This post explains how WordPress owners can lock down the WordPress login page and, as a side effect, reduce server load.
It is done by restricting access to the WordPress login page (wp-login.php) so that only known IP addresses can reach it.
All Ripefruit hosting clients running WordPress already have this restriction in place.
If a client sees a 403 Forbidden notice on their WordPress login page, they simply contact us with their IP address* and we add it to the allow list.
*How to get your IP address: search Google for “What’s my IP address”.
WordPress Admin Protection
Article: WP Admin Security
WordPress: Use IP restrictions to limit access to /wp-admin/
The administrative area of a web application is very sensitive, and if it is compromised the consequences can be devastating. WordPress is no exception. One effective measure is to limit access to the login page, wp-login.php,
so that only requests originating from a set of known IP addresses can reach it. Because /wp-admin/ redirects anyone without a valid login session to wp-login.php, nobody outside the allowed addresses can log in.
This measure is highly recommended for website owners who want to protect their WordPress admin area. It also improves website performance, because requests from unknown addresses are rejected by the web server before PHP ever runs.
Background
A little while ago we noticed our server becoming slow and unresponsive.
We ran a query against the access logs and found that the WordPress sites on the server were being bombarded with hits to wp-login.php (the standard login address for every WordPress website).
The results:
Attempts – Domain name
116 xxxxxxxxxxxx.com.au
116 xxxxxxxxxxxxxxxxxxxxxxx.edu.au
219 xxxxx.info
424 xxxxxxxxxxxxxxxxxxxx.com
527 xxxxxxxxxxxxxx.be
535 xxxxxxxxxxxxxxx.com.au
535 xxxxxxxxxxxxxxx.com
539 xxxxxxxxxxxxxxxxxx.com
840 xxxxxxxxxxxxxxxxxxxx.info
1076 xxxxxxxxxxxxxxxxxxxx.com
2181 xxxxxxxxxxxxxxxxxxxxxxxxxxx.com
3386 xxxxxxxxxxxxxxxxxxx.com.au
3413 xxxxxxxxxxxxxxxxxxxx.com.au
4557 xxxxxxxxxxxxxxxxxxxxx.com.au
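As an added example, not code from the original post, the following shell script reproduces the log query above: it counts wp-login.php hits per virtual host and lists the client addresses sending the most login requests. It assumes Apache's vhost_combined log format (host:port first, then the usual combined fields); the log lines embedded in the script are constructed for illustration, and the hostnames and addresses in them are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Counts hits to wp-login.php per
# virtual host and per client address in an Apache access log.
# Assumes the "vhost_combined" log format:
#   vhost:port client - - [date tz] "METHOD path HTTP/x" status bytes "referer" "agent"
# so awk field $1 is vhost:port, $2 is the client IP and $8 is the requested path.

# Constructed sample log (placeholder hostnames, RFC 5737 documentation addresses).
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
example-a.com.au:80 198.51.100.23 - - [10/Oct/2023:13:55:36 +1000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
example-a.com.au:80 198.51.100.23 - - [10/Oct/2023:13:55:38 +1000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
example-a.com.au:80 203.0.113.9 - - [10/Oct/2023:13:56:01 +1000] "GET /about/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
example-b.info:80 198.51.100.23 - - [10/Oct/2023:13:56:10 +1000] "GET /wp-login.php HTTP/1.1" 200 3011 "-" "Mozilla/5.0"
example-b.info:80 198.51.100.23 - - [10/Oct/2023:13:56:11 +1000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
example-c.com:80 192.0.2.44 - - [10/Oct/2023:13:57:00 +1000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
example-c.com:80 192.0.2.44 - - [10/Oct/2023:13:57:01 +1000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
example-c.com:80 192.0.2.44 - - [10/Oct/2023:13:57:02 +1000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 4100 "-" "python-requests/2.31"
example-c.com:80 203.0.113.9 - - [10/Oct/2023:13:58:00 +1000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF

# Usage: count_wp_login_hits <logfile>
# Prints "<hits> <hostname>" for every site, lowest first, like the table in the post.
# The path match also catches wp-login.php?action=... variants.
count_wp_login_hits() {
    awk '$8 ~ /^\/wp-login\.php/ { split($1, host, ":"); print host[1] }' "$1" \
        | sort | uniq -c | sort -n | awk '{ print $1, $2 }'
}

# Usage: top_login_clients <logfile> <n>
# Prints the <n> client addresses sending the most wp-login.php requests, busiest
# first. These are the addresses to check against the allow list or to block.
top_login_clients() {
    awk '$8 ~ /^\/wp-login\.php/ { print $2 }' "$1" \
        | sort | uniq -c | sort -rn | head -n "$2" | awk '{ print $1, $2 }'
}

echo "wp-login.php hits per site:"
count_wp_login_hits "$SAMPLE_LOG"
echo
echo "busiest clients:"
top_login_clients "$SAMPLE_LOG" 3
```

Point both functions at the real log (for example /var/log/apache2/access.log) instead of the sample file. If the server uses plain combined format without the leading host:port field, drop the split on $1 and shift the field numbers down by one.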
That is a lot of unauthorised traffic.
Keep in mind that it is not only the number of requests to the page: every login attempt is processed by PHP and the database before it is rejected. That adds up to a great deal of unnecessary processing and load on the server, and in most cases it is an attacker trying to guess a password.
Since we are talking about one page (wp-login.php), we looked at how to process only legitimate requests to it.
Yes, there are plugins that rename the login page, which stops some attempts, but we wanted to block all login attempts from unknown sources, along with the 404 errors and failed logins they produce.
We found a WordPress plugin that can handle this type of blocking: all-in-one-wp-security-and-firewall has a feature that blocks IPs that hit 404 errors too many times.
Again, the problem is that the server still has to process the illegitimate attempts before the IP is blocked, so why not work the other way round:
block access to the login page for all but known IP addresses.
Adding the code below to the site's .htaccess file does exactly that.
- No more failed logins from unknown addresses
- No server drain from automated login attempts
- Password guessing from anywhere outside the allow list is rejected before WordPress runs
- Easy to do and maintain
How to Limit Access: htaccess Code
# Add the block below to the site's .htaccess to allow only specific IPs to reach the login page.
# Order/Allow/Deny are the legacy access directives: they work on Apache 2.2, and on Apache 2.4 only when mod_access_compat is loaded.
<FilesMatch "^wp-login\.php$">
    Order deny,allow
    # One "Allow from" line per trusted address; with "Order deny,allow" the Allow lines override the Deny.
    Allow from xxx.xx.xx.xx
    Allow from xxx.xx.xx.xx
    Deny from all
    # Message shown to anyone who is not on the list
    ErrorDocument 403 "Access forbidden. See .htaccess file to allow trusted IPs"
</FilesMatch>
Replace xxx.xx.xx.xx with the IP address you wish to allow, adding one Allow line per address.
Only experienced users should attempt this. If your own address changes (most home connections have a dynamic IP) you will see the 403 page yourself, so keep another way to edit .htaccess handy, such as FTP or the hosting control panel.
What IP address?
Search Google for “What’s my IP address”.
Restricting the login page this way considerably improved server performance and made the admin area much harder to attack.
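The same restriction written in Apache 2.4 syntax, as an added example that is not part of the original post. It assumes Apache 2.4 with mod_authz_core and a .htaccess override that permits access-control directives; the addresses 203.0.113.10 and 198.51.100.0/24 are placeholders to be replaced with your own. The second section goes beyond the post: xmlrpc.php also accepts username and password logins, so password guessing can continue there even when wp-login.php is locked down.

```apache
# Added example: Apache 2.4 syntax (mod_authz_core). Only the listed addresses
# reach the login page; everyone else gets a 403 before PHP runs.
<FilesMatch "^wp-login\.php$">
    # Placeholder addresses: a single office IP and an office range (CIDR is accepted).
    # Several Require lines in one section are combined as "any of these".
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
    ErrorDocument 403 "Access forbidden. See .htaccess file to allow trusted IPs"
</FilesMatch>

# Goes beyond the post: xmlrpc.php accepts password logins too, so restrict it
# the same way, unless a plugin or the mobile app needs it from other addresses.
<FilesMatch "^xmlrpc\.php$">
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
</FilesMatch>
```

Do not mix the two styles in one section: on Apache 2.4, Order/Allow/Deny lines only work when mod_access_compat is loaded, and combining them with Require in the same <FilesMatch> produces confusing results. Test from an address that is not on the list and confirm you receive the 403 page.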