WordPress powers approximately 32% of the top one million websites on the internet. Despite its widespread adoption, it has many widely known security vulnerabilities.
A common attack vector against WordPress sites is an attacker gaining access to the WordPress admin dashboard (/wp-admin). Admins can use Apache .htaccess rules to deny access to /wp-admin from every source except localhost. That improves security, but it also locks the admins themselves out of the dashboard.
Fortunately, remote.it lets us reach the WordPress admin dashboard while it stays blocked to the outside world. In this guide we'll deploy an AWS EC2 instance running WordPress, lock down /wp-admin with .htaccess rules, and open a proxy connection to the dashboard through remote.it.
A remote.it account. If you don't have one, sign up on remote.it first.
An AWS account with EC2 privileges.
We'll be using an AWS EC2 instance to deploy our WordPress site. Specifically, we'll be using the BitNami WordPress EC2 AMI. This AMI automates the installation and configuration of WordPress.
If you're new to EC2, follow this AWS guide on how to configure and launch your instance. Make sure to select/generate an ssh key pair.
Enter the public IP address of your instance into your browser's address bar.
The page that appears will look something like this
Notice that if you add /admin to the URL you reach the admin login page. This is the exposure we're going to fix: we want to block all public access to this page while still being able to reach it via remote.it.
We're going to use the key pair associated with your instance to connect via SSH. Run the following commands in your terminal, replacing PATH_TO_KEY with the path to your private key and INSTANCE_ADDRESS with the instance's public IP address. The first command restricts the key file's permissions, which ssh insists on before it will use the key. If your AMI documents a different login user than ubuntu, use that instead (Bitnami's own AWS images use bitnami).
chmod 400 PATH_TO_KEY
ssh -i PATH_TO_KEY ubuntu@INSTANCE_ADDRESS
You've now SSHed into the EC2 instance. Now we can start securing the WordPress site.
.htaccess is a directory-level Apache configuration file that, among other uses, can block access to particular resources. In the BitNami WordPress AMI there is a single file, htaccess.conf, that holds this configuration for the entire application (in this layout it lives under /opt/bitnami/apps/wordpress/conf/), and that is the file we'll edit. Despite its name, htaccess.conf is included from the main Apache configuration rather than read per directory, which is why the <Directory> blocks below, which are not permitted in a true .htaccess file, work there. To learn more about the BitNami WordPress AMI project structure, check out the documentation.
Open htaccess.conf in Vim with sudo and add the following block to the bottom of the file.
<Directory "/opt/bitnami/apps/wordpress/htdocs/wp-admin">
    # Block access to wp-admin from all IPs except localhost.
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Directory>
If you also wish to lock down wp-login.php, add the following block to htaccess.conf as well.
<Directory "/opt/bitnami/apps/wordpress/htdocs/">
    <Files "wp-login.php">
        # Block access to wp-login.php from all IPs except localhost.
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </Files>
</Directory>
Save and exit Vim and run the following command to restart the web server.
sudo /opt/bitnami/ctlscript.sh restart
Once the server has restarted, requesting Site_IP/admin from anywhere other than the instance itself returns Apache's 403 Forbidden page instead of the login form.
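Before you rely on the rules above, it is worth knowing exactly which requests they admit. The following Python script is an added example written for this edit, not code from the original guide, from Bitnami, or from remote.it. It parses the two blocks exactly as written above, plus an assumed Apache 2.4 equivalent written with Require, and reports whether a given client address may reach a given URL path. It makes three things visible that the prose does not: under Order deny,allow a request matching neither list is allowed, which is why the Deny from all line is essential; Allow from 127.0.0.1 does not admit the IPv6 loopback ::1, so a local connection that arrives over IPv6 is refused; and the wp-admin block also refuses /wp-admin/admin-ajax.php, which many themes and plugins call from public pages. The docroot path is the one from the guide, the client address 203.0.113.5 is a reserved documentation address standing in for a random visitor, and the ::1 allowance and admin-ajax.php exception in the hardened form are my suggested hardening, not part of the original guide. On Apache 2.4 the Order/Deny/Allow directives are supplied by mod_access_compat; Require is the native 2.4 form.

```python
"""Offline check of the Apache access blocks this guide adds to htaccess.conf.
Added example, not Bitnami, Apache or remote.it code: it parses the subset the
guide uses (<Directory>, <Files>, Order/Deny/Allow) plus Apache 2.4 'Require' and
says whether a client address may reach a URL path. Simplified: the most specific
matching section with access directives wins, and Require lines combine as RequireAny."""
import ipaddress
import posixpath
import re

DOCROOT = "/opt/bitnami/apps/wordpress/htdocs"  # Bitnami's WordPress docroot (from the guide)
ORIGINAL = """
<Directory "/opt/bitnami/apps/wordpress/htdocs/wp-admin">
  Order deny,allow
  Deny from all
  Allow from 127.0.0.1
</Directory>
<Directory "/opt/bitnami/apps/wordpress/htdocs/">
  <Files "wp-login.php">
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
  </Files>
</Directory>
"""
# Assumed hardening in 2.4 syntax (not from the guide): admits the IPv6 loopback
# too and re-opens admin-ajax.php, which plugins call from public pages.
HARDENED = """
<Directory "/opt/bitnami/apps/wordpress/htdocs/wp-admin">
  Require ip 127.0.0.1 ::1
  <Files "admin-ajax.php">
    Require all granted
  </Files>
</Directory>
<Directory "/opt/bitnami/apps/wordpress/htdocs/">
  <Files "wp-login.php">
    Require ip 127.0.0.1 ::1
  </Files>
</Directory>
"""
SECTION_RE = re.compile(r'<(Directory|Files)\s+"?([^">]+?)"?\s*>')


def parse(text):
    """Return a list of (directory, file_name_or_None, directives), one per section."""
    sections, stack = [], []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            kind, arg = m.groups()
            directory = stack[-1][0] if stack else "/"  # <Files> inherits the enclosing <Directory>
            if kind == "Directory":
                directory = posixpath.normpath(arg)
            stack.append([directory, arg if kind == "Files" else None, []])
        elif line.startswith("</"):
            sections.append(tuple(stack.pop()))
        else:
            stack[-1][2].append(line.split())  # e.g. ['Allow', 'from', '127.0.0.1']
    return sections


def _matches(client, spec):
    """'all', a single address, or a CIDR, as Allow/Deny/'Require ip' accept."""
    if spec == "all":
        return True
    return ipaddress.ip_address(client) in ipaddress.ip_network(spec, strict=False)


def _decide(directives, client):
    """Verdict of one section's access directives, or None if it has none."""
    require = [d[1:] for d in directives if d[0] == "Require"]
    if require:  # RequireAny: pass if any line grants; 'Require all denied' grants nobody
        return any((r[0] == "all" and r[1] == "granted")
                   or (r[0] == "ip" and any(_matches(client, s) for s in r[1:])) for r in require)
    order = [d[1].lower() for d in directives if d[0] == "Order"]
    if not order:
        return None
    allowed = any(_matches(client, s) for d in directives if d[0] == "Allow" for s in d[2:])
    denied = any(_matches(client, s) for d in directives if d[0] == "Deny" for s in d[2:])
    if order[-1] == "deny,allow":  # default allow; a matching Allow beats a matching Deny
        return allowed or not denied
    return allowed and not denied  # allow,deny: default deny; a matching Deny beats Allow


def access_allowed(config_text, client, url_path):
    """Would Apache serve url_path to client under this config?"""
    target = posixpath.normpath(DOCROOT + url_path)
    verdict = True  # no section with access directives matched: unrestricted
    # Apache applies <Directory> sections shortest path first, then <Files> sections.
    for directory, fname, directives in sorted(
            parse(config_text), key=lambda s: (s[1] is not None, len(s[0]))):
        if target != directory and not target.startswith(directory.rstrip("/") + "/"):
            continue
        if fname and posixpath.basename(target) != fname:
            continue
        decision = _decide(directives, client)
        if decision is not None:
            verdict = decision  # later, more specific section wins (simplified merge)
    return verdict


if __name__ == "__main__":  # 203.0.113.5 is a documentation address: a random visitor
    for client, path in [("203.0.113.5", "/wp-admin/"), ("::1", "/wp-admin/"),
                         ("203.0.113.5", "/wp-admin/admin-ajax.php")]:
        print(client, path, access_allowed(ORIGINAL, client, path), access_allowed(HARDENED, client, path))
```

If you adopt the hardened form, admin-ajax.php becomes public again, which is the normal WordPress state; the lockdown is aimed at the dashboard and the login page, and the model above confirms those stay closed to anything that does not arrive from the loopback address.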
Congratulations - you've now blocked all incoming public access to your site's admin portal. This takes the login page and dashboard off the public attack surface: credential guessing and attacks on wp-admin now get a 403 from Apache before they reach WordPress. However, we currently have no way to reach the dashboard ourselves. This is where remote.it comes in.
Copy and paste the following three lines into your console to download and install the remote.it connectd package. Don't pass -k (--insecure) to curl here: it disables TLS certificate verification for a script you're about to run as root, and raw.githubusercontent.com serves a valid certificate. Skim auto-install.sh before executing it.
curl -LO https://raw.githubusercontent.com/remoteit/installer/master/scripts/auto-install.sh
chmod +x ./auto-install.sh
sudo ./auto-install.sh
Now, you're ready to run the interactive installer.
Start the connectd installer by running sudo connectd_installer and sign in with your remote.it account.
Enter 1 for "Attach/reinstall a remote.it Service to an application".
Choose the default port assignment (80).
Name the service (this guide uses wordpress-admin).
You've now configured a remote.it service on the host machine. connectd forwards each tunnel to port 80 over the instance's loopback interface, so Apache sees the request arriving from 127.0.0.1 and the Allow rule admits it (if your Apache access log shows the source as ::1 instead, add that address to the Allow line). We can now make a secure HTTP proxy connection to the machine via remote.it.
With remote.it you can either generate a temporary proxy connection using the remote.it web app or set up a peer-to-peer (P2P) connection. P2P connections stay up as long as connectd is running on both ends, so the local URL can be bookmarked; proxy connections take fewer steps to create but expire.
Download the Windows Connectd Manager. Once installed, log in with your remote.it account and select your device. If you have a high number of devices on your account you'll have to search for your device by name.
Fill the check box next to your device name and click "Setup". This will take you to a list of your device's services.
Fill the check boxes next to the services you wish to establish connections with. Click "Start" once you've selected the desired services.
Our P2P connections have now been created. The local port for each service is shown in the "Port" column; in this example the P2P connection to the WordPress admin page is on localhost port 34001.
Go to http://localhost:PORT/wp-admin, where PORT is the value in the Port column.
Congratulations! You've generated a P2P secure connection to your WordPress admin page. This link is accessible as long as connectd is running on both devices.
Continue this guide if you wish to generate temporary proxy connections using remote.it's cloud.
Navigate to app.remote.it, select the device with the name you entered during installation, then select the wordpress-admin http service. You will be presented with a proxy URL; append /wp-admin to it. That URL takes you to the WordPress admin dashboard.
We've now demonstrated how remote.it can be used in securing your WordPress site. With the htaccess rules we've blocked all public access to the admin dashboard, leaving it reachable only via remote.it. You can share the device with other trusted admins so your whole team can maintain the site quickly and securely. Bear in mind that access to the dashboard now hinges on your remote.it account, so protect that account with the same care you would give the WordPress admin password.