How to Protect WordPress Admin Login


WordPress hosting has become very popular because of its flexibility and ease of use. A WordPress site is only as secure as the login to its admin interface (assuming you keep all plugins, themes and the core engine on the latest stable release). Since WordPress requires the admin login for management, that login is reachable from the public Internet by default. WordPress users rely on many techniques and plugins to protect their websites and admin login, among them:

  1. Use a secure password
  2. Use a username other than “admin” for the administrator account
  3. Use additional plugins to protect against attacks

These are all good measures, but what if your password leaks through other means? If your own computer is compromised and you enter your correct WordPress admin username and password, the attacker gets them as well. In that case no brute-force attack is needed: your password can be very strong, but once the attacker has it, they can log in easily.

Apache mod_rewrite Protection

Here is a simple technique to protect the admin login by restricting it to your own IP addresses. Even if an attacker obtains your admin username and password, they cannot log in to WordPress unless they hijack your computer as well.

All you have to do is edit the .htaccess file in the WordPress root folder and, directly above the WordPress permalink mod_rewrite rules, add these rules:

#Restrict WP Login IPs
RewriteEngine On
# GET requests for wp-login.php or anything under wp-admin that do not come
# from the allowed address are redirected to the site home
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule ^(.*)$ http://webx.net [R=301,L]

# POST requests (the actual login submission) for wp-login.php, or for the
# bare wp-admin path (note the trailing $), from other addresses get 403 Forbidden
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule ^(.*)$ - [F]

In the above code, replace 123.123.123.123 with your own IP address and keep the backslashes before the dots, which make each dot match literally. If several admin users need access, repeat the REMOTE_ADDR line once per address, one after the other. Replace webx.net with your own website: unauthorized users will then be redirected to your home page, or to any other page you want to show them. Two things to check: REMOTE_ADDR must be the visitor's real address, so if the site sits behind a CDN or reverse proxy the rule sees the proxy's address instead and treats every visitor the same way; and because the redirect is a permanent 301, browsers cache it, so test changes to the list in a fresh browser session.

The file can be edited via FTP or cPanel. If your ISP does not give you a static IP address, change the IP in the .htaccess file whenever you need to work in the admin interface. If your FTP or cPanel access is leaked, you have a bigger problem to handle.
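As an added example (not part of the original post), here is a small Python script that generates the block above for any number of admin addresses and dry-runs a request against it the way Apache's mod_rewrite would evaluate the conditions, so you can check the allowlist before uploading it. The helper names build_rules and decide are this example's own, the redirect target defaults to the webx.net placeholder from the post, and the admin and visitor addresses are constructed sample values; the simulator assumes the documented mod_rewrite semantics (RewriteCond lines are ANDed unless joined by [OR]).

```python
"""Generate the wp-login / wp-admin IP allowlist for .htaccess and dry-run it.

Added example for this post; it assumes the documented mod_rewrite semantics
(RewriteCond lines are ANDed unless joined by [OR]) and uses placeholder IPs.
"""
import ipaddress
import re

LOGIN_RE = r"^(.*)?wp-login\.php(.*)$"   # any URI that contains wp-login.php
ADMIN_GET_RE = r"^(.*)?wp-admin"          # anything under wp-admin (GET block)
ADMIN_POST_RE = r"^(.*)?wp-admin$"        # only the bare wp-admin path (POST block)


def build_rules(admin_ips, redirect_to="http://webx.net"):
    """Return the .htaccess block with one negated REMOTE_ADDR line per admin IP.

    Every address is validated with ipaddress (a typo raises ValueError) and
    its dots are escaped so the regex matches the literal address only.
    """
    ips = [str(ipaddress.ip_address(ip)) for ip in admin_ips]
    if not ips:
        raise ValueError("at least one admin IP address is required")
    ip_conds = "\n".join(
        f"RewriteCond %{{REMOTE_ADDR}} !^{re.escape(ip)}$" for ip in ips
    )
    return (
        "#Restrict WP Login IPs\n"
        "RewriteEngine On\n"
        "RewriteCond %{REQUEST_METHOD} GET\n"
        f"RewriteCond %{{REQUEST_URI}} {LOGIN_RE} [OR]\n"
        f"RewriteCond %{{REQUEST_URI}} {ADMIN_GET_RE}\n"
        f"{ip_conds}\n"
        f"RewriteRule ^(.*)$ {redirect_to} [R=301,L]\n"
        "\n"
        "RewriteCond %{REQUEST_METHOD} POST\n"
        f"RewriteCond %{{REQUEST_URI}} {LOGIN_RE} [OR]\n"
        f"RewriteCond %{{REQUEST_URI}} {ADMIN_POST_RE}\n"
        f"{ip_conds}\n"
        "RewriteRule ^(.*)$ - [F]\n"
    )


def decide(method, uri, remote_addr, admin_ips):
    """Dry-run one request through the two rule sets.

    Returns "allow", "redirect" (GET block, 301 to the site home) or
    "forbid" (POST block, 403). Each block reads: method AND (login URI OR
    admin URI) AND every negated REMOTE_ADDR line, i.e. the client address
    is not one of the listed admin addresses.
    """
    allowed = {str(ipaddress.ip_address(ip)) for ip in admin_ips}
    if remote_addr in allowed:
        return "allow"          # a negated REMOTE_ADDR condition fails, rule skipped
    hits_login = re.search(LOGIN_RE, uri) is not None
    if method == "GET" and (hits_login or re.search(ADMIN_GET_RE, uri)):
        return "redirect"
    if method == "POST" and (hits_login or re.search(ADMIN_POST_RE, uri)):
        return "forbid"
    return "allow"


if __name__ == "__main__":
    # Constructed sample: two admin addresses and one outside visitor,
    # all taken from the RFC 5737 documentation ranges.
    admins = ["203.0.113.9", "198.51.100.7"]
    print(build_rules(admins))
    for req in [("GET", "/wp-login.php", "203.0.113.9"),
                ("GET", "/wp-login.php", "192.0.2.44"),
                ("POST", "/wp-login.php", "192.0.2.44"),
                ("POST", "/wp-admin/admin-ajax.php", "192.0.2.44"),
                ("GET", "/2024/05/hello-world/", "192.0.2.44")]:
        print(*req, "->", decide(*req, admins))
```

The dry run makes one property of the rules visible that is easy to miss when reading them: the trailing `$` in the POST block means a POST to a file under wp-admin (for example admin-ajax.php, which many plugins use for anonymous visitors) from an outside address is left alone, while every GET under wp-admin from that address is redirected. Whether that is what you want depends on the plugins your site runs; the generator keeps the post's patterns unchanged so the output matches the block above.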

We hope this is useful for you. If you have any comments or questions, you can leave them here. Thank you.