For some unknown reason, Head Rambles is frequently targeted by hackers trying to crack the admin password.
I should point out that most will have a very hard time, as the user “admin” doesn’t exist.
I have two plugins in place – Limit Login Attempts and No Soup. While the first automatically locks hackers out after the first few attempts, the second is a more permanent fix, whereby any IP address I get from Limit Login Attempts can be entered and thereby permanently redirected to another site.
I decided to introduce a little bit of extra security however. What I wanted was to block access to the wp-admin directory and also to the wp-login.php file.
In fact this is extremely easy BUT there is one proviso – this will only work if you have a static IP supplied by your ISP. If you have a dynamic IP then do not try these.
All I did was to create a little .htaccess file for my wp-admin directory –
AuthName "Access Control"
deny from all
#IP address to Whitelist
allow from 18.104.22.168
Obviously 22.214.171.124 should be replaced with your own IP address.
In theory, this is all that is required, as even if the password is hacked then entry is forbidden into the Admin directory. I decided to go one step further, just to stop all those warnings about attempted logins and to protect the wp-login.php file. Again this was simple. All I had to do was to add a few lines to my root .htaccess file –
Deny from all
Allow from 126.96.36.199
With those two in place, hacking will be be considerably more difficult.
One advantage of this method is that you can update WordPress without destroying your protection.
One disadvantage is that the site can only be updated from the one location, so if you are accessing the site from some different location [for example, on holidays] then you will be locked out. In that event either you forgo updates until you are back at base, or you FTP into the site and rejig the .htaccess file.