WordPress

WordPress is undergoing an attack by a swarm of Zombies - and they are after any site with an Admin user account. Securing WordPress is easy, and you can do two things to protect your website and yourself.

  1. Create a new administrator user and then delete the default Admin account (if you haven’t already)

  2. Only allow access to WordPress /wp-admin by your IP address

Of course, you should also have a backup strategy - and so why not set up my plugin DBC Backup 2 to do the hard work. It’s free and can run on a schedule.

I originally installed a plugin called Limit Login Attempts - which is grand. IP addresses automatically get blocked, but as you can see - it’s not stopping the brute force attacks. This is why your .htaccess is your shield and best protection.

Limit Logins

Think of your WordPress website as a little application in a big, bad, ugly world - and your .htaccess file as your Hero and Knight, who’ll go out and take on anyone.

Restrict access to WP-Admin to only your IP

As you’ve probably figured out, if you’re not logged in to WordPress, you only need to go to http://yourdomain.com/wp-admin to log in. Once logged in, all of your Admin pages are served from there. So protecting your /wp-admin directory is an excellent idea.

Doing this will also stop brute force attackers, because every IP address other than yours is denied by the server itself, before the request ever reaches WordPress.

# Limit logins and admin by IP
# this goes in the /wp-admin folder NOT the root folder .htaccess
<Limit GET POST PUT>
order deny,allow
deny from all
allow from 12.34.56.78
</Limit>

Allow users to access Ajax

If you’re running an ecommerce site, or your themes or plugins are using Ajax, chances are that you’re using admin-ajax.php, a file in the /wp-admin folder. You need to allow everyone to access this file.

So here is the full content for your .htaccess file that allows only you to log in while everyone can still use the Ajax.

# Limit logins and admin by IP
# this goes in the /wp-admin folder NOT the root folder .htaccess
<Limit GET POST PUT>
order deny,allow
deny from all
allow from 12.34.56.78
</Limit>
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
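To see exactly which requests these two blocks let through, here is a small Python model of how Apache (2.2, or 2.4 with mod_access_compat) evaluates Order, Allow and Deny inside <Limit> and <Files>. It is an added example, not code from the post, and it never talks to a web server: it parses a constructed copy of the .htaccess above and decides requests offline. The test address 203.0.113.9 and the file names are constructed. The model also makes one caveat visible: <Limit GET POST PUT> only restricts the methods it names (plus HEAD, which Apache treats as GET), so a request using any other method is not covered by the deny rule. Leaving the <Limit> wrapper off, so the directives apply to every method, closes that gap.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed copy of the post's full /wp-admin/.htaccess.
HTACCESS = """\
# Limit logins and admin by IP
<Limit GET POST PUT>
order deny,allow
deny from all
allow from 12.34.56.78
</Limit>
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
"""


def _new_block(methods=None, files=None):
    # None for methods/files means the block applies to every method/file.
    return {"methods": methods, "files": files, "order": None,
            "allow": [], "deny": [], "satisfy": "all"}


def parse_htaccess(text):
    """Parse <Limit>/<Files> containers holding Order, Allow, Deny, Satisfy."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.fullmatch(r"<Limit\s+(.+?)\s*>", line, re.I):
            current = _new_block(methods={x.upper() for x in m.group(1).split()})
        elif m := re.fullmatch(r"<Files\s+(.+?)\s*>", line, re.I):
            current = _new_block(files={m.group(1).strip('"')})
        elif re.fullmatch(r"</(Limit|Files)>", line, re.I):
            blocks.append(current)
            current = None
        elif current is None:
            raise ValueError("directive outside a container: " + line)
        else:
            key, _, value = line.partition(" ")
            key = key.lower()
            if key == "order":
                current["order"] = value.replace(" ", "").lower()
            elif key in ("allow", "deny"):
                # "allow from 12.34.56.78 10.0.0.0/8": hosts follow the word "from"
                current[key].extend(value.split()[1:])
            elif key == "satisfy":
                # Only relevant when Require/auth is configured too; recorded only.
                current["satisfy"] = value.strip().lower()
            else:
                raise ValueError("unsupported directive: " + line)
    return blocks


def _host_matches(pattern, client_ip):
    # Patterns used by the post: 'all', a full IP address, or CIDR notation.
    return pattern.lower() == "all" or \
        ip_address(client_ip) in ip_network(pattern, strict=False)


def _host_decision(block, client_ip):
    allowed = any(_host_matches(p, client_ip) for p in block["allow"])
    denied = any(_host_matches(p, client_ip) for p in block["deny"])
    if block["order"] == "deny,allow":
        # Deny list first, then Allow: an Allow match wins, default is allow.
        return allowed or not denied
    if block["order"] == "allow,deny":
        # Allow list first, then Deny: a Deny match wins, default is deny.
        return allowed and not denied
    raise ValueError("block has no Order directive")


def request_allowed(blocks, client_ip, method, filename):
    """Would Apache's host rules let this request into /wp-admin?

    Blocks apply in file order; a later applicable block replaces the host
    decision of earlier ones (a <Files> section merges after the
    directory-wide <Limit>).  HEAD is governed by GET, as in Apache.  With
    no applicable block the request is allowed.
    """
    method = "GET" if method.upper() == "HEAD" else method.upper()
    decision = True
    for block in blocks:
        if block["methods"] is not None and method not in block["methods"]:
            continue
        if block["files"] is not None and filename not in block["files"]:
            continue
        decision = _host_decision(block, client_ip)
    return decision


def demo():
    """Evaluate the post's rules against four constructed requests."""
    blocks = parse_htaccess(HTACCESS)
    cases = [
        ("12.34.56.78", "GET", "index.php"),        # the site owner's own IP
        ("203.0.113.9", "POST", "index.php"),       # anyone else posting a form
        ("203.0.113.9", "POST", "admin-ajax.php"),  # Ajax endpoint stays open
        ("203.0.113.9", "OPTIONS", "index.php"),    # method not named in <Limit>
    ]
    return {case: request_allowed(blocks, *case) for case in cases}


if __name__ == "__main__":
    for (ip, method, name), ok in demo().items():
        print(f"{method:7} /wp-admin/{name:15} from {ip:12} -> "
              f"{'allowed' if ok else '403 Forbidden'}")
```

Running it shows the owner's IP getting in, everyone else getting 403 on GET/POST/PUT, admin-ajax.php staying open to all, and the OPTIONS request slipping past the <Limit> block untouched.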

Hints - iPads & smartphones: you usually can’t control your IP address on your mobile phone, and some iOS / Android apps won’t work if you have an IP address restriction in place. But then, what’s the price of security?

Tags: IP Access, Restriction, Security

Meet the author

Damien Saunders