.htaccess file
I’ve been reading and learning about web application security lately. As a programmer with experience in web development, I thought web application security would be the perfect place for me to get my security fix, and I’m finding it very interesting. I decided that a good place to start learning was with my blog application: how can I better lock down this blog? My blog uses the very popular open-source blogging platform WordPress. Recently I found a post on Matt Cutts’s blog on some things you can do to secure your WordPress blog. Let’s discuss one of his simple recommendations that I implemented. The first thing I did was create a .htaccess file in my “wp-admin” directory:
AuthName "Access Control"
AuthType Basic
# The two Auth* lines above only take effect together with AuthUserFile
# and a Require directive; on their own Apache never prompts for a password.
# Apache 2.2 syntax: Deny is evaluated first, then Allow overrides it
Order deny,allow
Deny from all
# whitelist home IP address
Allow from 71.172.62.228
.htaccess files are also called “distributed configuration files”; they let you change Apache settings per directory, including who may access a particular resource, without touching the server-wide configuration. If you have access to the main configuration file (usually httpd.conf) on the server it is better to make these changes there, because once .htaccess files are enabled (AllowOverride) Apache has to look for and parse them in every directory along the request path on every request, which is a performance hit. My blog is hosted in a shared environment and therefore I don’t have access to the main configuration file. My .htaccess file essentially blocks everyone (all IPs) from accessing the www.itsecpackets.com/blog/wp-admin directory unless the TCP connection is made from the IP specified, which is my home IP address. When I access the admin page as the admin, I will still need to enter my WordPress username/password, so this solution gives me another layer of security on top of the login. Two caveats: the rule only covers the wp-admin directory, and WordPress keeps its login form (wp-login.php) in the blog’s root directory, so the login page itself is still reachable by anyone; and the rule is only as good as the address in it, so if your ISP changes your home IP you lock yourself out until you update the file. Now keep in mind, with security comes a loss of convenience. I will not be able to log on to my WordPress admin panel from work (unless I add that IP address). The same applies if I’m at a friend’s house. There are always trade-offs when it comes to security – always.
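As an added example (not from the original post or from Matt Cutts’s article), here is a fuller version of the same idea: the IP allowlist completed with the HTTP Basic authentication that the AuthName/AuthType lines start but do not finish, so a visitor needs both a listed address and a password before WordPress’s own login form is even reached. The path /home/example/.htpasswd, the user name admin and the address 203.0.113.7 are placeholders to replace with your own. The second stanza is the equivalent for Apache 2.4, where Order/Deny/Allow was replaced by Require; use only the stanza that matches the Apache version on your host. Apache does not allow comments on the same line as a directive, which is why every comment sits on its own line.

```apache
# .htaccess in wp-admin/  (added example; replace the placeholder values)

# ---- Apache 2.2 -----------------------------------------------------
# Deny everyone, then let only the listed client addresses through.
Order deny,allow
Deny from all
# home IP address (placeholder)
Allow from 203.0.113.7
# an office network could be added the same way, e.g.
# Allow from 198.51.100.0/24

# HTTP Basic authentication. The password file must live outside the
# web root; create it with:  htpasswd -c /home/example/.htpasswd admin
AuthType Basic
AuthName "Access Control"
AuthUserFile /home/example/.htpasswd
Require valid-user

# Both conditions must hold: listed address AND valid password.
Satisfy All

# ---- Apache 2.4 equivalent (use instead of the stanza above) ---------
# AuthType Basic
# AuthName "Access Control"
# AuthUserFile /home/example/.htpasswd
# <RequireAll>
#     Require ip 203.0.113.7
#     Require valid-user
# </RequireAll>
```

To check it, request the directory from an address that is not listed: Apache should answer 403 Forbidden without ever asking for a password. From the listed address you should get 401 Authorization Required until you supply the htpasswd credentials, and only then does the WordPress login form appear. Remember that wp-login.php sits in the blog root, outside this directory, so it is not covered by this file.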
April 17th, 2008
Ron,
Very good point. Far too few people think about securing their blogs. With WordPress becoming ubiquitous, it is far too easy to spoof blog entries, in order to make another person look bad.
Blog security needs to be given more thought.
Ben
May 2nd, 2008
[...] than to implement it. We talked about securing my blog’s “Admin panel” in a previous post. I have username/password and for 2nd-factor authentication I can use the YubiKey. I sent the [...]