Comments on: How to secure WordPress admin directory on IIS 7.0 http://ruslany.net/2009/02/how-to-secure-wordpress-admin-directory-on-iis-70/ IIS, FastCGI, PHP and other interesting stuff Fri, 12 Mar 2010 03:11:05 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: John http://ruslany.net/2009/02/how-to-secure-wordpress-admin-directory-on-iis-70/comment-page-1/#comment-1523 John Wed, 09 Dec 2009 16:09:49 +0000 http://ruslany.net/?p=199#comment-1523 Ruslany, You were right, I did not have URL authorization enabled, and I got confused because I was using VS development server alongside IIS7 (http://www.4guysfromrolla.com/articles/122408-1.aspx cleared this up for me) and the behavior was different for each. So, I am beginning to understand now, but I have a follow up question. Does plugging the asp.net modules into the pipeline (i.e. removing and then adding FormsAuthenticationModule) also enable authentication on static content through the system.web authentication rule? If so, what is the advantage to using the system.webServer namespace? Thanks again. John Ruslany,
You were right, I did not have URL authorization enabled, and I got confused because I was using VS development server alongside IIS7 (http://www.4guysfromrolla.com/articles/122408-1.aspx cleared this up for me) and the behavior was different for each. So, I am beginning to understand now, but I have a follow up question. Does plugging the asp.net modules into the pipeline (i.e. removing and then adding FormsAuthenticationModule) also enable authentication on static content through the system.web authentication rule? If so, what is the advantage to using the system.webServer namespace? Thanks again.
John

]]> By: ruslany http://ruslany.net/2009/02/how-to-secure-wordpress-admin-directory-on-iis-70/comment-page-1/#comment-1521 ruslany Tue, 08 Dec 2009 21:14:52 +0000 http://ruslany.net/?p=199#comment-1521 @ John, a possible reason why this does not work is if you do not have IIS URL Authorization module installed and enabled. Open the Server Manager, go to Roles node and then find the Role Services list. In that list check if URL Authorization is installed. @ John, a possible reason why this does not work is if you do not have IIS URL Authorization module installed and enabled. Open the Server Manager, go to Roles node and then find the Role Services list. In that list check if URL Authorization is installed.

]]> By: John http://ruslany.net/2009/02/how-to-secure-wordpress-admin-directory-on-iis-70/comment-page-1/#comment-1519 John Tue, 08 Dec 2009 17:43:14 +0000 http://ruslany.net/?p=199#comment-1519 Hello, I am confused about the location element. For some reason, the following does not work for me (I am using this technique to secure a PhpMyAdmin site): <location path="3_2_4"> <system.webServer> <security> <authorization> <add accessType="Deny" users="?" /> </authorization> </security> </system.webServer> </location> But the following does work: <location path="3_2_4"> <system.web> <authorization> <deny users="?" /> </authorization> </system.web> </location> I thought that in integrated pipeline mode, that the system.webServer namespace was the one that was in charge of securing all files (php,jpg etc), but in my case only system.web works. Can you clarify please? Sorry for the double post, I forgot to encode the first one. Much appreciated. John Hello,
I am confused about the location element. For some reason, the following does not work for me (I am using this technique to secure a PhpMyAdmin site):
<location path="3_2_4">
<system.webServer>
<security>
<authorization>
<add accessType="Deny" users="?" />
</authorization>
</security>
</system.webServer>
</location>

But the following does work:
<location path="3_2_4">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>

I thought that in integrated pipeline mode, that the system.webServer namespace was the one that was in charge of securing all files (php,jpg etc), but in my case only system.web works. Can you clarify please? Sorry for the double post, I forgot to encode the first one. Much appreciated.
John

]]> By: avn http://ruslany.net/2009/02/how-to-secure-wordpress-admin-directory-on-iis-70/comment-page-1/#comment-1501 avn Mon, 30 Nov 2009 20:47:09 +0000 http://ruslany.net/?p=199#comment-1501 update this behavior is only in Firefox and not in IE (this is why on the server is working fine as I used the IE) it seems it is a bug/feature:) in how the flash in browser treat cookies needed by IIS. Anyway the issue still remain... update
this behavior is only in Firefox and not in IE (this is why on the server is working fine as I used the IE) it seems it is a bug/feature:) in how the flash in browser treat cookies needed by IIS.
Anyway the issue still remain…

]]> By: avn http://ruslany.net/2009/02/how-to-secure-wordpress-admin-directory-on-iis-70/comment-page-1/#comment-1500 avn Mon, 30 Nov 2009 20:02:04 +0000 http://ruslany.net/?p=199#comment-1500 Hi, nice and useful. Now I followed your instructions and get a secure wp-admin. I have a issue. If I tried to upload a file through new-media.php in flash mode it asking me a login in a window after showing progress on file upload. when giving credentials give me the famous webconfig uncustomized error. In normal mode is working fine.also direct from server is working fine in both modes. I suppose that this is due to flash uploader not sending the cookie to server. Any ideea? Hi,
nice and useful.
Now I followed your instructions and get a secure wp-admin. I have a issue. If I tried to upload a file through new-media.php in flash mode it asking me a login in a window after showing progress on file upload. when giving credentials give me the famous webconfig uncustomized error. In normal mode is working fine.also direct from server is working fine in both modes.
I suppose that this is due to flash uploader not sending the cookie to server.
Any ideea?

