
How we secured our wp-admin from unauthorized users

wp-admin, the WordPress admin dashboard, is the control panel for your entire WordPress site. It’s where you create, update, and manage your content, add functionality with plugins, change the style and fonts, and do much more.

According to a report by W3Techs, WordPress powers 43.2% of websites on the internet in 2022. In terms of popularity, 65.2% of all websites using a content management system (CMS) use WordPress.

Serial no. | Content management system (CMS) | Usage | Change since May 1, 2022 | Market share | Change since May 1, 2022
1 | WordPress | 43% | | 64.2% |
2 | Shopify | 4.2% | -0.1% | 6.3% | -0.2%
3 | Wix | 2.3% | | 3.4% |
4 | Squarespace | 2.0% | | 3.0% |
5 | Joomla | 1.6% | -0.1% | 2.5% |

Although WordPress is the most popular CMS on the internet, it is also the most attacked. In 2020 alone, Wordfence reported more than 90 billion malicious login attempts from over 57 million unique IP addresses.

The common method of protecting wp-admin

Apart from using strong passwords, enabling two-factor authentication and custom login URLs, another common approach is restricting access by IP address: a list of allowed IP addresses is whitelisted on the server.

The problem with this approach is that it doesn’t scale for larger teams, and when several blogs have to be managed, maintaining the lists becomes even harder.

How we solved this problem

At Freshworks, we had more than 10 blog instances running, 8 of which ran under freshworks.com with deeply nested URLs, and more than 100 users managing the content. Whitelisting and maintaining IP addresses on the application servers was therefore impractical.

So instead of whitelisting on the server, we blocked all requests to /wp-admin at the load balancer itself, so no one can reach the application servers directly.

We still needed to give the marketing team access to wp-admin. One option is to access the application server directly with a hosts-file mapping, but for non-technical users such as the marketing team, content writers, and the SEO team, turning host mapping on and off to reach the website CMS and the blog CMS was cumbersome.

To overcome this, we created a backdoor URL that can be accessed only through our VPN, in which we allowed access to /wp-admin, so for every blog instance we configured the following two domains:

  • Public URL: This is for public users; /wp-admin in the public URL is completely blocked for all users.
    Sample URL www.freshworks.com/blog/
  • Backdoor URL: This URL is only for the internal team and can be accessed only through our VPN.
    Sample URL content-admin.freshworks.com

Layer name | Inbound requests | Outbound requests | Description
Caching layer | 1. Accepts requests to ports 80 and 443 from the internet. | All | Once the caching layer receives a request, it reverse-proxies it to the application layer. All admin URLs are blocked in this layer to prevent access to wp-admin from outside the office network.
Application layer | 1. Accepts requests to ports 80 and 443 from the VPN. 2. Accepts requests to port 80 from the caching layer. | All | Once a request is received on port 80, NGINX reverse-proxies it to the php-fpm process running on port 9000.
Database layer | 1. Accepts requests to port 3306 from the application layer. | All | Accepts requests only from the application servers.

How we served the same blog for two domains

WordPress URLs are absolute URLs. When WordPress is installed, the siteurl and home values are saved in the wp_options table with the given domain name.

option_id | option_name | option_value | autoload
1 | siteurl | http://localhost/blog | Yes
2 | home | http://localhost/blog | Yes
3 | blogname | Test blog | Yes
4 | blogdescription | Just another WordPress site | Yes
5 | users_can_register | 0 | Yes
6 | admin_email | [email protected] | Yes

For every request, the home URL is prepended to generated links. So if multiple domains serve the same WordPress instance, only the homepage is shown for each domain; as soon as the user navigates to any other page, they are redirected to the home URL value stored in the database (DB).

To make it work for multiple domains, we tweaked the wp-config.php file to serve siteurl and home URL from the current host instead of the static value saved in the wp_options table.

In wp-config.php we define WP_HOME and WP_SITEURL as constants and assign them the current host address as their value, so siteurl and home become dynamic and relative to the current domain. Once this is in place, a single WordPress instance can be accessed from any number of domains.
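As an added example (not the Freshworks snippet, which the post does not reproduce), here is one way to write that wp-config.php override so that the host is read from the request but only accepted if it is one of the two configured domains; the host names are the sample URLs from this post, while the /blog path and the X-Forwarded-Proto header set by the caching layer are assumptions.

```php
<?php
// Added example: derive WP_HOME / WP_SITEURL from the request host, but only
// after checking it against the two domains this instance is meant to serve.
// Hosts taken from the post's sample URLs; BLOG_PATH is an assumption.
const ALLOWED_HOSTS = ['www.freshworks.com', 'content-admin.freshworks.com'];
const BLOG_PATH     = '/blog';

// Returns the request host if it is allowlisted, otherwise the fallback.
// HTTP_HOST is client-controlled: strip any ":port" and compare case-insensitively.
function resolve_blog_host(array $server, array $allowed, string $fallback): string
{
    $host = strtolower(explode(':', $server['HTTP_HOST'] ?? '', 2)[0]);
    return in_array($host, $allowed, true) ? $host : $fallback;
}

// Picks the scheme. Behind the caching layer TLS is terminated upstream and the
// app server sees port 80, so we rely on X-Forwarded-Proto (assumed to be set
// by the caching layer and not reachable from the internet directly).
function resolve_scheme(array $server): string
{
    $forwarded = strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '');
    $direct    = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    return ($forwarded === 'https' || $direct) ? 'https' : 'http';
}

function build_site_url(array $server, array $allowed, string $fallback, string $path): string
{
    return resolve_scheme($server) . '://'
        . resolve_blog_host($server, $allowed, $fallback) . $path;
}

// The uncontrolled variant, for contrast, would trust the Host header as-is:
//   define('WP_HOME', 'https://' . $_SERVER['HTTP_HOST'] . BLOG_PATH);
// A spoofed Host header would then end up in every generated link.

$blogUrl = build_site_url($_SERVER, ALLOWED_HOSTS, ALLOWED_HOSTS[0], BLOG_PATH);
if (!defined('WP_HOME')) {
    define('WP_HOME', $blogUrl);
}
if (!defined('WP_SITEURL')) {
    define('WP_SITEURL', $blogUrl);
}
```

With this in place a request to content-admin.freshworks.com gets links built on that host, while any unexpected Host value falls back to the public domain instead of being reflected into the site's URLs.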

Note: Plugins like YARPP work properly with this setup. However, any plugin or implementation that saves the absolute URL in the database won’t work well in this setup.

The post How we secured our wp-admin from unauthorized users appeared first on Thoughts on Refreshing Business Software.



This post first appeared on Customer Support Software Blogs | Freshdesk.
