Author Archives: Tim Auld

How do hackers work out the WordPress Admin user account?

I noticed recently, after installing the Limit Login Attempt plugin (which is a great plugin), that hackers were continually trying to break the WordPress Admin account and they all seemed to know what the WordPress Admin username was, which bugged me. I wasn’t just using “Admin”, which we all know is the default; I was using a custom Admin username, which I thought was making it more secure.

What they were doing was requesting the following:

https://mydomain.com/?author=1

WordPress answers a request for a numeric author ID with a redirect to that user’s author archive, and the default archive permalink is built from the account’s nicename, which is the login name unless the user has changed it (https://mydomain.com/author/username/). The username therefore appears in the redirected URL. User ID 1 is the first account created at install time, which on most sites is the administrator, and an attacker can step through ?author=2, ?author=3 and so on to collect the other accounts as well.

One way to stop this is to add the following to the .htaccess file in your website root directory, underneath what is generated by WordPress and outside the # BEGIN WordPress / # END WordPress markers (WordPress rewrites everything between those markers whenever the permalink settings are saved, so rules placed inside them are lost). With the rule in place, a request for /?author=1 receives a 301 to the home page and the username is never exposed. Note that this closes only the ?author=N route: WordPress also lists users who have published posts at /wp-json/wp/v2/users, so check that endpoint too if username disclosure is your concern.

# Stop author=1 user enumeration: send any front-end request that carries
# ?author=<number> to the home page before WordPress can answer it
RewriteEngine On
# leave the admin area alone (its user filter uses ?author=<id> legitimately)
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} author=\d
# the trailing "?" drops the query string from the redirect target
RewriteRule ^ /? [L,R=301]
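The enumeration described above, together with what the redirect looks like before and after the .htaccess rule, as an added example that is not part of the original post. It is a Python script: mydomain.com, the two user names and the two fake responders at the bottom are constructed stand-ins so that it runs offline, while http_location performs the real request when you give it a site URL. It goes beyond the single ?author=1 request in the text by walking a range of IDs, which is what the attackers in the logs were doing.

```python
"""Added example (not from the original post): check whether a WordPress site
leaks usernames through /?author=<id>, and confirm the .htaccess fix closes it.
The responders at the bottom are constructed stand-ins so the script runs offline.
"""
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional

# Default author archive permalink is /author/<nicename>/; the nicename is the
# login name unless the user changed it. Assumes the default "author" base.
AUTHOR_ARCHIVE = re.compile(r"/author/([^/?#]+)/?")


def username_from_location(location: Optional[str]) -> Optional[str]:
    """Return the username disclosed by a redirect target, or None."""
    if not location:
        return None
    path = urllib.parse.urlsplit(location).path
    match = AUTHOR_ARCHIVE.search(path)
    return urllib.parse.unquote(match.group(1)) if match else None


def http_location(url: str) -> Optional[str]:
    """Fetch url without following redirects and return its Location header."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # returning None makes urllib raise instead of follow

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "author-enum-check"})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # a 3xx lands here because of NoRedirect
        return err.headers.get("Location")


def enumerate_authors(base_url: str, max_id: int = 10,
                      fetch: Callable[[str], Optional[str]] = http_location) -> Dict[int, str]:
    """Request ?author=1..max_id and collect every username the redirects reveal."""
    found: Dict[int, str] = {}
    base = base_url.rstrip("/")
    for uid in range(1, max_id + 1):
        name = username_from_location(fetch(f"{base}/?author={uid}"))
        if name:
            found[uid] = name
    return found


# --- constructed responders standing in for real sites (hypothetical accounts) ---
FAKE_USERS = {1: "tim-auld", 2: "editor"}


def leaky_site(url: str) -> Optional[str]:
    """Behaves like stock WordPress: a known numeric author -> 301 to /author/<name>/."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    uid = int(query.get("author", ["0"])[0])
    name = FAKE_USERS.get(uid)
    return f"https://mydomain.com/author/{name}/" if name else None  # None = no redirect


def hardened_site(url: str) -> Optional[str]:
    """Behaves like the .htaccess rule above: every ?author=N is sent to /."""
    return "https://mydomain.com/"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # real check against a site you are authorised to test
        print(enumerate_authors(sys.argv[1], 10))
    else:  # offline demonstration with the constructed responders
        print("before fix:", enumerate_authors("https://mydomain.com", 5, fetch=leaky_site))
        print("after fix: ", enumerate_authors("https://mydomain.com", 5, fetch=hardened_site))
```

Run it with no arguments to see both behaviours; with a site URL as the only argument it makes the real requests. A non-empty result means the site still discloses usernames; an empty one after the rule is in place confirms that the redirect now goes to the home page. If you have changed the author base in the permalink settings, adjust AUTHOR_ARCHIVE to match.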

Can’t Update WordPress or Plugins

I have recently had problems updating WordPress and Plugins on a number of my sites, getting caught up having to set up FTP accounts to allow the updates. In searching online I found a very simple solution.

In the wp-config.php file add the following line:

// Let WordPress write files directly as the web server user instead of over FTP
define('FS_METHOD', 'direct');

WordPress asks for FTP credentials when a file it creates during a test write is not owned by the same user that owns the WordPress scripts. Forcing 'direct' skips that check but not the underlying permission problem, so it only works when the web server user can write to the WordPress tree. It also means that anything able to run PHP on the site (a compromised plugin, for example) can write to those same files, so keep ownership and permissions as tight as the updater allows rather than loosening them to make the define work.

That fixed the problem for me.
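Why WordPress falls back to asking for FTP credentials in the first place, as an added example that is neither from the original post nor WordPress’s own code: the Python script below mirrors the ownership check WordPress performs when FS_METHOD is not defined, so you can tell whether the fix you need is the define or a chown. The wordpress/ layout it builds is constructed for the offline demonstration, and the script name and command line are assumptions.

```python
"""Added example (not WordPress's own code): reproduce the check WordPress runs
when FS_METHOD is not defined, to see why it asked for FTP details.

get_filesystem_method() in wp-admin/includes/file.php writes a probe file into
the directory it wants to update and compares the probe's owner with the owner
of the running PHP script (getmyuid()); only when they match does it choose
'direct'. Run this as the web server user to get the same answer PHP gets:
    sudo -u www-data python3 fs_method.py /var/www/html
(path and script name are assumptions for this example)
"""
import os
import tempfile
from pathlib import Path
from typing import Optional


def detect_fs_method(wp_root: Path, script_uid: Optional[int] = None) -> str:
    """'direct' if a file this process creates in wp-content has the same owner
    as the WordPress scripts, else 'ftpext' (WordPress's FTP fallback)."""
    wp_root = Path(wp_root)
    if script_uid is None:  # stands in for PHP's getmyuid(): owner of the script
        script_uid = (wp_root / "index.php").stat().st_uid
    try:
        # same probe WordPress uses: temp-write-test-<unique> inside the target dir
        with tempfile.NamedTemporaryFile(dir=wp_root / "wp-content",
                                         prefix="temp-write-test-") as probe:
            created_uid = os.fstat(probe.fileno()).st_uid
    except OSError:
        return "ftpext"  # cannot write at all, so direct updates are impossible
    return "direct" if created_uid == script_uid else "ftpext"


def explain(wp_root: Path) -> str:
    """Turn the detection result into the fix you actually need."""
    wp_root = Path(wp_root)
    if detect_fs_method(wp_root) == "direct":
        return "direct: PHP already owns the files, no FS_METHOD override is needed"
    owner = (wp_root / "index.php").stat().st_uid
    return (f"ftpext: the files are owned by uid {owner} but this process runs as "
            f"uid {os.geteuid()}; make the web server user the owner of the "
            f"WordPress tree (or keep the FTP method) rather than forcing 'direct'")


def make_fake_wp_root(parent: Path) -> Path:
    """Constructed minimal WordPress layout for the offline demonstration."""
    root = Path(parent) / "wordpress"
    (root / "wp-content").mkdir(parents=True)
    (root / "index.php").write_text("<?php // placeholder\n")
    return root


def demo(script_uid: Optional[int] = None) -> str:
    """Detection against a throwaway layout owned by this process; pass a
    different script_uid to simulate files owned by another account."""
    with tempfile.TemporaryDirectory() as tmp:
        return detect_fs_method(make_fake_wp_root(Path(tmp)), script_uid)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(explain(Path(sys.argv[1])))
    else:
        print("files owned by us:          ", demo())
        print("files owned by someone else:", demo(script_uid=-1))
```

If the script reports 'direct' when run as the web server user, WordPress would already update without prompting and the define is redundant; if it reports 'ftpext', the ownership mismatch is the real cause, and adding the define only makes updates succeed once the web server user can write the files anyway.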


Disable WordPress Auto Updates

The new auto update feature that arrived in one of the recent releases of WordPress may seem like a good thing on the surface, but it can cause terrible problems. I recently had one of my websites completely destroyed because of an auto update that was applied. Ask anyone who has been around IT for a while and they will tell you that the first thing you should do before applying a software update is take a full backup of your files and your database. When you are using auto update it just does it for you and you don’t have the opportunity to take the backup first. I would always recommend applying software updates to a test environment first, to make sure that they are not going to break anything, before applying them to your main production website.

Here is how you turn the auto updates off. Go into your wp-config.php file in your website root directory and add the following lines down towards the bottom of the file, just before the line that says “That’s all, stop editing!”. Be aware that this constant switches off every automatic update, including the minor security releases that WordPress installs on its own by default, so you take on the job of applying those promptly yourself:

/** Disable Auto Updates of the WordPress software */
define( 'AUTOMATIC_UPDATER_DISABLED', true );

WordPress Permalinks causing a 403 Forbidden error when accessing all pages

I recently built this site on a little DigitalOcean.com “Droplet” server and went through the process of manually building a WordPress environment from scratch. It was the first time that I have ever installed WordPress this way and on the whole it went very well. Digital Ocean has published a number of excellent instructional “how-to” documents and the one I followed was “How to install WordPress on Ubuntu 14.04”. The process went very smoothly right up to the point where I changed the Permalink setting so that the URL was built using the Page Name rather than the page number. As soon as I did this the whole system locked up and I kept getting the “403 Forbidden” message no matter what I tried to do.

The problem came down to the .htaccess file (a hidden file in the root directory of the website) that WordPress generates when you make this Permalink change. The generated .htaccess file is:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

The solution came down to adding an extra line of code in the .htaccess file so that the final file looked like:

<IfModule mod_rewrite.c>
Options +FollowSymlinks
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

Once I added the “Options +FollowSymlinks” line the 403 Forbidden problem went away. The reason is that Apache refuses to apply RewriteRule directives from a .htaccess file unless the directory has FollowSymLinks or SymLinksIfOwnerMatch enabled, and it reports that refusal as a 403 (the error log says “Options FollowSymLinks or SymLinksIfOwnerMatch is off which implies that RewriteRule directive is forbidden”). Two caveats: setting Options from .htaccess only works when the server’s AllowOverride for that directory includes Options, otherwise you get a 500 instead, so the cleaner fix is to set Options and AllowOverride in the site’s virtual host configuration; and on a shared host SymLinksIfOwnerMatch is the safer choice, because it stops Apache following symlinks that point at files owned by somebody else while still satisfying mod_rewrite.

Copyright © 2024 WordpressNotes.org.