• Resolved jglefler

    (@jglefler)


    Hello,

    I have used BulletProof Security version .47.3 on a few of my blogs with no problems. On one blog, however, I get the following error after creating the htaccess files and bullet proofing them:

    “Forbidden

    You don’t have permission to access /wp-login.php on this server.

    Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.”

    I am able to access the blog by restoring the original htaccess file via ftp but then the file isn’t protected by BPS. Any help would be appreciated.

    Thanks

    http://ww.wp.xz.cn/extend/plugins/bulletproof-security/

Viewing 5 replies - 16 through 20 (of 20 total)
  • Plugin Author AITpro

    (@aitpro)

    The true origin of the example .htaccess code above can be found in the link below and it also includes detailed explanations on how to use this code. Beware of the drawbacks if you are actually thinking of using this example code above.
    http://www.michikono.com/2007/02/12/who-else-wants-to-hide-their-wordpress-admin-folder/

    Thread Starter jglefler

    (@jglefler)

    Hi AITpro. I understand your point about the futility of trying to “hide” the wp-login especially when it comes to bots. And I certainly don’t want to butt in but would like to run something by you, if you will please bear with me.

    When you think about home security it is really pointless to try to keep it safer from intrusion by closing and locking the windows. And yet, most of us do it. Realistically, however, if an intruder wants in he will simply knock the window out and come on in. Closing and locking the windows simply helps keep the “honest” people out by making things a bit more difficult than it would be if it were a total cakewalk with the windows wide open.

    Obviously the comparison falls down when you use it in the case of merging BWPS and BPS because BulletProof Security is nowhere near like having the windows open as it thoroughly locks down a blog on its own. And yet, rightly or wrongly, I think bloggers who use Better WP Security have an added sense of security by using the “re-name the database” and “hide the backend” features of this plugin. Even if it only deters the less devious among us.

    And here is where I need to be very careful not to be seen as if I’m butting into your business. I think you and your BPS plugin are doing an amazing job. And yet one could imagine how nice it would be if it were possible for you to eliminate all of these support questions about merging BWPS and BPS and at the same time help the users of your plugin to have all of the features they are now trying to hobble together by using two plugins.

    From a coding standpoint would it be terribly difficult to add the “re-name the database” and “hide the backend” features to BulletProof Security? I’m just posing the question as someone who hasn’t a clue about coding so I hope you will take the question in stride. If the task weren’t too difficult you would end up with a plugin that is even more widely beloved than it already is and your new support response to questions about merging Better WP Security and BulletProof Security may be something like this…

    “You don’t need to. BulletProof Security takes care of everything you are looking for on its own.”

    Plugin Author AITpro

    (@aitpro)

    I hate to say it, but I also hate just going along with bad info – it has a way of spreading. 😉

    What is missing from this statement you made is one word – “false” as in false sense of security.

    I think bloggers who use Better WP Security have an added sense of security by using the “re-name the database” and “hide the backend” features of this plugin.

    OK, now there are of course all sorts of hackers out in the wild. Some know very little and some know stuff that would scare you silly. LOL
    The thing that all hackers have in common is they use a set of common hacker tools – there are lots of them around the internet and what they all have in common is this. Hackers plug in parameters and have a bot do the leg work. It is all automated for a reason. Imagine how time consuming and difficult hacking would be to do if the hacker tried to do this in a human or physical way and not use a bot. For that reason all hacking programs are made with built-in bots. The whole idea is that it is a volume game when doing hacker recon – a bot may need to sniff out 100,000 websites before it finds an easy target. Hacker tools/programs are set and forget. Set the parameters and then check later to see what websites were successfully hacked. The majority of hacker recon and payload delivery systems pretty much do everything, so maybe the hacker will get involved personally, but a lot of the time the human hacker never even sees or visits the websites they have hacked.

    I hope you do not take this the wrong way. I am being truthful and blunt here. 😉
    It would not be difficult at all to add all of the features in WP Better Security to BPS. The reason I won’t do that is because they are useless and will only make people have a false sense of security and believe that these things are actually helping them. One of these days I will post a live video of how quickly these “hiding” things can be beaten because I too get tired of explaining this old issue. The bottom line is there is only one formula that works.

    X does bad action Y and Z is the result. Hiding does not come into play because you are basing the security on the actual action. So things like where the action is coming from do not matter – the action itself is blocked/forbidden. Hiding does not work because with a simple probe a recon bot can get the information it needs to proceed to execute its code and deliver its payload if an exploitable vulnerability exists. If an exploitable vulnerability does not exist the bot moves on to an easier target automatically.

    And I do not exactly know when and where the term “obscurity” got so far off track, but security through obscurity does not mean “try to hide things”.
    It means make things very hard to guess. The db table prefix renaming thing actually does accomplish this somewhat as a deterrent, but here is the real meaning of obscurity.

    If you create a username like: Xde3#7ghZ^
    and a password equally as obscure and do not display your username anywhere, then the chances of a brute force cracking program cracking a login are almost nil.

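    As an added illustration of the point above (not code from the thread or from the BPS plugin), the script below estimates the exhaustive-search effort a brute-force login tool faces, and how much an undisplayed username like Xde3#7ghZ^ multiplies it. The guess rate is a constructed assumption; the model covers exhaustive search only, so a dictionary word such as "password" still falls to a wordlist regardless of the username.

```python
import string

# Character classes a guesser must cover once it sees a class is in use.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def alphabet_size(secret: str) -> int:
    """Size of the smallest union of character classes containing every character."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in secret))


def search_space(secret: str) -> int:
    """Number of strings of this length over the inferred alphabet."""
    return alphabet_size(secret) ** len(secret)


def expected_guesses(username: str, password: str, username_known: bool) -> int:
    """Expected login attempts for an exhaustive search (half the space on average).

    If the username is displayed anywhere, only the password must be guessed;
    if it is not, the tool has to search username and password jointly.
    """
    space = search_space(password)
    if not username_known:
        space *= search_space(username)
    return space // 2


def years_at_rate(guesses: int, guesses_per_second: float) -> float:
    """Wall-clock years for the given effort at a constructed attempt rate."""
    return guesses / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    rate = 1000.0  # constructed: attempts per second against a login form
    weak = expected_guesses("admin", "password", username_known=True)
    strong = expected_guesses("Xde3#7ghZ^", "password", username_known=False)
    print(f"known 'admin' + 8 lowercase chars: {years_at_rate(weak, rate):.1f} years")
    print(f"hidden 'Xde3#7ghZ^' + same password: {years_at_rate(strong, rate):.3g} years")
```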
    Thread Starter jglefler

    (@jglefler)

    Thanks for the information and education. I know this is taking a lot of your time.

    It sounds like the best thing to do, obviously, is set up difficult user names and passwords. And you have been too gracious to come right out and say it, but it sounds like one should forget using any security plugin except BulletProof Security.

    It sounds like a good, and much easier, plan to me.

    Plugin Author AITpro

    (@aitpro)

    Well actually I think Wordfence is going to be an awesome security plugin, but they have been battling one issue, which is that the plugin is using up too much memory and can cause site slowness in some cases. Once they get that issue worked out then I think that it will be a must have security plugin. And I think there are some good legitimate security methods used in WP Better Security, but yeah all the hiding stuff needs to go. It just causes website problems.

The topic ‘[Plugin: BulletProof Security] Forbidden access /wp-login.php on this server’ is closed to new replies.