
The Akamai Blog

Trusted access to WordPress /wp-admin for content authors

WordPress started as a blogging system but has evolved into a full content management system, and much more, through thousands of plugins, widgets, and themes. One of the main challenges I have seen with customers is providing secure access to /wp-admin or /wp-login.php for the content authors who need to make content changes. It seems straightforward, but the real challenge comes when you want to keep your published URL, https://website.com, for your organization's main website while keeping https://website.com/wp-admin and https://website.com/wp-login.php behind authentication.

Example: products or content are usually published to end users through the organization's main website, say https://cart.myproductsnstuff.com. Content authors, however, use the /wp-admin or /wp-login.php section of WordPress to publish new content about products or anything else. Organizations take several different approaches to this: whitelisting IP addresses, restricting access to /wp-admin through security groups, configuring and managing separate hostnames and DNS entries for content authors, or putting complex firewall rules in place to block access to /wp-admin. With a limited set of content authors and websites these traditional approaches work, but as the team grows and needs administrative access to many websites, maintaining them becomes a real challenge. At the same time, while keeping the same public hostname, you still need a firm security and authentication framework around WordPress admin access for these content authors, along with proper access logging and auditing.

Akamai Enterprise Application Access (EAA) is a simple way to secure and deliver applications that run behind a firewall or in a public cloud. It is a secure remote access service that protects your applications from Internet threats while giving you control and governance over access by contractors, partners, vendors and employees. With EAA, secure, authenticated access to your WordPress /wp-admin can be provided to content authors only, without IP whitelisting or managing complex firewall policies.


Configuration

Let's say there is an organization, "Secperimeter", that publishes its products as an online cart to customers through https://akashop.secperimeter.com. The content authors access https://akashop.secperimeter.com/wp-admin/, i.e. /wp-admin on the same hostname. Using EAA, you can provide access to https://akashop.secperimeter.com/wp-admin while keeping the /wp-admin URI path behind authentication (using enterprise AD) and, optionally, MFA or client certificates.

WordPress (Apache module)

The following rewrites are required in your WordPress Apache configuration to redirect users to the EAA login portal, where content authors first authenticate with enterprise AD (optionally with MFA) and are then connected to the WordPress administrative portal for content editing and publishing.

You need to add the following rewrites to htaccess.conf:

$WordPressPath/conf/htaccess.conf

# Enable mod_rewrite processing for this context (if not already enabled elsewhere in the vhost)
RewriteEngine On

# Verify if the request is for wp-admin (or anything below it) or for wp-login.php
RewriteCond %{REQUEST_URI} ^/(wp-admin(/|$)|wp-login\.php$)

# Leave the front-end AJAX endpoint alone: themes and plugins call it for anonymous visitors
RewriteCond %{REQUEST_URI} !^/wp-admin/admin-ajax\.php$

# Adding a condition to check the Host header for the specific WordPress website
RewriteCond %{HTTP_HOST} ^akashop\.secperimeter\.com$

# Adding a condition to check that the request is not coming from EAA; if it is not, challenge the user for authentication
RewriteCond %{REMOTE_ADDR} !^10\.1\.0\.49$

# Redirect the user to the hostname published through EAA for authentication (the substitution is a literal URL, not a regex)
RewriteRule ^(.*)$ https://contentauth.secperimeter.com [R=302,L]

  1. The first condition checks whether the request is for /wp-admin, including everything below it (for example https://akashop.secperimeter.com/wp-admin/edit.php), or for /wp-login.php. The pattern must not be anchored with $ directly after wp-admin, otherwise requests to /wp-admin/ and to pages below it would pass straight through to WordPress without ever reaching EAA.
  2. The exclusion for /wp-admin/admin-ajax.php keeps the public site working: themes and plugins call that endpoint from the front end for unauthenticated visitors, and it is not an administrative page.
  3. The next condition checks that the Host header is the WordPress site being protected, akashop.secperimeter.com in this configuration, so other virtual hosts on the same server are unaffected.
  4. The next condition checks that the source IP is not the EAA connector. If a load balancer sits between the connector and Apache, REMOTE_ADDR is the load balancer's address rather than the connector's, so list the LB VIP here (one RewriteCond per address). Because this address check is the only thing that distinguishes connector traffic from public traffic, the origin must not be reachable on this hostname from arbitrary other hosts, and Apache must not be configured to take the client address from an X-Forwarded-For header that an Internet client could set itself.
  5. If all the conditions are true, the request is redirected (302) to the external hostname https://contentauth.secperimeter.com, which is published through EAA. The redirect does not carry the originally requested path; the author starts from the EAA portal.
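The three conditions above are easy to get subtly wrong, so here is an added example (not Akamai's or WordPress's code) that re-implements the gate's decision in Python and checks it against sample requests without running Apache. It uses the hostname, connector address and portal URL from this post; the sample client addresses and request paths are constructed for the demonstration. It shows two things the rules alone do not: how a pattern anchored as ^/(wp-admin|wp-login.php)$ passes /wp-admin/ and every page below it straight through to WordPress, while the corrected pattern catches them and still exempts admin-ajax.php; and how to derive the client address safely when a load balancer sits in front of Apache.

```python
"""Offline model of the three-condition mod_rewrite gate described in this post.

Added example, not Akamai's or WordPress's code. Host, connector address and
portal URL are the ones used in the post; the sample addresses and paths
below are constructed for the demonstration.
"""
import re
from dataclasses import dataclass
from typing import Optional, Set

# Pattern as it was first printed: anchored with $, so it matches only the
# bare paths "/wp-admin" and "/wp-login.php", not "/wp-admin/" or pages below it.
ORIGINAL_URI_PATTERN = re.compile(r"^/(wp-admin|wp-login.php)$")

# Corrected pattern: "/wp-admin", "/wp-admin/" and everything below it, plus
# "/wp-login.php" (dot escaped). "/wp-admin-notes" is still not matched.
FIXED_URI_PATTERN = re.compile(r"^/(wp-admin(/|$)|wp-login\.php$)")

# Front-end AJAX endpoint that themes/plugins call for anonymous visitors;
# it must keep working without EAA authentication.
ADMIN_AJAX = re.compile(r"^/wp-admin/admin-ajax\.php$")

HOST_PATTERN = re.compile(r"^akashop\.secperimeter\.com$")
EAA_CONNECTOR_ADDRS = {"10.1.0.49"}  # address from the post's RewriteCond
EAA_PORTAL = "https://contentauth.secperimeter.com"


@dataclass(frozen=True)
class Request:
    host: str         # Host header, %{HTTP_HOST}
    target: str       # request target as sent by the client
    remote_addr: str  # TCP peer address, %{REMOTE_ADDR}


def request_uri(target: str) -> str:
    """%{REQUEST_URI} in mod_rewrite is the path only; the query string is separate."""
    return target.split("?", 1)[0]


def gate(req: Request, uri_pattern=FIXED_URI_PATTERN) -> Optional[str]:
    """Return the redirect target when every RewriteCond holds, else None
    (the request is passed through to WordPress)."""
    path = request_uri(req.target)
    if not uri_pattern.search(path):
        return None                     # cond 1: not an admin/login path
    if ADMIN_AJAX.search(path):
        return None                     # exclusion: public AJAX endpoint
    if not HOST_PATTERN.search(req.host):
        return None                     # cond 2: a different virtual host
    if req.remote_addr in EAA_CONNECTOR_ADDRS:
        return None                     # cond 3 (negated): arrived via EAA
    return EAA_PORTAL                   # RewriteRule: 302 to the EAA portal


def client_ip(remote_addr: str, x_forwarded_for: Optional[str],
              trusted_proxies: Set[str]) -> str:
    """Address to feed into cond 3 when a load balancer terminates the connection.

    Honour X-Forwarded-For only when the TCP peer is a trusted proxy, and take
    the last address it appended (the hop nearest the proxy). A client that
    reaches Apache directly and sets its own X-Forwarded-For header therefore
    cannot impersonate the connector.
    """
    if remote_addr in trusted_proxies and x_forwarded_for:
        return x_forwarded_for.split(",")[-1].strip()
    return remote_addr


PUBLIC_CLIENT = "203.0.113.5"   # constructed public client address
SITE = "akashop.secperimeter.com"


def coverage_report():
    """For each constructed sample path, whether the original and the fixed
    pattern redirect a public client: {path: (original, fixed)}."""
    samples = [
        "/wp-admin", "/wp-admin/", "/wp-admin/edit.php",
        "/wp-admin/admin-ajax.php", "/wp-login.php",
        "/wp-login.php?action=lostpassword", "/wp-admin-notes", "/",
    ]
    return {
        path: tuple(
            gate(Request(SITE, path, PUBLIC_CLIENT), pattern) is not None
            for pattern in (ORIGINAL_URI_PATTERN, FIXED_URI_PATTERN)
        )
        for path in samples
    }


def _verdict(redirected: bool) -> str:
    return "redirect" if redirected else "pass"


if __name__ == "__main__":
    for path, (original, fixed) in coverage_report().items():
        print(f"{path:36s} original={_verdict(original):8s} fixed={_verdict(fixed)}")
```

Running the script prints one line per sample path; the rows for /wp-admin/ and /wp-admin/edit.php are the ones that differ between the two patterns. The client_ip helper is the shape of check to use if you let Apache (for example via mod_remoteip) substitute a forwarded address: trust the header only from the load balancer's own address, never from the Internet.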

Once the user lands on https://contentauth.secperimeter.com (published through EAA), EAA presents an authentication challenge through its login form, where content authors first authenticate with enterprise Active Directory (optionally with MFA). After successful authentication and authorization, Akamai EAA connects the authorized content author to WordPress /wp-admin.

Optionally, administrators can also enable header-based authentication on WordPress using available plugins. HTTP headers offer great flexibility for passing critical information, including custom headers, to enterprise applications, and based on those headers you can make WordPress admin access single sign-on (SSO) enabled. Any plugin that trusts an identity header must be configured to accept it only on requests that arrived through the EAA connector; otherwise a client that can reach WordPress directly could set the header itself.

Datapath Flow:

[Diagram: datapath flow]

For more information, please visit: Akamai.com/EAA

 

 
