
WordPress Security – protect your wp-admin with this quick .htaccess trick

WordPress is undergoing an attack by a swarm of Zombies (a botnet), and they are after any site with an Admin user account. Securing WordPress is easy: there are two things you can do to protect your website and yourself.

1. Change your Admin account (use a differently named administrator) and then delete the Admin account (if you haven’t already)

2. Only allow access to WordPress /wp-admin from your own IP address

Of course, you should also have a backup strategy, so why not set up my plugin DBC Backup 2 to do the hard work. It’s free and can run on a schedule.

I originally installed a plugin called Limit Login Attempts, which is grand: IP addresses automatically get blocked. But, as you can see, it’s not stopping the brute force attacks. This is why your .htaccess is your shield and best protection.

Screenshot: Limit Login Attempts ‹ Damien Saunders — WordPress

Think of your WordPress website as a little application in a big, bad, ugly world, and your .htaccess file is your Hero and Knight who’ll go out and take on anyone.

Restrict access to WP-Admin to only your IP

As you’ve probably figured out, if you’re not logged in to WordPress, you only need to go to http://yourdomain.com/wp-admin to log in. Once logged in, all your Admin pages are accessed from there. So protecting your /wp-admin directory is an excellent defence.

Doing this will also stop brute force hackers, as their IP addresses will get blocked by the web server itself, before WordPress even runs!

[php]
# Limit logins and admin by IP
# this goes in the /wp-admin folder's .htaccess, NOT the root folder's
# <Limit> applies the rules to the listed methods only (GET also covers HEAD);
# remove the <Limit>/</Limit> lines to cover every HTTP method
<Limit GET POST PUT>
Order deny,allow
Deny from all
Allow from 12.34.56.78
</Limit>
# Apache 2.4 (mod_authz_core) equivalent: Require ip 12.34.56.78
[/php]

Allow users to access Ajax

If you’re running an ecommerce site, or your themes or plugins use Ajax, chances are that you’re using admin-ajax.php, a file in the /wp-admin folder. You need to allow everyone to access this one file.

So here is the full content for your .htaccess file that allows only you to log in while everyone can still use Ajax.

[php]
# Limit logins and admin by IP
# this goes in the /wp-admin folder's .htaccess, NOT the root folder's
# <Limit> applies the rules to the listed methods only (GET also covers HEAD);
# remove the <Limit>/</Limit> lines to cover every HTTP method
<Limit GET POST PUT>
Order deny,allow
Deny from all
Allow from 12.34.56.78
</Limit>
# admin-ajax.php stays reachable by everyone: this per-file section is merged
# after the directory rule above and replaces it for that one file
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
# Apache 2.4 (mod_authz_core) equivalents: "Require ip 12.34.56.78" and "Require all granted"
[/php]
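The directives above say what to configure but not how Apache will decide each request. As an added example (not code from the post), the following Python models how the mod_access_compat-style rules in that .htaccess evaluate a given method, path and client address. It makes three points checkable before touching a live server: the `<Limit GET POST PUT>` wrapper leaves methods such as OPTIONS unrestricted, the `<Files admin-ajax.php>` section opens that one file to everyone, and a per-directory .htaccess covers only /wp-admin/, so wp-login.php in the site root is outside its scope. The address 12.34.56.78 is the post's placeholder for the owner's IP; the sample requests, the `Request` type and the `with_limit_wrapper` switch are constructed for this example, and the CIDR support in `ip_allowed` goes beyond the single address the post uses.

```python
# Added example (not code from the post): a model of how Apache's
# mod_access_compat-style directives in the wp-admin .htaccess decide a
# request, so allow/deny outcomes can be checked per (method, path, IP).
# 12.34.56.78 is the post's placeholder address; the samples are constructed.
import ipaddress
from dataclasses import dataclass

# "Allow from 12.34.56.78": host-based allow list. CIDR entries are accepted
# here as well, which goes beyond the single address in the post.
ALLOW_FROM = ["12.34.56.78"]

# <Limit GET POST PUT>: the deny/allow block governs only these methods.
# Apache treats a GET restriction as covering HEAD too.
LIMITED_METHODS = {"GET", "HEAD", "POST", "PUT"}

PROTECTED_DIR = "/wp-admin/"      # the directory holding the .htaccess
OPEN_FILE = "admin-ajax.php"      # <Files admin-ajax.php> ... Allow from all


@dataclass(frozen=True)
class Request:
    method: str
    path: str          # URL path, e.g. "/wp-admin/edit.php"
    client_ip: str


def ip_allowed(client_ip, allow_from=ALLOW_FROM):
    """'Order deny,allow' + 'Deny from all': everything is denied unless an
    Allow entry matches, in which case the allow overrides the deny."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in allow_from)


def decide(req, with_limit_wrapper=True):
    """Return "allow" or "deny" as the wp-admin .htaccess would.

    with_limit_wrapper=False models the same file with the <Limit>/</Limit>
    lines removed, i.e. the IP rule applied to every method.
    """
    # A per-directory .htaccess governs only its own subtree. wp-login.php
    # lives in the site root, so this file never sees it.
    if not req.path.startswith(PROTECTED_DIR):
        return "allow"
    filename = req.path.rsplit("/", 1)[-1]
    # <Files admin-ajax.php> is merged after the directory-level directives,
    # so its 'Order allow,deny' / 'Allow from all' replaces the IP rule for
    # that one file: anyone may call it.
    if filename == OPEN_FILE:
        return "allow"
    # Methods outside the <Limit> list are not subject to the rule at all.
    if with_limit_wrapper and req.method.upper() not in LIMITED_METHODS:
        return "allow"
    return "allow" if ip_allowed(req.client_ip) else "deny"


# Constructed sample requests: the owner's IP, a stranger, and edge cases.
SAMPLES = [
    Request("GET", "/wp-admin/", "12.34.56.78"),                  # owner
    Request("GET", "/wp-admin/", "203.0.113.9"),                  # stranger
    Request("POST", "/wp-admin/admin-ajax.php", "203.0.113.9"),   # Ajax stays open
    Request("OPTIONS", "/wp-admin/edit.php", "203.0.113.9"),      # not in <Limit>
    Request("POST", "/wp-login.php", "203.0.113.9"),              # outside the directory
]


def evaluate_samples(with_limit_wrapper=True):
    """Map each sample request to the decision the .htaccess would make."""
    return {(r.method, r.path, r.client_ip): decide(r, with_limit_wrapper)
            for r in SAMPLES}


if __name__ == "__main__":
    for (method, path, ip), verdict in evaluate_samples().items():
        print(f"{method:8}{path:32}{ip:16}{verdict}")
    # With the <Limit> wrapper removed, the OPTIONS request is denied too.
    probe = Request("OPTIONS", "/wp-admin/edit.php", "203.0.113.9")
    print("OPTIONS without <Limit>:", decide(probe, with_limit_wrapper=False))
```

Running the script prints one verdict per sample. Only the stranger's GET to /wp-admin/ is denied; the OPTIONS request passes because it is not in the `<Limit>` list, and the POST to /wp-login.php passes because the file is not under /wp-admin/ at all, which is why the IP rule on its own does not stop login attempts aimed directly at wp-login.php.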

Hints … iPads & Smartphones
You usually can’t control your IP address on your mobile phone, and some iOS / Android apps won’t work if you have an IP address restriction in place. But then, what’s the price of security?
