=== AskApache Password Protect ===
Contributors: cduke250
Donate link: https://www.askapache.com/
Tags: password,security,admin,username,access,authorization,authentication
Requires at least: 2.0
Tested up to: 2.2.2
Stable tag: 2.0

This plugin adds password protection to your /wp-admin/ directory.

== Description ==

If you are worried about your WordPress blog getting hacked, this can help. It adds a second layer of security to your blog by requiring a username and password to access anything in the /wp-admin/ folder.

The plugin is simple: you just choose a username and password and you are done. It writes the .htaccess file without messing it up. It also encrypts your password and creates the .htpasswd file, and it sets the correct security-enhanced file permissions on both.

== Installation ==

This section describes how to install the plugin and get it working.

1. Upload aa-password-protect.zip to the /wp-content/plugins/ directory
1. Unzip into its own folder /wp-content/plugins/aa-password-protect/aa-password-protect.php
1. Activate the plugin through the 'Plugins' menu in WordPress by clicking "AskApache Password Protect"
1. Go to your Options Panel and open the "AskApache Password Protect" submenu: /wp-admin/options-general.php?page=aa-password-protect.php
1. Choose a username and password and hit the "Password Protection" button.

== Frequently Asked Questions ==

= Do I have to type in my username and password on every admin page? =

No. You just have to type it in once and it will keep you logged in until you close your browser.

= How Secure Is It? =

In Basic HTTP Authentication, the password is passed over the network not encrypted but not as plain text -- it is "uuencoded." Anyone watching packet traffic on the network will not see the password in the clear, but the password will be easily decoded by anyone who happens to catch the right network packet.

So basically this method of authentication is roughly as safe as telnet-style username and password security -- if you trust your machine to be on the Internet, open to attempts to telnet in by anyone who wants to try, then you have no reason not to trust this method also.

In MD5 Message Digest Authentication, the password is not passed over the network at all. Instead, a series of numbers is generated based on the password and other information about the request, and these numbers are then hashed using MD5. The resulting "digest" is then sent over the network, and it is combined with other items on the server to test against the saved digest on the server.

This method is more secure over the network, but it has a penalty. The comparison digest on the server must be stored in a fashion that it is retrievable. Basic Authentication stores the password using the one-way crypt() function. When the password comes across, the server uudecodes it and then crypts it to check against the stored value. There is no way to get the password from the crypted value. In MD5, you need the information that is stored, so you can't use a one-way hashing function to store it. This means that MD5 requires more rigorous security on the server machine. It is possible, but non-trivial, to implement this type of security under the Unix™ security model.

== Screenshots ==

1. This screen shot (aa-passpro-auth.png) shows the password prompt.
1. This screen shot (aa-passpro-off.png) shows the setup screen.
1. This screen shot (aa-passpro-on.png) shows the setup screen.

== Example .htpasswd ==

Here is a sample of the .htpasswd file output by the plugin.

    # BEGIN AskApache Password Protect
    askapache:$1$UUNC/Y4z$2HrLVf23pizdtlUXazGbN1
    # END AskApache Password Protect

== Example .htaccess ==

    # BEGIN AskApache Password Protect
    AuthName "Authorization Required"
    AuthUserFile /home/htdocs/.htpasswd
    AuthGroupFile /dev/null
    AuthType Basic
    Require valid-user
    # END AskApache Password Protect
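
The trade-off described under "How Secure Is It", worked through as an added example (not code from the plugin): it decodes a Basic header using the Base64 encoding that Basic authentication puts on the wire (RFC 7617), then shows that the value a server stores for Digest authentication is enough on its own to produce a valid response. The password, nonce and request values are constructed; the user name and realm are taken from the sample files above.

```python
import base64
import hashlib


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def basic_header(user: str, password: str) -> str:
    """Authorization header value a browser sends for AuthType Basic."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic(header: str) -> tuple[str, str]:
    """Recover user and password from a Basic header; no key is involved."""
    scheme, token = header.split(" ", 1)
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    # partition() splits on the first colon only, so passwords may contain ':'
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def digest_ha1(user: str, realm: str, password: str) -> str:
    """Per-user value the server keeps on disk for Digest authentication."""
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1: str, nonce: str, method: str, uri: str) -> str:
    """Digest response for a challenge without qop (RFC 2617, 3.2.2.1)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


# Constructed sample values (assumptions, not taken from a real site).
USER, PASSWORD, REALM = "askapache", "example-password", "Authorization Required"
NONCE, METHOD, URI = "constructed-nonce-0001", "GET", "/wp-admin/"


def demo() -> tuple[tuple[str, str], bool]:
    # Basic: anyone who sees the header can read the credentials back out.
    seen_on_wire = decode_basic(basic_header(USER, PASSWORD))
    # Digest: the stored HA1 alone yields the same response as the password.
    stored = digest_ha1(USER, REALM, PASSWORD)
    from_password = digest_response(digest_ha1(USER, REALM, PASSWORD), NONCE, METHOD, URI)
    from_stored = digest_response(stored, NONCE, METHOD, URI)
    return seen_on_wire, from_password == from_stored


if __name__ == "__main__":
    print(demo())
```

Serving /wp-admin/ over HTTPS addresses the first exposure; the restrictive file permissions the plugin sets on the password file matter most for the second.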