How To Secure Your Admin Login Page 

Knowing people, no one would use that except the most experienced people.

wordpress would drop like half it's userbase then 😂

I don't really see how the defaults are any bad. Most problems come from brute-forcing a password, which is really the fault of the user. Rate limits can be quite useful as well, but they heavily depend on what normal traffic looks like for a given website.

It's called fedora server with se Linux on by default. You can't make it do anything without a 6 inch thick neck beard and everyone who's ever posted on stack overflow on speed dial... it's my daily driver.

*Ernst Zermelo wants to know your location*

the thing with storing my passwords is, i can't manage a DB i have a single drive if it fails i am doomed and i need to access my passwords in college from my phone and such, so i settled with Bit Warden. I just switched to Arch btw.

@@DeeezNuts i mean just save it to a cloud or something, still better than completely relying on using an online service

@@DeeezNuts adding more to Meze's reply, you can just autosync the files/database using cloud like One Drive and pCloud.

“I use Arch btw” lmaoo

@@meze2095 I save my KeePass .kdbx file to a usb I use for storing files

yea i remember that worpress have shit where u can bruteforce admin name by author parameter

wp-config.php

There's lots of documentation and books about website security out there. Or anything about websites for that matter.

I've read that having your 2FA in the same place as your passwords defeats the purpose of 2FA. That's why I use aegis which is password protected.

@@HyuLilium yeah isn't the whole point to have "two" factors?

@@HyuLilium not necessarily.

@@SuperTort0ise You still have two factors assuming your keepass database is not compromised. Which is why you should keep your database on a disconnected device.

@@HyuLilium accessing the database file also requires a password so using aegis or kpxc will most likely produce the same results. if you're concerned with such attack vector then you are free to make another database file with a different strong password, which some would do. I will still stick to KPXC just because I can bring the database file anywhere and interoperate between other apps like the aforementioned KPDX on android. Whatever it may be, its better off than letting your browser/google account handle all the passwords.

isn't there meta tags to prevent google from indexing? will it work or no.

@@wwxkz probably idk, not web dev

@@wwxkz but then the hacker would just search for the robots.txt file

@@ScienceOrbits yes but say you put allow /home or something, and deny /* There's no useful info

Have you heard of “Stuxnet”? If you have not you will be really disappointed in your idea.

Wasn’t thinking of it like that. Thankg g

facts

preferred security measures are to use ups http requests. only downside is the 5-10 business day latency.

@@pluto8404 Ever heard of a reverse-proxy?

RU-vid on their way to let the spammers do their thing, yet not allowing normal human beings comment.

THANKS

Newb cosplaying as a sysadmin here. Any tips or resources you could share to help protect our WordPress/Php sites on on a linux-based Apache server? Sounds like you know what is up. Best regards.

Love to see some WordPress support in the comments

Honestly, I don't really like WordPress. It does have a huge ecosystem of plugins and does its job quite well, but to me, it usually seems a bit overkill for what usually amounts to something that could be done with static Html/CSS. No hate towards WordPress, they've found a certain niche and filled it reasonably well. Also, let's not judge products by market share, since then Windows would be the best OS of all time. :)

@@rkvkydqf if you’re talking consumer computers, if you count everything else (servers, phones, etc.) you would see the Linux kernel dominates windows.

@@rkvkydqf I agree that a CMS in general is overkill if you are just trying to serve up a simple static site. But what if you need a database and dynamic content? e-commerce perhaps? Well then static just won't do. It really is about knowing what is the right tool for the job. Static sites are good for simple projects that won't require constant content updates. WordPress is my go-to for anything that I may need to hand off to a no-code client (most clients) or anything I may need to significantly expand functionality later (most projects). If you are handing off a website to a client who knows nothing about code, a static site makes them feel like they don't have control over their own website. They will have no idea what to do with the HTML/Css/Js. WordPress and Windows aren't at the top bc they're the "best." they're at the top bc they're the most accessible and most practical for the most people. Although as another commenter said Linux beats Windows if you include non-PCs. Based open source software 😁 For me it's about the time it saves & the empowerment it gives clients, especially those with a smaller budget. With WordPress, you don't have to keep reinventing the wheel. Just install the right plugin. Maybe you will have to add some custom code for it to do EXACTLY what you want, but that is the fun part. I am not trying to convince anybody WordPress is great for every situation, but it is popular for a reason. 😃

@@rkvkydqf Wordpress is not a "niche", 43% marketshare is not a "niche". As far as "learn to code" goes, well, nobody gives a shit about learning HTML/CSS. What's more, 90% of us simply don't have the minimum required IQ to even comprehend abstract concept behind computer code.

