htaccess, WordPress

Secure WordPress Admin via .htaccess

Securing the WordPress admin section has always been an issue with the platform as there is currently not a facility to specify a custom URL for admin panel access, something that many other platforms have implemented such as Magento. This can leave your blog at risk, especially if default login usernames are used for your site.

There are some great WordPress plugins available that can help restrict unwanted access to your admin area, such as Login LockDown: http://wordpress.org/extend/plugins/login-lockdown/ that will deny access to an IP address for a set time period if the set amount of login attempts are reached. This is a nice plugin to implement to restrict access to bots or unwanted users trying to access your WordPress site’s admin area.

WordPress BotNet Attack

The current issue plaguing WordPress users is a mass BotNet attack that targets the WP admin of a WordPress site, continually trying to login and compromise access, as reported by the BBC: http://www.bbc.co.uk/news/technology-22152296. This also acts as a DDoS attack, as the BotNet has evolved to be able to send requests from multiple IP’s, thus starting to render the Login LockDown to be useless in preventing your site / server from failing.

The BotNet specifically targets login attempts using the ‘admin’ username which was the default (and couldn’t be changed) prior to WordPress v3.0. It is worth upgrading your WordPress installation to the latest revision, creating a new user account for administration access and deleting the default admin user account if you have it setup.

Restrict IP access via .htaccess

One of the best solutions, or ideas is to completely restrict access from all IP addresses to the WordPress admin (the wp-login.php file) within your site’s .htaccess file, then specify individual IP’s that can access it. Any IP that isn’t specifically given access to the wp-login.php file will simply be given an error page. This theory should hopefully deny access by any BotNet attack to the admin login area and any other unwanted users, making your site much more secure.

The following can be added to your .htaccess file (be confident in using .htaccess before adding this):

### WP Admin Lockdown Start ###

<Files wp-login.php>

    order deny,allow

    allow from 127.0.0.1

    deny from all

</Files>

### WP Admin Lockdown End ###

The script above denies access to all IP addresses, so now you just need to add your IP to the line “allow from”. You can find out your current IP address by visiting: http://www.whatismyip.com/. In the example above, simply replace: 127.0.0.1 with your actual IP address.

If you require multiple users / computers to access the WordPress admin area of your site, then simply add the IP addresses to the statement implemented, preceded by “allow from” as shown in the example below:

### WP Admin Lockdown Start ###

<Files wp-login.php>

    order deny,allow

    allow from 127.0.0.1

    allow from 127.0.0.2

    allow from 127.0.0.3

    deny from all

</Files>

### WP Admin Lockdown End ###

Please be aware that many ISP’s use dynamic IP addresses, so you may be required to amend the allowed IP addresses in your .htaccess file on a regular basis. This may make the solution not viable for your site if multiple users collaborate and require access, but for those who can implement it I hope its useful.


3 Responses

Leave a Reply