WordPress Admin Security


Yeah, there are a lot of script kiddies out there scanning WordPress sites and brute-forcing WordPress admin logins. You can limit access to the WordPress admin panel to a restricted set of IP addresses, or block unwanted browser agents. Here are some examples using .htaccess and mod_rewrite:

Most likely there is already an .htaccess file inside your WordPress directory. Add the following snippets to that file:

Restrict wp-admin to known IP addresses only and return a 404 to everyone else. To allow more than one address, add another RewriteCond %{REMOTE_ADDR} line for each address:

<IfModule mod_rewrite.c>
RewriteEngine on
# The login page...
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
# ...or wp-admin itself and anything beneath it (/wp-admin/, /wp-admin/edit.php, ...)
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(/.*)?$
# ...requested from any address other than the allowed one
RewriteCond %{REMOTE_ADDR} !^192\.168\.100\.111$
# Drop the request with a 404 instead of revealing that the admin exists
RewriteRule ^(.*)$ - [R=404,L]
</IfModule>
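As an added example (not from the original post), here is the same IP restriction extended to several addresses, matching wp-admin with or without a trailing slash and everything beneath it, and exempting admin-ajax.php, which themes and plugins call from the public site on behalf of logged-out visitors and which a blanket wp-admin block would break. The two addresses are placeholders from documentation ranges; replace them with the addresses you administer from.

```apache
# Added example: allowlist several admin addresses, keep admin-ajax.php reachable.
# 192.0.2.10 and 203.0.113.42 are placeholder addresses.
<IfModule mod_rewrite.c>
RewriteEngine On

# Let admin-ajax.php through before the block below: front-end features of
# many themes and plugins depend on it for anonymous visitors.
RewriteCond %{REQUEST_URI} /wp-admin/admin-ajax\.php$
RewriteRule ^ - [L]

# Match the login page, or wp-admin itself and anything beneath it.
# The patterns are unanchored at the start, so they also work when
# WordPress is installed in a subdirectory.
RewriteCond %{REQUEST_URI} /wp-login\.php$ [OR]
RewriteCond %{REQUEST_URI} /wp-admin(/|$)
# ...and only when the client is none of the allowed addresses.
# Conditions without [OR] are ANDed, so each allowed address gets its own line.
RewriteCond %{REMOTE_ADDR} !^192\.0\.2\.10$
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.42$
RewriteRule ^ - [R=404,L]
</IfModule>
```

Put this block above the "# BEGIN WordPress" section so it runs before the permalink rewrite. If the site sits behind a reverse proxy or CDN, REMOTE_ADDR holds the proxy's address, not the visitor's; the rules are only meaningful once the real client address has been restored (for example with mod_remoteip), otherwise either everyone or no one is allowed in.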

You can block on other server variables in the same way. Below are some examples.

Block By Referrer:

# Reject POSTs to the login page or wp-admin that do not come from your own site.
# The referrer is client-supplied and can be spoofed or stripped by privacy
# settings, so treat this as a cheap hurdle for scripted logins, not a strong control.
RewriteCond %{REQUEST_METHOD} POST
# Allow both http and https, and any subdomain of yoursite.com
RewriteCond %{HTTP_REFERER} !^https?://([^/]*\.)?yoursite\.com(/|$) [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(/.*)?$
RewriteRule ^(.*)$ - [F]

Block By User Agent:

RewriteEngine On
# [OR] makes either condition sufficient; without it both would have to match the same request
RewriteCond %{HTTP_USER_AGENT} Mechanize [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (Baiduspider|HTTrack|Yandex) [NC]
RewriteRule .* - [F,L]
