Penetration testing – It is recommended that access to this portal is prevented via the Internet

We have done some penetration testing on a WordPress site and one of the issues that has been returned is:

An administration portal is accessible via the Internet

  • It is recommended that access to this portal is prevented via the Internet

As the site is a web-based CMS, is this even possible to fix? This is not my area of expertise and I'm struggling to find a way to fix this.

Can anyone help?

Thanks

2 comments

  1. It is recommended that access to this portal is prevented via the Internet

    That’s too vague of a point, and that’s the fault of the people doing the pentest and the pentest software.

    But start with http://codex.wordpress.org/Brute_Force_Attacks and http://codex.wordpress.org/Hardening_WordPress

    In order to restrict access to the admin area by whitelisting IPs 12.345.67.891 and 23.456.78.99 for admin access, in the .htaccess in wp-admin add:

    # wp-admin/.htaccess (Apache 2.2 mod_access syntax; Apache 2.4 only honours
    # order/deny/allow when mod_access_compat is loaded)
    Options All -Indexes
    
    # Deny everyone, then allow only the listed addresses. The two addresses
    # below are placeholders (their octets are not valid IPv4): replace them
    # with the real admin source IPs or CIDR ranges.
    order deny,allow
    deny from all
    allow from 12.345.67.891
    allow from 23.456.78.99
    

    In the root .htaccess

    # Root .htaccess: apply the same allow-list to the login form itself.
    # Same placeholder addresses as above; substitute the real ones.
    <Files wp-login.php>
    order deny,allow
    deny from all
    allow from 12.345.67.891
    allow from 23.456.78.99
    </Files>
    

    If you calculate the range, you can also use a CIDR block, e.g. 12.345.67.0/24

    You can also obscure the fact that you are using WordPress (not an ideal solution), be sure your hosting situation is secure, and try other best practice suggestions at those links to the Codex.

    And see https://wordpress.stackexchange.com/questions/tagged/security
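The commenter's directives use the Apache 2.2 access-control syntax. As an added example, not part of the original comment, here is the same restriction written for Apache 2.4's mod_authz_core (`Require ip`), with one extra exception that the original fragments lack: `wp-admin/admin-ajax.php` is left reachable, because themes and plugins call it from the public site for logged-out visitors, and an IP allow-list on the whole `wp-admin/` directory silently breaks that front-end functionality. The addresses `203.0.113.10`, `198.51.100.0/24` and `2001:db8::/32` are documentation-range placeholders, not real admin addresses.

```apache
# --- root .htaccess -------------------------------------------------------
# Gate the login form: only the listed source addresses may even reach it.
# Placeholders below; replace with the real admin IPv4/IPv6 addresses or ranges.
<Files "wp-login.php">
    Require ip 203.0.113.10 198.51.100.0/24 2001:db8::/32
</Files>

# --- wp-admin/.htaccess ---------------------------------------------------
# No directory listings, and the same allow-list for the whole dashboard.
Options All -Indexes
Require ip 203.0.113.10 198.51.100.0/24 2001:db8::/32

# Exception: admin-ajax.php is the public AJAX endpoint used by themes and
# plugins for anonymous visitors. With AuthMerging at its default (Off), the
# Require in this more specific <Files> section replaces the directory-level
# Require above, so this file stays open while everything else is gated.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Two checks worth doing before relying on this: first, confirm the server actually runs 2.4 and that `AllowOverride` permits `.htaccess` in both locations (otherwise the directives are ignored and the portal stays exposed); second, if the site sits behind a reverse proxy, load balancer or CDN, Apache sees the proxy's address rather than the client's, so `Require ip` will either lock everyone out or let everyone through unless mod_remoteip is configured to trust the proxy's forwarded-client header. If the admin IPs are not static, a VPN with a fixed egress address, or doing the restriction at the firewall in front of the web server, is the usual way to satisfy this finding.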

  2. As far as I know, you cannot restrict it in the way you want. But you can do something like allowing admin access to a specific user by IP address. For example, if you want no one to access your wp-admin other than you, you can achieve this by specifying your IP in .htaccess.