]]> By: ruslany http://ruslany.net/2009/02/how-to-secure-wordpress-admin-directory-on-iis-70/comment-page-1/#comment-1385 ruslany Sat, 17 Oct 2009 23:07:34 +0000 http://ruslany.net/?p=199#comment-1385 @Chris: Thanks for your comment - these are very valid questions/issues. Let me try to answer them one by one: 1. The reason I choose not to use built-in IIS basic authentication is because it relies on the built-in Windows accounts, which makes this option not feasible in a shared hosting environment. Plus with basic authentication the base64 encoded password is sent on every request, while with FBA the password is sent on a login request only, while all the other requests use session cookie. So basic auth may be actually less secure because the password is exposed on the wire for longer time. 2. You could encrypt the xml file with the password if you want to, but since it is located in App_Data folder it is already protected by IIS Request Filtering module and hence will not be exposed to the site visitors. 3. Using SSL is the best option of course, but again it is not always possible in a shared hosting environment. If you used SSL then it would not even be necessary to use this extra protection with FBA. 4. Yes, it is very recommended to use different user name and password for the WordPress and FBA. In fact that's what I use on my site. I will update the article to make it clear. Overall, this kind of protection is not super strong, but it is better than nothing, especially if somebody uses shared hosting environment for their WordPress blog. @Chris: Thanks for your comment – these are very valid questions/issues. Let me try to answer them one by one:

1. The reason I choose not to use built-in IIS basic authentication is because it relies on the built-in Windows accounts, which makes this option not feasible in a shared hosting environment. Plus with basic authentication the base64 encoded password is sent on every request, while with FBA the password is sent on a login request only, while all the other requests use session cookie. So basic auth may be actually less secure because the password is exposed on the wire for longer time.
2. You could encrypt the xml file with the password if you want to, but since it is located in App_Data folder it is already protected by IIS Request Filtering module and hence will not be exposed to the site visitors.
3. Using SSL is the best option of course, but again it is not always possible in a shared hosting environment. If you used SSL then it would not even be necessary to use this extra protection with FBA.
4. Yes, it is very recommended to use different user name and password for the WordPress and FBA. In fact that’s what I use on my site. I will update the article to make it clear.

Overall, this kind of protection is not super strong, but it is better than nothing, especially if somebody uses shared hosting environment for their WordPress blog.

]]> By: Chris http://ruslany.net/2009/02/how-to-secure-wordpress-admin-directory-on-iis-70/comment-page-1/#comment-1384 Chris Sat, 17 Oct 2009 22:07:18 +0000 http://ruslany.net/?p=199#comment-1384 Interesting idea but I have some issues/questions: Why wouldn't you use the built-in Basic Authentication for this? Using the IIS GUI you can configure the wp-admin folder for basic authentication and leverage the built in Windows accounts instead of keeping them in a file on your computer. You don't mention anything about encrypting the user xml file. This should be done to prevent accidential exposure from a number of possibilities. Also, you don't mention anything about using SSL, having not one, but two forms based authentication interchanges over http instead of https. In IIS 7.0/7.5 you can use the built-in URL Rewriter to switch all calls to the wp-admin and wp-login path over to https... You also don't mention anything about using different account/passwords for Wordpress and for your FBA... I would guess that many users would simply use the same credentials for both, making it pointless to have multiple credential challenges. Over all it's an interesting idea but I think you might want to spend some more time polishing off the recommendation. Interesting idea but I have some issues/questions:

Why wouldn’t you use the built-in Basic Authentication for this? Using the IIS GUI you can configure the wp-admin folder for basic authentication and leverage the built in Windows accounts instead of keeping them in a file on your computer.

You don’t mention anything about encrypting the user xml file. This should be done to prevent accidential exposure from a number of possibilities.

Also, you don’t mention anything about using SSL, having not one, but two forms based authentication interchanges over http instead of https. In IIS 7.0/7.5 you can use the built-in URL Rewriter to switch all calls to the wp-admin and wp-login path over to https…

You also don’t mention anything about using different account/passwords for Wordpress and for your FBA… I would guess that many users would simply use the same credentials for both, making it pointless to have multiple credential challenges.

Over all it’s an interesting idea but I think you might want to spend some more time polishing off the recommendation.

]]> By: DoYouKnow.IN http://ruslany.net/2009/02/how-to-secure-wordpress-admin-directory-on-iis-70/comment-page-1/#comment-1284 DoYouKnow.IN Tue, 15 Sep 2009 10:51:32 +0000 http://ruslany.net/?p=199#comment-1284 How to secure non-Admin Directory? How to secure non-Admin Directory?

]]> By: ruslany http://ruslany.net/2009/02/how-to-secure-wordpress-admin-directory-on-iis-70/comment-page-1/#comment-306 ruslany Thu, 19 Feb 2009 03:17:55 +0000 http://ruslany.net/?p=199#comment-306 Update: if you use URL rewriter to enable pretty permalinks in WordPress, then it may cause some javascript errors on login.aspx page. To prevent those errors, modify the rewrite rule for WordPress permalinks as below: <code><rule name="Wordpress" patternSyntax="Wildcard"> <match url="*" /> <conditions> <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" /> <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" /> <add input="{URL}" negate="true" pattern="*.axd" /> </conditions> <action type="Rewrite" url="index.php" /> </rule></code> Update: if you use URL rewriter to enable pretty permalinks in WordPress, then it may cause some javascript errors on login.aspx page. To prevent those errors, modify the rewrite rule for WordPress permalinks as below:

<rule name="Wordpress" patternSyntax="Wildcard">
<match url="*" />
<conditions>
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
<add input="{URL}" negate="true" pattern="*.axd" />
</conditions>
<action type="Rewrite" url="index.php" />
</rule>

]]>