Beep boop - this is a robot. A new show has been posted to TWiT…
What are your thoughts about today’s show? We’d love to hear from you!
During Steve’s segment about the WordPress Easy SMTP plugin vulnerability, he discussed killing the wp-admin login page using .htaccess but didn’t go into detail about how to. Here is a link for instructions. One solution to test is, disable your mobile phone WiFi to enable cell data which makes your public IP different, then launch “your-website”.com/wp-admin and confirm you get the 403 forbidden error.
2 Likes
And as of today 50 bitcoins = $1,162,400
Yes, the intricacies of .htaccess isn’t something you can really go into in an episode of SN, that would be a whole show in itself.
As many companies and bloggers have recently found out! There are a set of debugging commands in WordPress and Apache that open up special sub-folders for debug information, you can restrict them to a certain set of IP addresses, which makes sense. But .htaccess is hierarchical and even if you restrict access on those folders, if you have allowed access above, the restriction will be ignored!
I’ll see if I can find the article and post a link.
Edit: Not finding it. When I search, the first few hundred results are ads for hardening Apache and how-tos for hardening Apache. I’ll keep looking for the article.
1 Like