WordPress - Security Risk? [closed]
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this questionI have a WordPress site and the following link is accessible: www.domain.com/wp-admin/ (obviously not the real domain name). Someone told me that this is a security risk. Any truth to this?
In essence, the more information an attacker has about your setup, the worse off you are.
That being said, however, the information gained by knowing your admin login page is pretty trivial - as it's the default login location for all WordPress sites. Therefore, once an attacker figured out your site was a WordPress site, he/she would naturally try that link.
As long as you keep your WordPress files up to date, the only thing you're really vulnerable (that you would be protected from if that page was inaccessible) to is an 0day on that specific page...
So, really, it doesn't matter much either way. Personally, I would deny access to that as much as was convenient - but, on the other hand, you may like having that link always open so you can login and admin your site from anywhere. I dare say you'll be fine either way, so long as you have sufficiently strong passwords.
Update: Another thing to consider, the login pages of (well-written, tested)open-source software are rarely ever the point of failure for authentication attacks. Usually, compromising a system involves disclosure of credentials using another vulnerable page, and then using the login page as it was intended to be used. The WordPress devs have combed over the code in your login page because they know it's going to be the first place that anybody looks for an exploit. I would be more concerned about any extensions you're running than leaving the login page viewable by the public.
That's simply Wordpress. Nothing inherently wrong with it. But if you are concerned overall with security, see http://codex.wordpress.org/Hardening_WordPress and http://www.reaper-x.com/2007/09/01/hardening-wordpress-with-mod-rewrite-and-htaccess/ and http://www.whoishostingthis.com/blog/2010/05/24/hardening-wordpress/ etc., on protecting admin with .htaccess, removing some WP identifiable clues, changing the database prefix, SSL access, and on and on. Some things are more worthwhile to do than others, some more obscurity than security, but it's all a learning experience.
Well a lot of sites have open wp-admin , however you can put in a .htaccess file and password protect the directory, provided you are on apache.
it's not a big deal... there's a lot of stuff to avoid it being there... you could even have your whole wp install in a subdirectory of the server
Not sure for WordPress, but I know at least two e-commerce softwares (Zen Cart and PrestaShop) recommending to rename the admin directory to some other name (and not to print the URL in orders...).
Perhaps there are some known exploits using this information...
加载中,请稍侯......
精彩评论