{"id":165,"date":"2019-11-20T12:06:00","date_gmt":"2019-11-20T17:06:00","guid":{"rendered":"http:\/\/127.0.0.1:8080\/?p=165"},"modified":"2024-01-13T13:56:16","modified_gmt":"2024-01-13T18:56:16","slug":"no-unauthorized-access-to-wordpress-admin","status":"publish","type":"post","link":"http:\/\/10.42.0.68:8080\/blog\/no-unauthorized-access-to-wordpress-admin","title":{"rendered":"No unauthorized access to WordPress Admin"},"content":{"rendered":"\n<p>To safeguard your WordPress site and prevent unauthorized access to your admin panel, you can take the following steps:<\/p>\n\n\n\n<!--more-->\n\n\n\n<h2 class=\"wp-block-heading\">Keep WordPress core up-to-date<\/h2>\n\n\n\n<p>By default, WordPress only updates minor versions automatically. To enable automatic updates for major versions, add the following line to your wp-config.php file:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>define('WP_AUTO_UPDATE_CORE', true);<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Keep plugins up-to-date<\/h2>\n\n\n\n<p>It&#8217;s very weird because you need to modify your template to activate it \u2026<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\">\n<p>WTF\u2026 template not core?<\/p>\n\n\n\n<p>Core developers = asshole! &#8211; <a href=\"\/\">sycured<\/a><\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Create child theme<\/h3>\n\n\n\n<p>Never, never, never modify the official theme directly, you need to use a child theme.<\/p>\n\n\n\n<p>I let you read the <a href=\"https:\/\/developer.wordpress.org\/themes\/advanced-topics\/child-themes\/\">official documentation<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Activate automatic update<\/h3>\n\n\n\n<p>You need to add two lines in <strong>functions.php<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>add_filter( 'auto_update_plugin', '__return_true' );\nadd_filter( 'auto_update_theme', '__return_true' );<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">U2F and OTP for all users<\/h2>\n\n\n\n<p>2FA rules the world and we use it right now to let hackers outside of wp-admin.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Plugin<\/h3>\n\n\n\n<p>It&#8217;s an open-source plugin: <a href=\"https:\/\/wordpress.org\/plugins\/two-factor\/\">Two-Factor<\/a><\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Configuration<\/h4>\n\n\n\n<p>All configuration is inside each user&#8217;s account:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"384\" src=\"http:\/\/127.0.0.1:8080\/wp-content\/uploads\/2024\/01\/wordpress_u2f_account_settings.png\" alt=\"\" class=\"wp-image-110\" srcset=\"http:\/\/10.42.0.68:8080\/wp-content\/uploads\/2024\/01\/wordpress_u2f_account_settings.png 624w, http:\/\/10.42.0.68:8080\/wp-content\/uploads\/2024\/01\/wordpress_u2f_account_settings-300x185.png 300w\" sizes=\"(max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<p>I recommend you use the same settings to have the best security\u2026<br>After taking this screenshot, I added my 2 other U2F keys.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">SSO when you can<\/h2>\n\n\n\n<p>SSO can be used to unify the login method but keep in mind that U2F &amp; OTP must be activated at the SSO provider level.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Plugin<\/h3>\n\n\n\n<p>It&#8217;s another open-source plugin: <a href=\"https:\/\/wordpress.org\/plugins\/daggerhart-openid-connect-generic\/\">OpenID Connect Generic Client<\/a><\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Configuration<\/h4>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"422\" src=\"http:\/\/127.0.0.1:8080\/wp-content\/uploads\/2024\/01\/wp_sso_conf1.png\" alt=\"\" class=\"wp-image-112\" srcset=\"http:\/\/10.42.0.68:8080\/wp-content\/uploads\/2024\/01\/wp_sso_conf1.png 624w, http:\/\/10.42.0.68:8080\/wp-content\/uploads\/2024\/01\/wp_sso_conf1-300x203.png 300w\" sizes=\"(max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"408\" src=\"http:\/\/127.0.0.1:8080\/wp-content\/uploads\/2024\/01\/wp_sso_conf2.png\" alt=\"\" class=\"wp-image-113\" srcset=\"http:\/\/10.42.0.68:8080\/wp-content\/uploads\/2024\/01\/wp_sso_conf2.png 624w, http:\/\/10.42.0.68:8080\/wp-content\/uploads\/2024\/01\/wp_sso_conf2-300x196.png 300w\" sizes=\"(max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"229\" src=\"http:\/\/127.0.0.1:8080\/wp-content\/uploads\/2024\/01\/wp_sso_conf3.png\" alt=\"\" class=\"wp-image-114\" srcset=\"http:\/\/10.42.0.68:8080\/wp-content\/uploads\/2024\/01\/wp_sso_conf3.png 624w, http:\/\/10.42.0.68:8080\/wp-content\/uploads\/2024\/01\/wp_sso_conf3-300x110.png 300w\" sizes=\"(max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Error in log<\/h4>\n\n\n\n<p>This is an example of failure to authenticate to the WordPress, no authorized access<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"380\" src=\"http:\/\/127.0.0.1:8080\/wp-content\/uploads\/2024\/01\/wp_sso_missing_state.png\" alt=\"\" class=\"wp-image-115\" srcset=\"http:\/\/10.42.0.68:8080\/wp-content\/uploads\/2024\/01\/wp_sso_missing_state.png 624w, http:\/\/10.42.0.68:8080\/wp-content\/uploads\/2024\/01\/wp_sso_missing_state-300x183.png 300w\" sizes=\"(max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"368\" src=\"http:\/\/127.0.0.1:8080\/wp-content\/uploads\/2024\/01\/wp_sso_no_code.png\" alt=\"\" class=\"wp-image-116\" srcset=\"http:\/\/10.42.0.68:8080\/wp-content\/uploads\/2024\/01\/wp_sso_no_code.png 624w, http:\/\/10.42.0.68:8080\/wp-content\/uploads\/2024\/01\/wp_sso_no_code-300x177.png 300w\" sizes=\"(max-width: 624px) 100vw, 624px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Caution<\/h3>\n\n\n\n<p>In this configuration, you need to create users in your WordPress using the same email address that connects to SSO: no automatic registration\/synchronization.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>You have a better security level without high computing costs.<br>I prefer the SSO way due to having the possibility to force OTP\/U2F.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>To safeguard your WordPress site and prevent unauthorized access to your admin panel, you can take the following steps:<\/p>\n","protected":false},"author":1,"featured_media":111,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"saved_in_kubio":false,"footnotes":""},"categories":[17],"tags":[18,19,20,21],"_links":{"self":[{"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/posts\/165"}],"collection":[{"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/comments?post=165"}],"version-history":[{"count":1,"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/posts\/165\/revisions"}],"predecessor-version":[{"id":166,"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/posts\/165\/revisions\/166"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/media\/111"}],"wp:attachment":[{"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/media?parent=165"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/categories?post=165"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/tags?post=165"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}