WordPress flash uploader not working
Here’s a little nugget which may help you if you’ve tightened up the security on your blog only to find some things (in this case, the flash uploader) don’t work.
So, you’ve been careful, you’ve downloaded the security scan plugin from Semper Fi Web Design and you’ve followed all the advice it provides… your blog is nice and secure. Although you may not now be able to login as administrator, but that’s a different problem which took out one of the blogs I look after and, from the looks of the posts I’ve read, several others… anyhow, that’s a story for someone else to tell… unless you’re desperate and you can’t login to your blog, in which case, do a search for force-upgrade or force-update, as that fixed it for me and allowed me to login as admin (although some other users have reported that whilst that worked, it didn’t restore their admin rights… there are posts around about that too). Anyhow, I digress…
The advice from Semper Fi about securing your blog includes securing the wp-admin folder so that authentication is required to execute the PHP scripts it contains. Great advice; unfortunately, what they don’t do is give a good example of what to drop in your .htaccess file to protect your wp-admin directory. So, if like me, you have half a clue (we’ll come onto the missing half shortly), you’ll run a search and find either the information you need to secure it or an example. You’ll implement the change and everything will be sweet… or so you think.
Time will tick by and one day you’ll want to post an update which includes some media… you’ll try the flash uploader which used to work, and it will suddenly ask you for authentication… you’ll suddenly remember that you’ve updated WordPress (a couple of times), and what else have you changed???? I can’t remember… what could be causing it… ARGH!!!!
Then you’ll remember the authentication fix you added to your .htaccess file, you’ll pop the username and password in there, but still nothing… no matter what you do, it won’t work. And that brings me to that missing half a clue.
The flash uploader struts its funky stuff by calling a script… that script is protected by our .htaccess mod that prevents unauthenticated users from accessing it, and for some reason, the authentication doesn’t appear to work. The answer is to modify the .htaccess file to include a bypass for the script used by the uploader.
So, to get the flash uploader working again, drop this on the end of the .htaccess file that protects the wp-admin directory.
<Files async-upload.php>
Order Allow,Deny
Allow from all
</Files>
Once I did this, and regained my missing half clue, my uploader was fine again. Let’s just pray there are no security holes in that script.
And for the record, let me be 100% clear, I’m not slagging off the security scan plugin. Overall, it’s great, but it does suggest you tighten up the security on the wp-admin directory but then fails to provide a good example of how it’s done (or at least, at the time of writing I can’t find a good example they provide) and I’ve had it knacker one blog and prevent the admin from logging in when it did the database table rename (admittedly, the config file wasn’t writeable but that not being writeable and the administrator losing their admin rights… I fail to see how the two are linked). That did cause me a major headache, but overall, the plugin does a great job, but some aspects of it are a little flakey, but it is still under development, so hopefully they’ll get all the little teething troubles sorted. Then it will be a fantastic plugin.
And just in case you are looking for a complete example of securing the wp-admin directory… here’s my .htaccess file (suitably tweaked to keep some things secret).
<Files ~ "\.(php)$">
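# Placeholder path: replace with the full path to your password file
AuthUserFile /full/path/to/your/password-file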
AuthType Basic
AuthName "Athena's Pad - Admin Area"
Order Deny,Allow
Deny from all
Require valid-user
Satisfy any
</Files>
<Files async-upload.php>
Order Allow,Deny
Allow from all
</Files>
So, to use this, create .htaccess in the wp-admin directory and drop this into it. Provide the full path to your password file (see the Apache documentation about htaccess and creating password files for information about creating them) and that should be it… for obvious reasons, your password file should not be accessible via the webserver.
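An added example, not part of the original post: a small Python check that lists the `<Files>` sections of a wp-admin .htaccess that open access to every host without asking for a login, so that a carve-out like the one for async-upload.php stays deliberate and visible. It is a heuristic over the file's text and does not emulate how Apache merges sections; the sample path, the `approved` list and the function names are assumptions.

```python
import re

# Constructed sample: the .htaccess from the post, with a placeholder password-file path.
SAMPLE = r'''
<Files ~ "\.(php)$">
AuthUserFile /placeholder/path/to/password-file
AuthType Basic
AuthName "Admin Area"
Order Deny,Allow
Deny from all
Require valid-user
Satisfy any
</Files>
<Files async-upload.php>
Order Allow,Deny
Allow from all
</Files>
'''

# Directives that open a section to every host (Apache 2.2 and 2.4 spellings).
OPEN = re.compile(r"^(allow\s+from\s+all|require\s+all\s+granted)$", re.I)
# Directives that demand a login inside the section.
LOGIN = re.compile(r"^require\s+(valid-user|user|group)\b", re.I)

def files_sections(text):
    """Yield (pattern, [directives]) for every <Files ...> section."""
    pattern, body = None, []
    for line in (l.strip() for l in text.splitlines()):
        start = re.match(r"^<Files\s+(.+)>$", line, re.I)
        if start:
            pattern, body = start.group(1).strip(), []
        elif line.lower() == "</files>" and pattern is not None:
            yield pattern, body
            pattern = None
        elif pattern is not None and line and not line.startswith("#"):
            body.append(line)

def auth_bypasses(text):
    """Patterns whose section opens access to all hosts and asks for no login."""
    return [p for p, body in files_sections(text)
            if any(OPEN.match(d) for d in body)
            and not any(LOGIN.match(d) for d in body)]

def unexpected_bypasses(text, approved=("async-upload.php",)):
    """Bypasses that are not on the approved list (a hypothetical local policy)."""
    return [p for p in auth_bypasses(text) if p not in approved]

if __name__ == "__main__":
    print("bypasses:", auth_bypasses(SAMPLE))
    print("unexpected:", unexpected_bypasses(SAMPLE))
```

Run it against the real file after each change to wp-admin/.htaccess; anything reported as unexpected is a script that has lost its password prompt.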



That fix was just what I needed thanks!!
I was going through WordPress support and nothing they had going over there was working… but poof! allow the script and everything is golden
Thanks again!
You’re welcome, the effort of writing a little post was worth it