Some time ago I noticed that someone was trying to break into my WordPress site by logging in to its backend. A bot or an attacker was working through a list of passwords. I decided to protect the backend by requiring an additional layer of authentication. In nginx we can set this up with:
```nginx
# Everything under /wp-admin and the login script itself requires HTTP Basic auth
# before nginx forwards the request to the upstream WordPress servers.
# Note that this also covers /wp-admin/admin-ajax.php, which some themes and
# plugins call from the public front end without credentials.
location ~ ^/(wp-admin|wp-login\.php) {
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;

    proxy_pass http://upstream-webservers;
    proxy_redirect https://upstream-webservers http://upstream-webservers;
    expires off;
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
```
We still need to create the user that will be allowed through and save it to the file (/etc/nginx/.htpasswd) referenced in the nginx configuration. Replace “my_user_name” with the login of the user we will authenticate as:
```shell
# echo -n 'my_user_name:' >> /etc/nginx/.htpasswd
```
The password hash is then generated by openssl and appended to the same line:
```shell
# openssl passwd -apr1 >> /etc/nginx/.htpasswd
```
openssl will prompt you to choose a password and enter it twice:
As a result, we get a file containing the username and the password hash:
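The contents of the resulting file are not reproduced above, so here is an added example (not code from the original post) that parses htpasswd text and reports the hash scheme of every entry. The sample file contents are constructed: the `$apr1$` lines have the shape that `openssl passwd -apr1` produces (a salt of up to eight characters and a 22-character hash), and the remaining entries show the weaker forms an audit should flag. The username list in `DEFAULT_NAMES` is my own assumption about what counts as a guessable login.

```python
import re
from dataclasses import dataclass, field

# Constructed sample .htpasswd contents (example data, not from the original post).
# Format: one "user:hash" per line; "#" lines and blank lines are ignored.
SAMPLE_HTPASSWD = """\
my_user_name:$apr1$abcdefgh$0123456789abcdefghijkl
admin:$apr1$saltsalt$ABCDEFGHIJKLMNOPQRSTUV
legacy:xyAbCdEfGhIjK
plain:secret123
my_user_name:$apr1$zzzzzzzz$zzzzzzzzzzzzzzzzzzzzzz
# comment lines and blank lines are ignored

"""

# "$apr1$" + salt (1-8 chars) + "$" + 22 hash chars, all from [./0-9A-Za-z]
APR1_RE = re.compile(r"^\$apr1\$([./0-9A-Za-z]{1,8})\$([./0-9A-Za-z]{22})$")
# classic 13-character DES crypt() output (2-char salt + 11-char hash)
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# assumed list of logins an attacker would try first
DEFAULT_NAMES = {"admin", "administrator", "root", "wordpress", "wp-admin", "test"}


@dataclass
class Finding:
    line_no: int
    user: str
    scheme: str
    issues: list = field(default_factory=list)


def classify(hash_field: str) -> str:
    """Name the hash scheme from its prefix/shape; 'plain' means no hashing at all."""
    if APR1_RE.match(hash_field):
        return "apr1"
    if hash_field.startswith("$apr1$"):
        return "apr1-malformed"
    if hash_field.startswith(("$1$", "$5$", "$6$")):
        return "crypt"          # MD5/SHA-256/SHA-512 crypt()
    if hash_field.startswith(("{SHA}", "{SSHA}")):
        return hash_field.split("}")[0][1:].lower()
    if DES_CRYPT_RE.match(hash_field):
        return "des-crypt"
    return "plain"


def audit_htpasswd(text: str) -> list:
    """Parse htpasswd text and return one Finding per entry, with any issues found."""
    findings, seen = [], set()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            findings.append(Finding(line_no, "", "invalid", ["no ':' separator"]))
            continue
        user, hash_field = line.split(":", 1)
        scheme = classify(hash_field)
        issues = []
        if scheme in ("plain", "des-crypt", "apr1-malformed"):
            issues.append(f"weak or unusable credential scheme: {scheme}")
        if user.lower() in DEFAULT_NAMES:
            issues.append("default/guessable username")
        if user in seen:
            issues.append("duplicate username")
        seen.add(user)
        findings.append(Finding(line_no, user, scheme, issues))
    return findings


if __name__ == "__main__":
    for f in audit_htpasswd(SAMPLE_HTPASSWD):
        status = "; ".join(f.issues) or "ok"
        print(f"line {f.line_no}: {f.user or '<none>'} [{f.scheme}] {status}")
```

Point the script at the real file (`audit_htpasswd(open("/etc/nginx/.htpasswd").read())`) after each change; a `plain` or `des-crypt` entry means the `openssl passwd -apr1` step was skipped or its output did not land on the same line as the username.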
Before reloading nginx, we verify the configuration:
```shell
# service nginx configtest
```
If everything is set correctly, we should receive the following message:
Now we can restart the nginx service:
```shell
# service nginx restart
```
The final check is to open the backend (e.g. www.example-page-wordpress.pl/wp-admin/); we should now be asked for the login and password created above:
This is a simple trick to protect your WordPress from bot attacks. Remember, however, not to share the password with anyone; default usernames and simple passwords are asking for trouble.
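Once the extra login is in place, the password-guessing attempts described at the top of the post show up in the nginx access log as 401 responses on the protected paths. The following added example (my own code, not part of the original post) parses lines in nginx's default combined log format and lists client addresses that exceed a threshold of 401s on `/wp-admin` or `/wp-login.php`, together with the usernames they presented in the Basic auth header. The log lines are constructed and use documentation IP ranges; the threshold of five is an assumption.

```python
import re
from collections import Counter, defaultdict

# nginx "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def _log(ip, user, method, path, status, ua="Mozilla/5.0"):
    """Build one constructed combined-format line (sample data only)."""
    return (f'{ip} - {user} [10/Oct/2023:13:55:36 +0000] '
            f'"{method} {path} HTTP/1.1" {status} 188 "-" "{ua}"')


# Constructed sample log: a normal visitor, the legitimate admin (one 401 from the
# initial prompt, then success), and one client hammering the login script.
SAMPLE_LOG = [
    _log("192.0.2.5", "-", "GET", "/index.php", 200),
    _log("198.51.100.23", "-", "GET", "/wp-admin/", 401),
    _log("198.51.100.23", "my_user_name", "GET", "/wp-admin/", 302),
    *[_log("203.0.113.7", u, "POST", "/wp-login.php", 401, "python-requests/2.31")
      for u in ("admin", "admin", "administrator", "wordpress", "root", "-")],
]


def parse_line(line: str):
    """Return the parsed fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def bruteforce_candidates(lines, threshold=5, paths=("/wp-login.php", "/wp-admin")):
    """Map client IP -> stats for clients with >= threshold 401s on the protected paths."""
    failed = Counter()
    users = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if not path.startswith(paths):
            continue
        if rec["status"] == "401":
            failed[rec["ip"]] += 1
            # $remote_user carries the username from the Authorization header, "-" if none
            if rec["user"] != "-":
                users[rec["ip"]].add(rec["user"])
    return {
        ip: {"failed_401": n, "usernames_tried": sorted(users[ip])}
        for ip, n in failed.items()
        if n >= threshold
    }


if __name__ == "__main__":
    for ip, stats in bruteforce_candidates(SAMPLE_LOG).items():
        print(f"{ip}: {stats['failed_401']} failed logins, tried {stats['usernames_tried']}")
```

Feeding the real file is a matter of `bruteforce_candidates(open("/var/log/nginx/access.log"))`; the output is the list of addresses worth rate-limiting or blocking, and the usernames column shows whether the guesses are aimed at the default logins the closing paragraph warns about.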