WordPress: Prevent access to wp-login.php when the wp-admin directory has already been protected

The problem: You’ve used .htaccess / .htpasswd to restrict access to the wp-admin directory of your WordPress installation. However, when someone accesses wp-login.php, they can simply click “cancel” or press the escape key in the authentication dialog to reach the WordPress login page:

Click on “Cancel” here…
…and you still reach the WordPress login page (doesn’t look great, but works).

The solution

You also have to explicitly protect the wp-login.php file. Open the .htaccess file in the root directory (not in the wp-admin directory) and add something like this1:

AuthType Basic
AuthUserFile "path/to/.htpasswd"
require valid-user

You’ll have to replace path/to/.htpasswd with the path to your .htpasswd file (which should exist if you’ve already restricted access to your wp-admin directory).

Now, if someone cancels the authentication dialog, they’ll be directed to the default “Error 401” page:

Detailed information on authentication on Apache servers can be found in the official documentation. While there are lots of terrible articles out there which only regurgitate incomplete information for SEO purposes, I did find a comprehensive tutorial on how to protect wp-login.php and the wp-admin directory here.

Note: You may still want to install a WordPress security plugin like Cerber. This is how I discovered that I had forgotten to protect wp-login.php on one of my websites.


1 Wondering why I didn’t include the AuthName directive? The text is not shown in Chromium-based browsers.

Testing malware scanning tools with a hacked website

Some restaurant websites in Luxembourg are poorly designed and make it difficult to find important information (such as the opening hours, the address or perhaps a menu that has been updated in this decade). What happened yesterday was even more confusing: I was immediately redirected to a suspicious page that claimed to conduct a survey.

This is not a restaurant

This is a so-called malicious redirect. The goal is usually to generate ad revenue for the hacker or to try to install malware on the vistor’s computer. I took this opportunity to test several tools which claim to be able to scan websites for vulnerabilities and malware. You’ll find the results below. Of course, I also notified the restaurant.

Notes:

  • I didn’t hack the website.
  • It’s not my website, which means I couldn’t test any popular tools which have to execute code on the server (e.g. MalCare, WordFence, WP Cerber Security). These tools may be more powerful although a malicious redirect should also be detected by external scans.
  • This is obviously not a comprehensive test. I’m also not a security expert.

Google Safe Browsing

There’s nothing wrong with the website according to Google. However, the report was last updated on March 29, 2019 and it’s likely the website was fine then.

Hackercombat

Hackercombat Website screenshot

Hackercombat asks for a name, business email and phone number before sending you the result of the security scan. The email I received confirmed that the “website has been affected by malware” and offered a link to a page with general information and a “100% free” malware cleanup service.

Quttera

Quttera‘s results were inconsistent. The website was first rated as clean. Shortly afterwards, it was classified as suspicious in a second scan:

Quttera screenshot clean
Quttera screenshot suspicious

The detailed report did not clearly identify the issue as a malicious redirect.

ReScan.pro

ReScan.pro report screenshot

ReScan.pro consistently identified the malicious redirect and made it very clear that the website has critical issues.

SiteGuarding

Siteguarding report

All that SiteGuarding’s malware scanner tells us is that the website was already blacklisted by Yandex Safebrowsing. Note: This scan and the second Sucuri scan were executed several hours after the other scans.

Sucuri

At first, Sucuri‘s external scan failed to detect the malicious redirect and claimed that no malware was found. It did complain about HTTPS mixed content which may have been a consequence of the redirect:

Sucuri Scan results morning

When re-testing the website several hours later, the report looked quite different:

To make matters more confusing, it seems that the restaurant’s webmaster was already working on fixing the issue at this time (you can see in the second report that the CMS was now listed as “unknown”).

Web Inspector

app.webinspector.com screenshot

I gave up on Web Inspector as it was still “waiting [for] a free detection server” more than 8 hours after I first submitted the URL.

