Lock down WP-ADMIN

Because of the recent increase in attacks on WordPress, we were recently chatting about locking down /wp-admin and wp-login.php. We discussed the Limit Login Attempts plugin, which works really well: if a user fails to log in after a certain number of attempts, they are blacklisted for a period of time.

Dre Armeda, a security expert, suggested we use .htaccess to deny all traffic (except ours) based on IP address. He says this is even better than a plugin, because we’re not allowing hackers to even reach the login page.

The code to “deny all” is pretty simple and easy to implement. Simply drop the snippet below into .htaccess, and change the IP address to yours. This will block anyone from accessing both wp-login.php AND the WordPress dashboard. Don’t worry, if your IP address changes, you can always edit it later using FTP.

https://gist.github.com/gregrickaby/7929e7d53b082ffe313f

Here is what my .htaccess looks like:

<IfModule mod_rewrite.c>
RewriteEngine on
# Match the login page, or anything under the dashboard directory.
# The pattern "wp-admin$" alone only matches a bare "/wp-admin" and lets
# "/wp-admin/" and "/wp-admin/index.php" through, so allow an optional
# "/..." tail after it.
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(/.*)?$
# Only this address may pass. REMOTE_ADDR is the direct client, so behind
# a proxy or CDN it holds the proxy's address, not yours.
RewriteCond %{REMOTE_ADDR} !^101\.167\.112\.117$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
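A quick way to check what a RewriteCond chain like this actually blocks, before trusting it on a live site, is to model mod_rewrite's evaluation (conditions are ANDed, except a run linked by [OR] forms one OR-group, and patterns are searched, not anchored) and run a handful of request paths through it. The script below is an added example, not part of the original post or the gist. It compares the post's dashboard pattern ending in wp-admin$ with a widened wp-admin(/.*)?$ form (my assumption of the intended fix); the allowed address is the one from the post and the other client address is a constructed value from the TEST-NET documentation range.

```python
import re
from dataclasses import dataclass

# Constructed values: the allowed address is the one from the post; the
# other client address is from the 203.0.113.0/24 documentation range.
ALLOWED_IP = "101.167.112.117"
OTHER_IP = "203.0.113.5"


@dataclass(frozen=True)
class Cond:
    """One RewriteCond line: a server variable, a PCRE pattern, and flags."""
    var: str               # "REQUEST_URI" or "REMOTE_ADDR"
    pattern: str
    negate: bool = False   # leading "!" on the pattern
    or_next: bool = False  # the [OR] flag: OR this cond with the next one


def cond_matches(cond, request):
    # RewriteCond patterns are searched, not implicitly anchored, so use re.search.
    hit = re.search(cond.pattern, request[cond.var]) is not None
    return hit != cond.negate


def rule_fires(conds, request):
    """AND all conditions, except that runs linked by [OR] form one OR-group."""
    result = True
    i = 0
    while i < len(conds):
        group = []
        while i < len(conds) and conds[i].or_next:
            group.append(conds[i])
            i += 1
        if i < len(conds):            # the cond that closes the OR-group
            group.append(conds[i])
            i += 1
        result = result and any(cond_matches(c, request) for c in group)
    return result


# The three conditions with the dashboard pattern as it appears in the gist.
ORIGINAL = [
    Cond("REQUEST_URI", r"^(.*)?wp-login\.php(.*)$", or_next=True),
    Cond("REQUEST_URI", r"^(.*)?wp-admin$"),
    Cond("REMOTE_ADDR", r"^101\.167\.112\.117$", negate=True),
]

# Same chain with the dashboard pattern widened to cover "/wp-admin/..." (assumed fix).
FIXED = [
    Cond("REQUEST_URI", r"^(.*)?wp-login\.php(.*)$", or_next=True),
    Cond("REQUEST_URI", r"^(.*)?wp-admin(/.*)?$"),
    Cond("REMOTE_ADDR", r"^101\.167\.112\.117$", negate=True),
]

# Constructed request paths. REQUEST_URI never carries the query string,
# so "?action=..." variants are not distinct cases here.
SAMPLE_PATHS = [
    "/",
    "/wp-login.php",
    "/wp-admin",
    "/wp-admin/",
    "/wp-admin/index.php",
    "/wp-admin/admin-ajax.php",
]


def audit(conds, ip, paths=SAMPLE_PATHS):
    """Return {path: True if the chain would answer 403 for this client IP}."""
    return {p: rule_fires(conds, {"REQUEST_URI": p, "REMOTE_ADDR": ip}) for p in paths}


if __name__ == "__main__":
    for name, conds in (("original", ORIGINAL), ("fixed", FIXED)):
        print(f"--- {name} chain, client {OTHER_IP}")
        for path, is_blocked in audit(conds, OTHER_IP).items():
            print(f"{'403' if is_blocked else '200'}  {path}")
```

Running it shows that the wp-admin$ pattern blocks /wp-admin but not /wp-admin/ or /wp-admin/index.php, which is where the dashboard actually lives, while the widened pattern blocks all three. The widened pattern also blocks /wp-admin/admin-ajax.php; if a theme or plugin calls that file for anonymous visitors, add an extra negated RewriteCond exempting it, and re-run the audit to confirm the exemption does what you expect.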

I hope this helps. After adding this snippet, the emails I receive from the Limit Login Attempts plugin have stopped completely.

About Greg Rickaby

Director of Engineering @WebDevStudios / Author & Tech Editor @ForDummies / @WordPress Contributor / @gatsbyjs Maintainer / Follow Greg on Twitter

1 Comment

  1. mediacellar on September 8, 2014 at 3:00 pm

    Good advice, Greg. Out of curiosity, does this help with the XMLRPC attacks some of our sites have been getting lately?
