Penetration testing - It is recommended that access to this portal is prevented via the Internet

257 views Asked by At

We have done some penetration testing on a wordpress site and one of the issues that has been returned is:

An administration portal is accessible via the Internet

  • It is recommended that access to this portal is prevented via the Internet

As the site is a web based cms is this even possible to fix? This is not my area of expertise and i'm struggling to find a way to fix this.

Can anyone help?

Thanks

2

There are 2 answers

0
Helping Hands On

As far as I know , you can not restrict in way which you want. But you can do like allow admin access to specific user by IP address. Like if you want that no one should access your wp admin other than you then you can achieve this by specified your ip in .htaccess.

0
markratledge On

It is recommended that access to this portal is prevented via the Internet

That's too vague of a point, and that's the fault of the people doing the pentest and the pentest software.

But start with http://codex.wordpress.org/Brute_Force_Attacks and http://codex.wordpress.org/Hardening_WordPress

In order to restrict access to the admin area by whitelisting IPs 12.345.67.891 and 23.456.78.99 for admin access, in the .htaccess in wp-admin add:

Options All -Indexes

order deny,allow
deny from all
allow from 12.345.67.891
allow from 23.456.78.99
deny from all

In the root .htaccess

<Files wp-login.php>
order deny,allow
deny from all
allow from 12.345.67.891
allow from 23.456.78.99
deny from all
</Files>

If you calculate the range, you can also use, i.e. 12.345.67.0/24

You can also obscure the fact that you are using WordPress (not an ideal solution), be sure your hosting situation is secure, and try other best practice suggestions at those links to the Codex.

And see https://wordpress.stackexchange.com/questions/tagged/security