WordPress: Looking for some advice

I have a customer for whom we host their small business website. It does not get much traffic and it enables us to keep up to speed on securing websites. The customer used SSL VPN to access our network and then FTP to upload the changed files to his site. This has been working well for a couple of years.

Like many small business owners, this customer has family. In this case, it is a talented daughter who has developed a very nice site. Now Dad wants to use it in place of the original static pages website, and have daughter upload changes to the site.

After some reading, WordPress hosting fills me with terror, and I am thinking that AuthPoint might help to mitigate some risks with accessing the site. Does anyone else do this? Any advice for integrating AuthPoint? Chapters in the manual or the Study Guide are always useful.

Adrian from Australia

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @xxup
    There appear to be a few plugins for WordPress that add SAML functionality, but it does not appear to support it natively.

    If you were to add one of these services, using the generic SAML instructions for AuthPoint should be all or most of what you need to set it up:

    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/authpoint/resources_saml.html

    I can't specifically recommend any of them, but just googling "wordpress SAML plugin" should get you started.

    -James Carson
    WatchGuard Customer Support

  • Thank you James. That's a great starting point.

    Adrian from Australia

  • I am pleased to report that the WordPress AuthPoint document works (only one missing bit in the documentation), but.... :(

    The immediate problem that I discovered after setting up the AuthPoint SAML solution is that you can type https://{wordpress-site}/wp-login.php and bypass the AuthPoint login.

    Being an old UNIX guy, I deleted the wp-login.php file (actually I moved it to a very dark place on the web server) and this removed access to the normal WordPress login. However, the SAML logout link requires wp-login.php to log out. For normal users of the site, this will not be an issue, but for the developer (the customer's daughter) this will be a problem, as a good developer will log out and then log in as an ordinary user to check that everything is working correctly.

    Soooooo... Before I go into hacker mode and rip apart the wp-login.php file, is there a better way to force the SAML logout?

    Adrian from Australia

  • james.carson Moderator, WatchGuard Representative

    Hi @xxup
    The only way we (AuthPoint) can enforce logout is via the logout link that we (the IdP) provide to the application (WordPress).

    I'd suggest trying to make a feature request on that end (with WordPress, or whichever SAML plugin you're using) to fix that, as that's where the issue seems to be.

    -James Carson
    WatchGuard Customer Support

  • Thank you James. The vendor has a US$349 option to redirect users away from wp-login.php. On a good day that's about A$500 without tax. I know that the customer will not pay that, so it looks like Hackersville Inc (i.e. me) will do the surgery tomorrow.

    Adrian from Australia
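The "surgery" discussed in this thread (keep wp-login.php so the SAML logout still works, but stop unauthenticated visitors from using it as a password login) does not need the wp-login.php file edited at all. The following is an added example, not code from the thread, from WatchGuard or from any SAML plugin: a WordPress must-use plugin that hooks `login_init`, which WordPress fires at the top of wp-login.php before any login form is rendered or any submitted credentials are processed. It assumes the installed SAML plugin exposes an SP-initiated login URL (the `/?saml_sso` path and the `FORCE_SAML_SSO_URL` constant are placeholders to adjust for whichever plugin is in use) and that a break-glass constant `FORCE_SAML_BREAK_GLASS` may be defined in wp-config.php by the hosting admin when the IdP is unreachable.

```php
<?php
/**
 * Plugin Name: Force SAML login (added example)
 * Description: Redirect unauthenticated requests for wp-login.php to the SAML IdP
 *              while leaving the logout action (needed by the SAML logout link) intact.
 *
 * Install by copying this file into wp-content/mu-plugins/ (must-use plugins load
 * automatically and cannot be deactivated from the dashboard).
 *
 * Assumptions (not from the thread): the SAML plugin's SP-initiated login endpoint
 * lives at /?saml_sso, and the admin may define FORCE_SAML_BREAK_GLASS in wp-config.php.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Direct requests to this file get nothing.
}

// Hypothetical SP-initiated login URL; change to what the installed SAML plugin documents.
define( 'FORCE_SAML_SSO_URL', home_url( '/?saml_sso' ) );

// wp-login.php actions that must keep working for an anonymous visitor.
// 'logout' is what the SAML plugin's logout link lands on; 'postpass' is the
// password-protected-post form, which also posts to wp-login.php.
const FORCE_SAML_ALLOWED_ACTIONS = array( 'logout', 'postpass' );

/**
 * Runs on every request to wp-login.php, for GET and POST alike, before WordPress
 * looks at any username/password in the request body.
 */
function force_saml_login_redirect() {
    // Break-glass: the hosting admin defines this in wp-config.php only while the IdP is down.
    if ( defined( 'FORCE_SAML_BREAK_GLASS' ) && true === FORCE_SAML_BREAK_GLASS ) {
        return;
    }

    // Already authenticated (e.g. the developer about to log out): nothing to enforce.
    if ( is_user_logged_in() ) {
        return;
    }

    // wp-login.php treats a missing action as 'login'; mirror that here.
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : 'login';

    if ( in_array( $action, FORCE_SAML_ALLOWED_ACTIONS, true ) ) {
        return;
    }

    // Everything else (login form, lostpassword, register, a POSTed password...) goes to the IdP.
    // wp_safe_redirect() only follows same-host targets, which home_url() satisfies.
    wp_safe_redirect( FORCE_SAML_SSO_URL );
    exit;
}
add_action( 'login_init', 'force_saml_login_redirect' );
```

Because `login_init` fires before WordPress evaluates the submitted form, a direct POST of `log`/`pwd` to wp-login.php is redirected just like a GET, so the password form is not merely hidden but unreachable for anonymous visitors. The check is deliberately an allow-list of actions rather than a block-list, so a new wp-login.php action added by a future WordPress release defaults to being redirected. One caveat this does not cover: wp-login.php is not the only place WordPress accepts passwords; xmlrpc.php and REST API application passwords are separate entry points and need their own decision (disable them, or restrict them at the web server) if the intent is that only the IdP authenticates users.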
