to occur. Commented Aug 20, 2014 at 21:37

2 Answers 2

Reset to default
1

Assuming you've already set up something to require the authentication on all of the target URLs (both wp-admin and the secret URL), put this in your virtual host block:

RewriteCond %{LA-U:REMOTE_USER} ^$ RewriteRule wp-admin/ - [R=404]

I haven't tested so I'm not entirely sure if it'll successfully short-circuit the 401 response that the authentication phase would normally send back, but it's worth a shot.

Improve this answer
0

A basic auth config would respond with 401 if user/pass is incorrect. 403 (in authentication context) is reserved to authenticated users with no permissions to access (i.e. you have got two users on the AuthUserFile but also a Require user1 and try to access with user2 with correct password)

403 is also presented when trying to list a directory directly without properly configured autoindex/directoryindex, deny from directives, forbiding rules by mod_rewrite or mod_security, etc. so it usually indicates not much.

Asking for basic auth on Location /wp-adminsecretlogin and having a RewriteRule like the one Shane provided could work ([R] only accepts 30x error codes, so it may not return a 404 correctly to the browser, but a 301), but it depends heavily on your browser and how you browse your web:

As the web server would require authentication only on a certain path, the browser could not present the basic auth header on requests that did not fire a 401 response previously, so if the very first request from your browser is to /adminsecretlogin, it could work (the browser assumes everything would ask for basic auth), but if you previously tried to access / or /wp-admin (no 401 response back to the browser), the browser could "think" those other contexts are public and not present the basic auth header, so the rewriterule would "deny" the access.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.