I wish I could, but everyone is so lazy they throw in 10MB of Javascript and a database to deliver what amounts to a simple HTML page...

@Sdendix Pir nothing. you have to write html yourself

+ Enforce SSL

One tip to secure your server: Uninstall systemd

@@Sv5YpWTwd9otTA4So83f And have less security? Stupid argument you make there but I guess you didn't got your fish.

The problem is, WP has a small problem when it comes to finding out a username. With a specific url I can tell you your Admin Username

@@monkaSisLife do you know the url or any article where it's described?

@@fedo9644 I think he meant, given a url I can determine the admin username from that url.

The default username allows for rainbow table attacks on the credential database. Though a strong password mitigates this thread.

A username is relatively easy to figure out because it wasn't ever intended as private data. A secure password would be a much more productive use of time.

What are the extra precautions? Changing the port doesn't do much to ssh security wise, nor changing it back, you might just get failed ssh attempts in your logs which can be managed with fail2ban

Changing ports is just security through obscurity.

He’s a Gentoo Linux user what do you expect? XD

the actual security in my neighborhood wifi connections

make sure you use a password manager to remember that

LL

didnt onionshare already do that?

@@nerelada3963 i didnt know that amma go check it thank you

Yup. No reason to use an admin username that isn't at least twenty characters and a mix of random letters and numbers.

@@Sv5YpWTwd9otTA4So83f typing "admin" on my own website makes me feel powerful

That’s just security through obscurity. The version can be determined anyways.

@@someone7826 Showing which version is used is like outright showing the attackers the list of CVE's im affected by.

@ The attacker will find out anyways. That measurement provides a false sense of safety.

@@someone7826 I'm so done with this "security through obscurity" garbage putdown. Obfuscation is a reduction of attack surface. Yes, by itself, it's not very useful. And if used improperly, its worthless. But it's a support tool in a combined arms approach. Changing usernames to something that's as hard to predict as the password, AND creating automatic ban procedures for any IP/thumbprint combos that ever attempt to login with default usernames, is an easy layer of cloth against the wind. Apply the same to URLs and ports and now it's three layers against the wind. Combine that with other layers and you're all the more insulated.

that would be cool

FBI, OPEN UP!

@@qbasic16 hentai is not illegal. It's just animated porn

so why didn't you do it ? you can't

There's no inherent security issues with PHP. A lot of amateur developers are attracted to the language for some reason though, you definitely see a lot more insecure configs and code from PHP land.

hackers hate this tip

Imagine blaming a programming language instead of the actually horrible developers working on and with WP.

THE BEST COMPUTER security tip - don't use computers

@@lgibson02 it's all of those free hosting providers. They all accept nothing but PHP for scripting.

A selfhosted VPN like wireguard and keeping all your other services on the internal network would probably suffice for that usecase.

A reverse proxy like nginx or caddy

@liQQiRichii Wireguard is really easy if you use a docker container tho. I set mine up in like 10 minutes. It’s also built in the kernel so I think long term Wireguard will be fine too.

An easy to remember password isn't very good to do, and 2-factor code does help, but is surprisingly easy to crack on things like WordPress. With people who know how to get it, they can track and decode the remote server changes, some of them being 2-factor resets.

2FA is a load of crap. It sounds great on the surface, but it's an annoyance for users and little more than a setback for competent attackers. I question why we even have a password anymore at all because they send a one time authentication code every. god. damned. time. The whole purpose of a "password" is to "pass" with a "word" If the password doesn't grant access, it's just an arbitrary, meaningless engagement that effectively does nothing except add a step in the login process making it more time-consuming.

Distributed attacks

Ahh thanks so like zombie machines each getting 3 attempts at a time?

@@worldwide_wes but thats gonna get the account flagged, multiple devices trying to access 1 account is sus

@@DeeezNuts well that was my initial question