Johnvh.com - home of Dallas, Texas based Flash Developer and web enthusiast John Van Horn


Use digest authentication

Several articles on WordPress security (just search for them) say that you should password protect the wp-admin directory. You can do this easily with Apache's authentication directives, which let you require, per directory, a valid user name and password from a client before any content is served. Out of the box there are two prevalent types of authentication: basic authentication and digest authentication.

All the security articles I've read recommend setting up basic authentication. I understand that the point is to have password protected access, but basic authentication is not secure. When your browser is challenged with the basic authorization scheme, the user name and password you enter are merely base64 encoded in the request header. If someone intercepted a request header on its way to your server after you'd authenticated, decoding your user name and password would take virtually no work at all.

Alternatively, and just as easily, you can use digest authentication, which is considered to be much more secure than basic. It uses MD5 hashing and other techniques so that what is sent is nearly one way: the password itself is not recoverable from the header.

Consider the following excerpts from a .htaccess file:

CODE:
  # Use digest authentication
  AuthType Digest
  # The realm; it must match the realm used when adding users with htdigest
  AuthName "private"
  # Apache 2.0 directive; on Apache 2.2 and later mod_auth_digest reads the
  # password file through AuthUserFile instead
  AuthDigestFile /home/yourusername/.htdigest
  Require valid-user

CODE:
  # Use basic authentication
  AuthUserFile /home/yourusername/.htpasswd
  AuthName "restricted"
  AuthType Basic
  Require valid-user

Both should be fairly easy to set up with the Auth directives, and Apache ships with CLI tools for adding users to the password files: htpasswd and htdigest.
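To make the difference concrete, here is an added Python illustration (not code from the post) that models both schemes: what a Basic header contains, what an htdigest file entry stores, and how a Digest response is derived and checked by the server. The user name, realm, password, URI and nonce are constructed sample values.

```python
import base64
import hashlib

# Constructed sample credentials and server parameters (not from the post).
USER, REALM, PASSWORD = "alice", "private", "s3cret"
METHOD, URI = "GET", "/wp-admin/"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # constructed server nonce


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def basic_header(user, password):
    """What the browser sends for Basic auth: base64 only, no secret involved."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(header):
    """Anyone holding the header recovers the credentials with a single decode."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password


def htdigest_line(user, realm, password):
    """Entry format stored by Apache's htdigest tool: user:realm:HA1."""
    return f"{user}:{realm}:{md5_hex(f'{user}:{realm}:{password}')}"


def digest_response(ha1, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def client_digest_response(user, realm, password, method, uri, nonce):
    """The client derives HA1 from the password; only the response is sent."""
    return digest_response(md5_hex(f"{user}:{realm}:{password}"), method, uri, nonce)


def server_verify(htdigest_entry, method, uri, nonce, response):
    """The server checks using the stored HA1; the password never travels."""
    _, _, ha1 = htdigest_entry.split(":")
    return digest_response(ha1, method, uri, nonce) == response
```

A replayed Digest response fails as soon as the server issues a different nonce, which is the property the Basic header lacks.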
