pabloespejo
Forum Replies Created
-
Interesting reading: http://danielmiessler.com/study/security_and_obscurity/
Does not work and is 100% not accepted by any reputable IT security professional.
Can you explain to me why it does not work? It is another layer of security. We are not talking here about relying all protection on hiding a folder, but about adding it to avoid bandwidth waste and for extra security.
If they don’t know the folder, they need to find it. If they find it (it won’t be easy if you put a good long name), you can change it. Eventually, it makes sense that they will go to an easier target.
Ok, then, your opinion is that all the security you need on the Internet is a good password. I already know that. Thanks.
If you have a 404 page that weighs 1KB then every hit is going to waste 1KB.
If you have a regular WordPress login page, like mine, it will load jquery, css, images etc… 250kb approx. Then with the wrong login, it will load again. Another 250kb (maybe they use cache, maybe not). So it’s 500 times more bandwidth.
Now let’s imagine 1000 attempts per day: 500MB approx. 182 GB per year and for nothing. Not bad…
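The bandwidth comparison above, as an added example that is not part of the original thread: a small Python script that parses constructed Apache combined-format access-log lines, sums the bytes served to wp-login.php hits versus 404 probes, and counts POST attempts per source IP so the noise can be measured rather than estimated. The log lines, the threshold and the field layout are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2013:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2480 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2013:10:00:02 +0000] "GET /wp-includes/js/jquery/jquery.js HTTP/1.1" 200 93000 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2612 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2612 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2612 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2013:10:01:00 +0000] "GET /wp-admin/ HTTP/1.1" 404 1024 "-" "curl/7.29"
198.51.100.9 - - [10/May/2013:10:01:01 +0000] "GET /wp-login.php HTTP/1.1" 404 1024 "-" "curl/7.29"
192.0.2.44 - - [10/May/2013:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2612 "-" "Mozilla/5.0"
"""

# Fields we need: client IP, method, path, status and response size in bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

def parse(log_text):
    """Yield one dict per parseable log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
            yield rec

def bytes_by_outcome(log_text):
    """Bytes served to the login page (200 on wp-login.php) vs 404 probes vs other 200s."""
    totals = Counter()
    for r in parse(log_text):
        if r["path"].startswith("/wp-login.php") and r["status"] == 200:
            totals["login_page"] += r["bytes"]
        elif r["status"] == 404:
            totals["not_found"] += r["bytes"]
        else:
            totals["other"] += r["bytes"]  # assets pulled in by the login page, etc.
    return dict(totals)

def login_posts_per_ip(log_text, threshold=3):
    """Count POST /wp-login.php per source IP and return those at or above threshold."""
    counts = Counter(r["ip"] for r in parse(log_text)
                     if r["method"] == "POST" and r["path"].startswith("/wp-login.php"))
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Run the two functions over a real access log to see how much of the login-page traffic comes from a handful of source IPs, which is the figure a host or a rate-limiting rule needs.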
Say you have a house. You have a front door, right? Moving wp-admin is like moving the front door. It doesn’t necessarily give them access to the safe’s content, but it lets them in the house.
You don’t hide your door, you have a good lock (password).
Well, for me, WordPress is the house. Then, I have a safe inside. But I don’t want to show publicly that I have a safe.
But ok, if you all think the best option is to show the access to the control of your website, then maybe it’s just me that I’m “paranoid”.
Who assures you this won’t happen again? And for the same reason, if you have a very strong password of 60 chars with lower, upper, symbols etc… why change the “admin” name?
Let’s rely all our security on one password.
And let’s waste bandwidth.
I am not here to argue the same a million times. I was just trying to point out that, with a different folder name, everything is harder for crackers and spammers.
And for sure a spammer trying to log in wastes more bandwidth than a spammer receiving a 404. Imagine when you are hit by spammers hundreds of times every day. It’s nonsense.
Of course not, but if they are there, I prefer to have my safe well hidden inside my house, rather than having the safe in the garden, or at the door, where anyone can access it without problem.
See it this way.
If you have a safe (the admin directory) in your house, would you like anyone to know that you have it and, besides, where it is located? Even if you have a strong password to open it?
There may be new vulnerabilities in the future, so relying on just a strong password for your website security is not the best option imho.
Ipstenu, sure there will be problems with some users, but again, if a user is not capable of memorizing a URL like mydomain.com/newadmin they must be banned from using computers or writing entries 🙂
Hello Jam.
You could try changing all the references from /wp-admin/ in the code
I already know that option of changing references in the code, but I didn’t do it for the same reason you are saying: the next update comes and I will need to do it again.
It’s the same with /wp-admin/ and wp-login.php. If you use a good password then those attempts are just background noise and can be ignored.
Again, I say it is not. If I change 1 letter in the name of the wp-admin folder, the login attempts disappear. NEVER can a call to a nonexistent file or folder be the same bandwidth as someone going to your login page, trying to log in, and receiving the data with the message “wrong password”. If it’s 1 time per day it’s ok, but if you receive 2500 unsuccessful logins per day, you really tell me it is not important?
It is a waste of resources.
Option 1: the spammer calls admin: receives a 404, goes away
Option 2 (current): the spammer goes to the admin login page. The page loads. Tries one login/pass. Page reloads again with the message that the password doesn’t match. Spammer tries another name / pass several times.
there would probably have to first be an update that sets the constant to /wp-admin/ to give plugin maintainers time to update their code
That’s a good idea. But really, hard-coding directories instead of having them in a variable is not the best. You always need to use a variable if you are going to use the same string hundreds of times. For WordPress code or for plugins.
Thanks for your answer Alice, I hope they think about adding this option to rename the admin.
Hi AliceWonderFull, my admin name is not “admin”. Anyway some of the attempts use my new name, others don’t. I assume they check the names in the posts and use them also besides “admin”.
I am not worried about success, as I have another admin name, captcha, and probably I will put htaccess protection.
But the easiest would be for WordPress to allow changing the admin folder. If 99% of the blogs change their admin folder name, the bots would stop wasting resources trying to access WordPress sites because they won’t know the name of the directory they must access.
Thanks for the tips.
But how do they detect I’m using WordPress? I guess the bots are not trying all the IPs in the world?
Of course, bandwidth, and security reasons. If you have the admin URL address the same as everyone else in the world using WordPress, that is not good for security.
So, having multiple attempts of login to my admin every hour is no problem?
What am I supposed to say to my hosting? How can they stop that if there are thousands of different IPs?
Thanks.