You CAN lock down the WordPress login with some .htaccess rules to prevent unauthorized login attempts.
There have now been several large-scale WordPress wp-login.php brute force attacks, coming from a large number of compromised IP addresses spread across the world since April of last year. A large botnet of around 90,000 compromised servers has been attempting to break into WordPress websites by continually trying to guess the username and password to get into the WordPress admin dashboard. We’ve helped a number of clients get their sites back up and running, but you can stop some of these attacks dead in their tracks.
To save your blog from WordPress hackers you need to take some solid steps to secure it.
This article discusses how to restrict your WordPress admin access and provide an extra layer of security to both your wp-admin folder and your wp-login.php file.
Did you know that you can restrict access to your WordPress admin to certain IP addresses? You can, and I’m going to walk you through step by step just how to do that.
Determining Who Will Have Access
Here you’re going to block every IP except a select few. If your IP is dynamic, this may not be the best option for you, and if you have a lot of users that you allow access to your blog, this could become time consuming. But if you are the only author on your blog, and you don’t allow registrations anyway, this will be rather simple. Begin by making a spreadsheet in Google Sheets, Excel or your spreadsheet program of choice. List the people who should have access to your login page by name and save; next we’ll add more information to this file.
Creating your .htaccess
First, get your IP address. Go to whatsmyip.com and make a note of your IP address. Have anyone who NEEDS access to the admin area of your blog do the same, add each address next to that person’s name in your spreadsheet, and save it in a safe place.
Next, visit your cPanel file manager or FTP to your site to edit your .htaccess file. (Note: in cPanel and in FTP you’ll need to be able to view ‘hidden files’; be sure your settings allow that.)
Open the .htaccess file and you should see something similar to this:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Don’t be concerned if your file isn’t exactly like this, particularly if you have caching plugins or your WordPress resides in its own folder. (The file will be slightly different or longer.) Make a backup of this file BEFORE you make changes. Just copy and paste it to a text file and save it to your computer.
The .htaccess is a distributed configuration file, and is how Apache handles configuration changes on a per-directory basis.
WordPress uses this file to manipulate how Apache serves files from its root directory, and subdirectories thereof. Most notably, WP modifies this file to be able to handle pretty permalinks.
At the very beginning of this file add these lines exactly. The lines starting with # are comment lines; leave them there so that you KNOW what the following line means if you ever need to change this in the future.
<files wp-login.php>
order deny,allow
deny from all
# whitelist Your First IP address
allow from xxx.xxx.xxx.xxx
#whitelist Your Second IP Address
allow from xxx.xxx.xxx.xxx
#whitelist Your Third IP Address
allow from xxx.xxx.xxx.xxx
</files>
You can add more lines to whitelist; just copy one of the #whitelist line sections and change the IP address and the number in the comment if necessary. You can remove all but your own if you desire, but be sure the closing </files> remains or YOU will be locked out of your own site.
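The order/deny/allow directives above are Apache 2.2 syntax; on Apache 2.4 they only work when mod_access_compat is loaded. As an added example that is not part of the original article, here is the same wp-login.php whitelist written with the 2.4 Require directive, with the 2.2 form as a fallback so one file works on either version. The addresses 203.0.113.10 and 198.51.100.0/24 are documentation-range placeholders; replace them with the addresses from your spreadsheet.

```apache
# Added example, not from the original article: wp-login.php whitelist for
# Apache 2.4 with an Apache 2.2 fallback. Place at the top of the root .htaccess.
# 203.0.113.10 and 198.51.100.0/24 are placeholder addresses; use your own.

# Apache 2.4: "Require" replaces the 2.2 "order / deny / allow" directives.
<IfModule mod_authz_core.c>
  <Files wp-login.php>
    # Only the listed addresses are granted; everyone else gets 403 Forbidden.
    # whitelist your first IP address
    Require ip 203.0.113.10
    # whitelist a whole office range (CIDR notation is accepted)
    Require ip 198.51.100.0/24
  </Files>
</IfModule>

# Apache 2.2 (mod_authz_core does not exist there): same effect, old syntax.
<IfModule !mod_authz_core.c>
  <Files wp-login.php>
    order deny,allow
    deny from all
    allow from 203.0.113.10
    allow from 198.51.100.0/24
  </Files>
</IfModule>
```

To check the rule, request wp-login.php from a connection outside the whitelist (a phone on mobile data will do): Apache should answer 403 Forbidden, while a whitelisted address still sees the login form. If you also whitelist the wp-admin folder with the same Require ip lines in wp-admin/.htaccess, add `<Files admin-ajax.php>Require all granted</Files>` to that file, because themes and plugins call admin-ajax.php for logged-out visitors. And if the site sits behind a proxy or CDN, Apache sees the proxy’s address rather than yours unless mod_remoteip is configured, so the whitelist will not match your real IP.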
Save the file and close it, reupload if you’re working by ftp or simply close in cpanel.
That’s it! You’re done! And now your admin pages and login are visible only to you and your chosen few.
There are several other methods of restricting access to your wp-admin and this is but one. We’re always happy to discuss your security needs.
Does working inside your WordPress installation ‘freak’ you out? Totally afraid you’ll blow your site out of the water? Fear not! We can help; just visit our Project Inquiry and we’ll get you taken care of in the blink of an eye.