WordPress Admin Security
For some unknown reason, Head Rambles is frequently targeted by hackers trying to crack the admin password.
I should point out that most will have a very hard time, as the user “admin” doesn’t exist. (Not using the default name helps, but don’t rely on the username as a secret: WordPress author archive pages usually reveal real usernames to anyone who looks, so the address restriction described below is the control that actually matters.)
I have two plugins in place – Limit Login Attempts and No Soup. The first automatically locks an attacker out after a few failed attempts; the second is a more permanent fix, whereby any IP address reported by Limit Login Attempts can be entered and is thereafter permanently redirected to another site.
I decided to introduce a little extra security on top of these, however. What I wanted was to block access to the wp-admin directory and also to the wp-login.php file, except from my own address.
In fact this is extremely easy, BUT there is one proviso – the allow list is a fixed IP address, so it will only work if you have a static IP supplied by your ISP. If you have a dynamic IP then do not try this: the next time your address changes you will lock yourself out. One more note: the directives below are Apache 2.2 syntax (Order / Deny / Allow); Apache 2.4 only honours them with mod_access_compat loaded and otherwise uses Require ip instead.
All I did was to create a little .htaccess file for my wp-admin directory –
# The four Auth* lines are inert: with no "Require valid-user" a password
# prompt is never triggered, so they could be left out. The IP rules do the work.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
# Evaluate Deny rules first, then Allow; a client matched by an Allow gets in.
Order deny,allow
Deny from all
#IP address to Whitelist
Allow from 123.123.123.123
Obviously 123.123.123.123 should be replaced with your own IP address.
In theory this is all that is required: even if the password were cracked, the admin directory itself refuses the connection, so the attacker gets no further than the login screen. One caveat worth knowing: wp-admin/admin-ajax.php is called by many themes and plugins from the public pages, so a blanket block on wp-admin can break front-end features; if that happens, add a <Files "admin-ajax.php"> section inside the same .htaccess that allows it from everywhere. I decided to go one step further, just to stop all those warnings about attempted logins and to protect the wp-login.php file itself. Again this was simple. All I had to do was to add a few lines to my root .htaccess file –
<Files "wp-login.php">
Order deny,allow
Deny from all
Allow from 123.123.123.123
</Files>
With those two in place, hacking will be considerably more difficult.
One advantage of this method is that you can update WordPress without destroying your protection.
One disadvantage is that the site can only be administered from the one location, so if you are accessing it from somewhere else [for example, on holidays] you will be locked out. In that event you either forgo updates until you are back at base, or you FTP into the site and rejig the .htaccess files (each extra address needs its own Allow from line, so the holiday address can be added temporarily and removed again when you get home).
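As an added example, not part of the original post, here is the same lockdown written for Apache 2.4, where Order / Deny / Allow are replaced by Require. The address 123.123.123.123 is the same placeholder as above, 198.51.100.7 and 203.0.113.0/24 are made-up examples of a second address and a whole network, and the admin-ajax.php and xmlrpc.php sections are additions the post does not discuss:

```apache
# ---- wp-admin/.htaccess (Apache 2.4, mod_authz_core) ----
# Refuse everything under wp-admin unless the client is an allow-listed
# address. Several addresses or a CIDR range can go on one line, which is
# one way round the "locked out while away" problem described above.
Require ip 123.123.123.123 198.51.100.7 203.0.113.0/24

# Exception (not in the original post): themes and plugins call
# wp-admin/admin-ajax.php from the public pages, so it must stay reachable
# or front-end features silently break. This Require replaces the
# directory-level one for this file only (AuthMerging defaults to Off).
<Files "admin-ajax.php">
    Require all granted
</Files>

# ---- root .htaccess (Apache 2.4) ----
# Same restriction for the login page itself.
<Files "wp-login.php">
    Require ip 123.123.123.123 198.51.100.7 203.0.113.0/24
</Files>

# Addition not in the original post: xmlrpc.php also accepts a username and
# password, so password guessing simply moves there if it is left open.
# Deny it entirely unless something you use (e.g. the mobile app) needs it.
<Files "xmlrpc.php">
    Require all denied
</Files>
```

After editing, confirm the rules actually bite before relying on them: fetch /wp-login.php and /wp-admin/ from an address that is not on the list and expect 403, and fetch a public page that uses admin-ajax.php to make sure it still works.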