Penetration testing - It is recommended that access to this portal is prevented via the Internet


We have done some penetration testing on a wordpress site and one of the issues that has been returned is:

An administration portal is accessible via the Internet

  • It is recommended that access to this portal is prevented via the Internet

As the site is a web-based CMS, is this even possible to fix? This is not my area of expertise and I'm struggling to find a way to fix this.

Can anyone help?

Thanks

2

There are 2 answers

0
Helping Hands On

As far as I know, you cannot restrict it in the way you want. But you can allow admin access to specific users by IP address. For example, if you want no one other than you to access your wp-admin, you can achieve this by specifying your IP in .htaccess.

0
markratledge On

It is recommended that access to this portal is prevented via the Internet

That's too vague of a point, and that's the fault of the people doing the pentest and the pentest software.

But start with http://codex.wordpress.org/Brute_Force_Attacks and http://codex.wordpress.org/Hardening_WordPress

In order to restrict access to the admin area by whitelisting IPs 12.345.67.891 and 23.456.78.99 for admin access, in the .htaccess in wp-admin add:

# Apache rejects a mix of prefixed (+/-) and unprefixed Options, so drop "All"
Options -Indexes

# Apache 2.2 (mod_access_compat) syntax: deny everyone, then allow the listed addresses
order deny,allow
deny from all
allow from 12.345.67.891
allow from 23.456.78.99

In the root .htaccess

<Files wp-login.php>
# same deny-then-allow pattern, applied only to the login script
order deny,allow
deny from all
allow from 12.345.67.891
allow from 23.456.78.99
</Files>

If you calculate the range, you can also use a CIDR block, e.g. 12.345.67.0/24

You can also obscure the fact that you are using WordPress (not an ideal solution), be sure your hosting situation is secure, and try other best practice suggestions at those links to the Codex.

And see https://wordpress.stackexchange.com/questions/tagged/security
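As an added example, not code from either answer or from WordPress or Apache, the Python script below models the allow-list logic of the .htaccess rules above. It validates the allow entries with the standard ipaddress module, works out a CIDR block from a first/last address for the "calculate the range" step, decides whether a client may reach wp-admin or wp-login.php the way "order deny,allow / deny from all / allow from ..." does, and runs that decision over a few constructed access-log lines to list the requests the rule would have blocked. The addresses, the log lines and the admin-ajax.php exemption are my assumptions. One caveat the validator makes visible: the answer's example addresses 12.345.67.891 and 23.456.78.99 are placeholders whose octets exceed 255, so they must be replaced with real addresses before the rules are used.

```python
"""Model of an IP allow list for wp-admin / wp-login.php (added example).

Everything here is constructed for illustration: the addresses come from the
documentation ranges (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24) and the
log lines are made up. Nothing is taken from a real site.
"""
import ipaddress
import re

# Hypothetical allow list in the shape of the .htaccess rules: single hosts and
# a CIDR range. These are the entries you would put after "allow from".
ALLOW_LIST = ["203.0.113.10", "198.51.100.0/24"]

# Paths the .htaccess rules protect, plus one exemption: wp-admin/admin-ajax.php
# is requested by the public front end, so an allow list covering all of
# wp-admin has to let it through (an assumption about this deployment).
PROTECTED_PREFIXES = ("/wp-admin/",)
PROTECTED_FILES = ("/wp-admin", "/wp-login.php")
EXEMPT_PATHS = ("/wp-admin/admin-ajax.php",)

# Apache common/combined log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def invalid_entries(entries):
    """Return the entries that are not valid IPv4/IPv6 hosts or networks.

    The answer's placeholders 12.345.67.891 and 23.456.78.99 have octets above
    255, so they come back here and must be replaced with real addresses.
    """
    bad = []
    for entry in entries:
        try:
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            bad.append(entry)
    return bad


def parse_allow_list(entries):
    """Turn validated entries into network objects (a single host becomes a /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def summarize_range(first, last):
    """CIDR blocks covering first..last inclusive, for the 'calculate the range' step."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)
    )
    return [str(n) for n in nets]


def is_protected(path):
    """True for the admin directory and the login script; query strings are ignored."""
    clean = path.split("?", 1)[0]
    if clean in EXEMPT_PATHS:
        return False
    return clean in PROTECTED_FILES or clean.startswith(PROTECTED_PREFIXES)


def is_allowed(client_ip, networks):
    """Mirror 'order deny,allow / deny from all / allow from ...': the client
    gets in only when it matches at least one allow entry."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def audit_log(lines, networks):
    """(ip, path) for every protected request from outside the allow list.

    Run over the access log from before the rules go live, this lists the
    requests the pentest finding is about; run afterwards, each such hit
    should carry a 403 rather than a 200.
    """
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not an access-log line; skip rather than guess
        ip, path = match.group("ip"), match.group("path")
        if is_protected(path) and not is_allowed(ip, networks):
            hits.append((ip, path))
    return hits


# Constructed sample log: two admin requests from outside the allow list, one of
# them to the exempted admin-ajax.php endpoint, plus allowed and public traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-admin/ HTTP/1.1" 200 5123',
    '192.0.2.5 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2048',
    '192.0.2.5 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 120',
    '198.51.100.77 - - [10/Oct/2023:13:57:10 +0000] "GET /wp-admin/users.php?page=1 HTTP/1.1" 200 4000',
    '192.0.2.9 - - [10/Oct/2023:13:58:00 +0000] "GET /index.php HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    print("invalid placeholders:", invalid_entries(["12.345.67.891", "23.456.78.99"]))
    print("range as CIDR:", summarize_range("198.51.100.0", "198.51.100.255"))
    nets = parse_allow_list(ALLOW_LIST)
    for ip, path in audit_log(SAMPLE_LOG, nets):
        print(f"would be blocked: {ip} -> {path}")
```

The admin-ajax.php exemption is the point to check before deploying a deny-everything rule on wp-admin: front-end themes and plugins commonly post to that file for anonymous visitors, so in Apache it needs its own Files block that allows everyone, or those visitors start seeing 403s. Running the audit over a day of real logs before the rules go live also shows whether any of your own addresses (office, VPN, monitoring) are missing from the allow list.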