Conclusion

The results are not entirely satisfying. While I didn’t expect an external scan to be able to tell me how the malicious redirect was implemented, it seems that most of the tools had difficulties detecting the redirect at all. Only ReScan.pro managed to quickly and consistently identify the issue while also giving me immediate access to the report.

To put it in another way, when I notified the restaurant, the only report I could include to show that this was indeed a problem on their side was the one provided by ReScan.pro. Quttera and Sucuri did not show (clear) warnings at the time, Hackercombat did not give me immediate access to their report and Web Inspector was useless.

Solution: Your administrator has blocked this application because it potentially poses a security risk to your computer

The Problem: Your administrator has blocked this application…

You’re trying to install a ClickOnce application and get an error message saying: “Your administrator has blocked this application because it potentially poses a security risk to your computer”:
Your administrator has blocked this application because it potentially poses a security risk to your computer

You are the administrator and don’t remember blocking any applications (if you’re not the admin, contact them instead of reading this article).

The reason this is happening

The ClickOnce trust prompt is disabled on your operating system, so instead of a dialog (prompt) which allows you to either proceed with the installation or not, you just get the message above.

The solution

You can change the ClickOnce trust prompt behavior by editing the registry subkeys under:

\HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel

There should be five subkeys, one for each security zone:
Registry trustmanager promptinglevel

Each subkey can have one of the following values:

  • Disabled: No trust prompt is shown, instead you get the error message above.
  • Enabled: A trust prompt is shown.
  • AuthenticodeRequired: A trust prompt is shown only for signed applications (other applications cannot be installed).

Trust prompt example

If the application you’re trying to install has been published on the Internet, you’ll want to set the Internet subkey to “Enabled” (or to “AuthenticodeRequired” if the application has been digitally signed). You should then see a trust prompt instead of the “your administrator has blocked this application” error:
Trust Prompt - do you want to install this application

Free Trust Prompt Tool

As an alternative to editing the registry manually, you can also use a free trust prompt tool I wrote:
Trust Prompt Tool

It allows you to easily display and modify the trust prompt configuration.

Notes:

  • If you don’t trust yourself or other people using your PC, you can change the respective zone setting back to “Disabled” after installing the ClickOnce application. The trust prompt configuration has no effect on installed applications and their updates.
  • You could also add the publisher’s site to your trusted sites and only enable trust prompts for the TrustedSites subkey.
  • Are you wondering why all your trust prompt settings have been changed to “Disabled”? Unfortunately, I have no idea. I’ve had this happen on multiple PCs and I’m pretty sure I didn’t do this myself.

New Admin Email Address message from WordPress – a bug, not a breach

I woke up today to the following message concerning three of my blogs:

Howdy <wp.com username>,

You recently requested to have the administration email address on
your site changed.

If this is correct, please click on the following link to change it:
<blog URL>/wp-admin/adminemail/<hash>/

You can safely ignore and delete this email if you do not want to
take this action.

This email has been sent to <my email>

Regards,
All at <blog name>
<blog URL>

I was fairly sure I had not requested any changes to my admin email in the middle of the night. Could someone have hacked three of my blogs, hosted with three different providers, including one important blog (obviously not this one) protected by several additional security measures?

Furthermore, why was the pending change not shown in the user profile? Unconfirmed email changes should look like this:
WordPress pending email change

Finally, as far as I understand, these emails would be sent to the new admin email address, not the old one, making a hack even more unlikely.

As it turns out, it was a bug in Jetpack. WordFence has more details.

How to add a URL to the Java Exception Site List file

On one of our computers, the Security Tab in the Java Control Panel sometimes looks like this:
Java Control PanelAs you can see, the part required to manage the exception site list is missing/not accessible. I have no idea why (reinstalling Java did not help).

However, you can also add exceptions by directly editing the exception.sites file. Under Win 7, it is normally found in the C:\Users\*YOUR USERNAME*\AppData\LocalLow\Sun\Java\Deployment\security directory. Simply add a new line for each URL (e.g. https://stupdidbank.example.com), save the file, then restart the browser.

See this page or the official Java documentation for further information.