htaccess, WordPress

Secure WordPress Admin via .htaccess

Securing the WordPress admin area has always been a weak point of the platform: there is currently no built-in way to give the admin panel a custom URL, something that many other platforms, such as Magento, have implemented. This leaves your blog exposed, especially if default login usernames are still in use on your site.

There are some great WordPress plugins available that can help restrict unwanted access to your admin area, such as Login LockDown: http://wordpress.org/extend/plugins/login-lockdown/, which denies access to an IP address for a set time period once a set number of failed login attempts is reached. This is a nice plugin to implement to keep bots and unwanted users away from your WordPress site’s admin area.

WordPress BotNet Attack

The current issue plaguing WordPress users is a mass botnet attack that targets the admin login of WordPress sites, continually trying to log in and compromise access, as reported by the BBC: http://www.bbc.co.uk/news/technology-22152296. The attack also acts as a DDoS, because the botnet sends its requests from many different IPs; a per-IP lockout such as Login LockDown therefore does little to stop it, and the sheer volume of login requests can bring the site or server down on its own.

The botnet specifically targets login attempts using the ‘admin’ username, which was the default account name (and could not be chosen during installation) before WordPress 3.0. It is worth upgrading your WordPress installation to the latest release, creating a new user account for administration access, and deleting the default admin user account if you still have it set up.

Restrict IP access via .htaccess

One of the best solutions is to deny access to the WordPress login page (the wp-login.php file) from all IP addresses in your site’s .htaccess file, then allow only the individual IPs that should be able to reach it. Any IP that is not explicitly allowed is simply served an error page (an HTTP 403) instead of the login form. This denies the botnet, and any other unwanted visitor, access to the login page, and because wp-admin/ redirects unauthenticated visitors to wp-login.php the rest of the admin area is covered as well, making your site much more secure.

The following can be added to your .htaccess file (make sure you are comfortable editing .htaccess before adding this; a syntax error in that file takes the whole site down with a 500 error):

### WP Admin Lockdown Start ###
<Files wp-login.php>
    order deny,allow
    allow from 127.0.0.1
    deny from all
</Files>
### WP Admin Lockdown End ###

The rules above deny access to every IP address except the one on the “allow from” line, so you now just need to put your own IP there. You can find out your current public IP address by visiting: http://www.whatismyip.com/. In the example above, simply replace 127.0.0.1 with your actual IP address. Because the block uses “order deny,allow”, the “allow from” lines take precedence over “deny from all” regardless of where they appear inside the block.

If you require multiple users or computers to access the WordPress admin area of your site, simply add each IP address on its own “allow from” line, as shown in the example below:

### WP Admin Lockdown Start ###
<Files wp-login.php>
    order deny,allow
    allow from 127.0.0.1
    allow from 127.0.0.2
    allow from 127.0.0.3
    deny from all
</Files>
### WP Admin Lockdown End ###

Please be aware that many ISPs use dynamic IP addresses, so you may need to amend the allowed IP addresses in your .htaccess file on a regular basis. This may make the solution unworkable for sites where several collaborators need access, but for those who can implement it I hope it’s useful.
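The blocks above use the Apache 2.2 access-control syntax. Apache 2.4 replaced “order / allow / deny” with “Require”, and on a 2.4 server without the mod_access_compat module the old directives are unknown and the whole site answers with a 500 error. The following is an added example, not part of the original post, that writes the same lockdown so it works on either version, and it also shows how to allow a whole address range for the dynamic-IP case. The addresses 203.0.113.10 and 198.51.100.0/24 are placeholders from the reserved documentation ranges, not real addresses from the post; replace them with your own.

```apache
### WP Admin Lockdown Start ###
<Files wp-login.php>
    # Apache 2.4 and later: mod_authz_core provides "Require".
    # Several "Require ip" lines in one block are OR-ed together,
    # so any listed address or range is allowed and everything
    # else gets a 403.
    <IfModule mod_authz_core.c>
        Require ip 203.0.113.10          # placeholder: a single fixed address
        Require ip 198.51.100.0/24       # placeholder: a /24 range, for a dynamic ISP address
    </IfModule>

    # Apache 2.2 (the syntax used in the post). With "order deny,allow"
    # the allow lines win over "deny from all" wherever they appear.
    # "Allow from" accepts CIDR ranges as well as single addresses.
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
        Allow from 203.0.113.10          # placeholder: a single fixed address
        Allow from 198.51.100.0/24       # placeholder: a /24 range
    </IfModule>
</Files>
### WP Admin Lockdown End ###
```

To check the rule is live, request the login page from a machine whose address is not listed (for example `curl -I https://example.com/wp-login.php` from a server or a phone on mobile data) and confirm you get “HTTP/1.1 403 Forbidden” rather than the login form, then repeat from an allowed address and confirm you get 200. Note that this only guards wp-login.php; WordPress also accepts credentials through xmlrpc.php, which this block does not touch, so if you do not use XML-RPC clients the same `<Files>` wrapper can be applied to that file too.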


4 Responses

  1. mmh3 - netBrainiac.com
    May 1, 2013

    Thanks so much! I implemented this today… Found you on google+ wordpress community =)

    • Porter
      May 1, 2013

      Glad it’s useful for others, no probs.

  2. InfoTasBranded
    July 8, 2013

    Excellent post! Keep up the informative work!

  3. James N
    August 13, 2014

    Great post, this is a fantastic way for people to protect certain parts of their WordPress blog. You mentioned the dynamic IPs:

    “Please be aware that many ISP’s use dynamic IP addresses, so you may be required to amend the allowed IP addresses in your .htaccess file on a regular basis. This may make the solution not viable for your site if multiple users collaborate and require access, but for those who can implement it I hope its useful.”

    I find that the best way to approach this is by using the first 3 octets of the IP address, since your IP will typically (not always though) only change the last number. So if your IP is currently 127.0.0.45, just add this:

    allow from 127.0.0.

    Be sure to add the period at the end. This will allow any IP address starting with 127.0.0. – so you are technically allowing 254 total IPs to connect, but that’s not bad when you consider all of them out there.
