Secure Your Wordpress Admin Folder With lighttpd
As you might have guessed, I’m ultra concerned about security. Security isn’t my area of expertise, nor do I claim to have any superior knowledge in the field, but sometimes being ahead of the game can prove beneficial. Shoemoney’s blog has been defaced twice (to my knowledge), simply because he failed to upgrade. This gives me a sense of safety since I not only religiously upgrade, but take additional countermeasures as well. One of those countermeasures is limiting access to sensitive directories with lighttpd. Let’s get to work.
First, open up your /etc/lighttpd/lighttpd.conf file (the path may differ on your distribution) in your favorite text editor. Add this segment of code just before you start defining your virtual host settings:
$HTTP["remoteip"] !~ "^10\.10\.10\.220$" {
    $HTTP["url"] =~ "^/wp-admin/" {
        url.access-deny = ( "" )
    }
}
You’ll obviously need to replace 10.10.10.220 with your IP address. This little trick will prevent access to /wp-admin/, and anything below that folder, unless of course the request is coming from your IP. Two details of the pattern matter: lighttpd’s =~ and !~ operators perform an unanchored regular-expression match, and an unescaped dot matches any character, so a bare "10.10.10.220" would also admit a visitor from 110.10.10.220. Anchoring the pattern with ^ and $ and escaping the dots (\.) makes it match your address and nothing else. If you only need to allow a single address or network, lighttpd also accepts CIDR notation with the == and != operators (for example $HTTP["remoteip"] != "10.10.10.0/24"), which avoids regular expressions altogether. Spoofing the source address of a TCP connection is not a practical attack here: the server sends its replies to the spoofed address, so the attacker never completes the handshake, let alone delivers an HTTP request. The realistic ways around the rule are an attacker who already sits on an allowed network, or a deployment where lighttpd is behind a reverse proxy or CDN, in which case remoteip is the proxy’s address and the rule either blocks everyone or allows everyone (lighttpd’s mod_extforward exists for that situation, but only trust it for proxies you control). That’s why there’s an authentication system & strong passwords (you are using $7r0ng-p@$$w0rd$-r1gHt??!@). Someone who gets past the IP rule still has to pass the login screen. Two caveats before you rely on this: /wp-login.php lives outside /wp-admin/, so the login page itself stays reachable unless you add it to the rule, and /wp-admin/admin-ajax.php is used by many plugins and themes for front-end requests, so denying the whole folder to visitors can break those features.
Alright, but let’s say you want to write posts from school, or work. Maybe you have contributing authors that need access to the admin panel. No problem, we can add more IP addresses easily. Here’s how:
$HTTP["remoteip"] !~ "^(10\.10\.10\.220|10\.50\.20\.15|12\.12\.220\.[0-9]+)$" {
    $HTTP["url"] =~ "^/wp-admin/" {
        url.access-deny = ( "" )
    }
}
Simply insert a pipe symbol ( | ) inside the parentheses, followed by the IP address you’d like to grant access to (dots escaped, as before). Notice the last entry (12\.12\.220\.[0-9]+) ends with a digit pattern instead of a single host. This means anyone from the 12.12.220.0/24 network (12.12.220.0 through 12.12.220.255) can access the admin panel as well. Don’t write it as 12.12.220.* the way you would a shell glob: in a regular expression .* matches any sequence of characters, so the entry would also match addresses such as 112.12.220.45. Allowing a whole network is not advised, but possible.
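To see concretely why the anchoring and escaping matter, here is an added example (not part of the original post) that replays lighttpd’s allow-list check in Python. It assumes what lighttpd does with =~ and !~: an unanchored PCRE-style search over the client address, which re.search reproduces. The loose pattern is the one exactly as it appeared in the post; the tight pattern is the corrected form. The candidate client addresses are constructed for the demonstration, and the "intended" networks are my reading of what the three entries are meant to cover.

```python
import ipaddress
import re

# Constructed: the three allow-list entries as the operator presumably
# intends them (two single hosts and one /24 network).
INTENDED_NETWORKS = [
    ipaddress.ip_network("10.10.10.220/32"),
    ipaddress.ip_network("10.50.20.15/32"),
    ipaddress.ip_network("12.12.220.0/24"),
]

# Pattern as originally written: no anchors, dots unescaped, and ".*"
# (any characters) where a fourth octet was meant.
LOOSE_ALLOW = r"10.10.10.220|10.50.20.15|12.12.220.*"

# Tightened equivalent: anchored, literal dots, explicit fourth octet.
# ([0-9]{1,3} still admits strings like 12.12.220.999, but those can never
# arrive as a real client address, so the over-match is harmless.)
TIGHT_ALLOW = r"^(10\.10\.10\.220|10\.50\.20\.15|12\.12\.220\.[0-9]{1,3})$"


def is_denied(remote_ip: str, allow_pattern: str) -> bool:
    """Mirror `$HTTP["remoteip"] !~ "<pattern>" { url.access-deny = ("") }`.

    lighttpd evaluates =~ / !~ as an unanchored regex match, so re.search
    (not re.fullmatch) is the faithful analogue. Returns True when a request
    to /wp-admin/ from this address would be denied.
    """
    return re.search(allow_pattern, remote_ip) is None


def is_intended(remote_ip: str) -> bool:
    """Ground truth: does the address fall inside a network the operator meant?"""
    addr = ipaddress.ip_address(remote_ip)
    return any(addr in net for net in INTENDED_NETWORKS)


def audit(allow_pattern: str, candidates) -> list:
    """Return the candidate addresses the pattern admits although they were
    never meant to be allowed. An empty list means the pattern is as tight
    as the intent."""
    return [
        ip for ip in candidates
        if not is_denied(ip, allow_pattern) and not is_intended(ip)
    ]


def tight_pattern_covers_intended_net() -> bool:
    """Sanity check in the other direction: the tightened pattern must still
    admit every host in the /24 the operator wanted to allow."""
    return all(not is_denied(f"12.12.220.{host}", TIGHT_ALLOW) for host in range(256))


# Constructed client addresses: some intended, some that merely *contain*
# an allowed address as a substring, one neighbour that must stay denied.
CANDIDATES = [
    "10.10.10.220",   # the author's own host: intended
    "12.12.220.45",   # inside the allowed /24: intended
    "110.10.10.220",  # unrelated host; its address ends in 10.10.10.220
    "112.12.220.45",  # unrelated host; its address contains 12.12.220
    "210.50.20.15",   # unrelated host; its address ends in 10.50.20.15
    "10.10.10.22",    # neighbour of the author's host: must be denied
]

if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE_ALLOW), ("tight", TIGHT_ALLOW)):
        print(f"{name} pattern admits by mistake: {audit(pattern, CANDIDATES)}")
    print("tight pattern still covers 12.12.220.0/24:", tight_pattern_covers_intended_net())
```

Running it shows the loose pattern waving through three addresses that have nothing to do with the operator’s networks, while the tight pattern admits none of them and still covers every host in 12.12.220.0/24. The same audit approach works for any regex-based allow list: write down the intended networks as CIDR blocks, then check the regex against them rather than trusting it by inspection.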
So now you know how to secure and limit access to folders with lighttpd. What are some of the ways you secure your web-sites?