If you're like one of the millions of people using WordPress for their website, you have probably dealt with a brute-force login attack on your site, or worse, been hacked because of one.
One of the most frustrating things about these attacks is that the typical advice is either to hide your login page behind a custom URL via a plugin or to add a captcha to the login page. If you're like me, you despise captchas and how much time is wasted on them.
There is actually a very simple solution to this problem that does not require changing your default login page or adding a captcha.
Requirements: Static IP or VPN with Static IP
In this example the static IP will be 1.2.3.4. You can actually put multiple IPs in for the site if you have several, say a home office and a VPN for when you are mobile or travelling.
To find your IP, you can use a site like the one below to view your current IP.
Once you know your IP, note it down and navigate to your control panel, or wherever your WordPress installation is hosted. In this example it is going to be inside a cPanel account that houses the WordPress install.
Navigate to the main document root for the WordPress install via FTP or the file manager. This will be where the index.php for
/home/username/public_html/.htaccess
Now once
#Redirect all non SSL URLs to use SSL aka HTTPS
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]
#Deny access to the wp-login page to all except the whitelisted IP's below.
<Files wp-login.php>
order deny,allow
Deny from all
# whitelist home IP address
allow from 1.2.3.4
#whitelist office IP Address
allow from 1.2.3.5
#whitelist vpn IP Address
allow from 1.2.3.6
#commented out rule
#allow from 1.2.3.7
</Files>
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
<files wp-config.php>
order allow,deny
deny from all
</files>
You may have other rules below this and that's fine. If you already have a rewrite rule redirecting to SSL, the top one may not be needed. So for our example the
#Redirect all non SSL URLs to use SSL aka HTTPS
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]
#Deny access to the wp-login page to all except the whitelisted IP's below.
<Files wp-login.php>
order deny,allow
Deny from all
# whitelist home IP address
allow from 1.2.3.4
#whitelist office IP Address
allow from 1.2.3.5
#whitelist vpn IP Address
allow from 1.2.3.6
#redirect the failed logins to get rickrolled
ErrorDocument 403 https://www.youtube.com/watch?v=dQw4w9WgXcQ
</Files>
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
<files wp-config.php>
order allow,deny
deny from all
</files>
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Now that we have the main wp-login page secured, we also need to ensure that the admin area, which is typically https://yourdomain.tld/wp-admin, does not allow anyone to visit it who is not explicitly whitelisted. We are now going to create a new file called .htaccess in the wp-admin folder, with the same content below, whitelisting the desired IPs and redirecting
/home/username/public_html/wp-admin/.htaccess
Order Deny,Allow
Deny from all
# whitelist home IP address
allow from 1.2.3.4
#whitelist office IP Address
allow from 1.2.3.5
#whitelist vpn IP Address
allow from 1.2.3.6
ErrorDocument 403 https://www.youtube.com/watch?v=dQw4w9WgXcQ
Once this is done, to test it you will need to either disconnect from the VPN and visit your WordPress login page from an IP that is not whitelisted. If
If you only have a static IP and cannot change it, the other way to test is to comment out the rule for the location you're currently using, so the rule is there but not active. If it works you can use the control panel
#whitelist office IP Address
#allow from 1.2.3.5
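Before saving a whitelist, the cheapest way to catch a lockout is to evaluate the rules against your current address offline. The following Python script is an added example, not part of the original post: it parses a <Files> block in the post's format, skips commented-out lines the way Apache does, and reports whether a given client IP would be let through under the Order/Allow/Deny semantics used above. It also prints the equivalent Apache 2.4 `Require` block, because Order, Allow and Deny are provided by mod_access_compat on Apache 2.4 and an .htaccess that uses them returns a 500 error on a server where that module is not loaded. The sample block, the 203.0.113.0/24 subnet and the probe addresses are constructed for the example; only full addresses and CIDR ranges are handled, not Apache's partial-address forms.

```python
"""Offline lockout check for an .htaccess IP whitelist.

Added example (not from the original post). Parses a <Files ...> block,
keeps only the active Allow/Deny lines (commented-out lines are skipped,
exactly as Apache skips them), evaluates a client IP under the legacy
Order/Allow/Deny semantics, and renders the Apache 2.4 `Require` form.
Only full addresses and CIDR ranges are understood, not partial forms
such as `Allow from 10.1`.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: the post's wp-login.php block with the office entry
# commented out for testing, plus a constructed /24 (TEST-NET-3).
SAMPLE_HTACCESS = """\
<Files wp-login.php>
order deny,allow
Deny from all
# whitelist home IP address
allow from 1.2.3.4
#whitelist office IP Address
#allow from 1.2.3.5
#whitelist vpn IP Address
allow from 1.2.3.6
# constructed: a whole office subnet
allow from 203.0.113.0/24
ErrorDocument 403 https://www.youtube.com/watch?v=dQw4w9WgXcQ
</Files>
"""

# `from all` is modelled as the two catch-all networks.
ANY = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]


@dataclass
class AccessRules:
    order: str = "deny,allow"  # Apache's default when no Order directive is present
    allows: list = field(default_factory=list)
    denies: list = field(default_factory=list)


def _to_networks(hosts):
    """Turn the arguments of `Allow/Deny from` into ip_network objects."""
    nets = []
    for h in hosts:
        if h.lower() == "all":
            nets.extend(ANY)
        else:
            nets.append(ipaddress.ip_network(h, strict=False))
    return nets


def parse_files_block(text, filename):
    """Collect Order/Allow/Deny directives inside <Files filename> ... </Files>."""
    pattern = re.compile(
        r"<files\s+" + re.escape(filename) + r"\s*>(.*?)</files>", re.I | re.S)
    m = pattern.search(text)
    if not m:
        raise ValueError(f"no <Files {filename}> block found")
    rules = AccessRules()
    for raw in m.group(1).splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out directive: inactive
        parts = line.split()
        directive = parts[0].lower()
        if directive == "order" and len(parts) > 1:
            rules.order = parts[1].lower()
        elif directive in ("allow", "deny") and len(parts) > 2 and parts[1].lower() == "from":
            target = rules.allows if directive == "allow" else rules.denies
            target.extend(_to_networks(parts[2:]))
    return rules


def is_allowed(client_ip, rules):
    """Decide one client address the way mod_access_compat would."""
    ip = ipaddress.ip_address(client_ip)
    hit_allow = any(ip in n for n in rules.allows)
    hit_deny = any(ip in n for n in rules.denies)
    if rules.order == "deny,allow":
        # Deny is evaluated first, a matching Allow overrides it, default is allow.
        return hit_allow or not hit_deny
    # allow,deny: an Allow must match and no Deny may match, default is deny.
    return hit_allow and not hit_deny


def render_require_block(filename, rules):
    """Apache 2.4 (mod_authz_host) form of a deny-all-then-whitelist block."""
    hosts = []
    for n in rules.allows:
        if n in ANY:
            return f"<Files {filename}>\nRequire all granted\n</Files>"
        hosts.append(str(n.network_address) if n.num_addresses == 1 else str(n))
    body = "Require ip " + " ".join(hosts) if hosts else "Require all denied"
    return f"<Files {filename}>\n{body}\n</Files>"


if __name__ == "__main__":
    rules = parse_files_block(SAMPLE_HTACCESS, "wp-login.php")
    for probe in ("1.2.3.4", "1.2.3.5", "203.0.113.77", "198.51.100.9"):
        print(probe, "allowed" if is_allowed(probe, rules) else "BLOCKED")
    print(render_require_block("wp-login.php", rules))
```

Run it with the address shown by the IP-lookup site before you upload the file; if your own address comes back as BLOCKED, the commented-out or mistyped entry is the one to fix. One thing the script cannot tell you: the same deny-all rule placed in wp-admin/.htaccess also blocks wp-admin/admin-ajax.php, which some plugins and themes call on behalf of ordinary visitors, so check the public site after applying it.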
You may be thinking: this is awesome, I want to be able to log in to my WordPress without weird login URLs or annoying captchas, but I don't have a static IP or VPN.
Below is a premade main .htaccess file for WordPress for our VPN users.
#Redirect all non SSL URLs to use SSL aka HTTPS
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]
#Deny access to the wp-login page to all except the whitelisted IP's below.
<Files wp-login.php>
order deny,allow
Deny from all
# whitelist home IP address
#allow from 1.2.3.4
#whitelist office IP Address
#allow from 1.2.3.5
#whitelist vpn IP Address
#allow from 1.2.3.6
# softy1 NL Amsterdam
Allow from 93.158.203.109
#softy2 NL Amsterdam
Allow from 93.158.203.91
#softy3 US Miami
Allow from 144.202.38.159
#softy4 US Chicago
Allow from 8.12.16.99
#softy5 US New Jersey
Allow from 45.32.6.181
#softy6 US Seattle
Allow from 144.202.93.38
#softy7 US Los Angeles
Allow from 45.76.174.145
#softy8 AU Sydney
Allow from 149.28.162.174
#softy9 JP Tokyo
Allow from 202.182.105.46
#softy10 HK Singapore
Allow from 149.28.151.117
#softy11 FR Paris
Allow from 140.82.54.59
#softy12 DE Frankfurt
Allow from 104.238.167.21
#softy13 UK London
Allow from 45.63.101.64
#Softy14 NL Amsterdam
Allow from 93.158.203.100
#softy15 NL Amsterdam
Allow from 93.158.203.112
#softy16 CA Toronto
Allow from 155.138.147.206
</Files>
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
<files wp-config.php>
order allow,deny
deny from all
</files>
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Below is the .htaccess file to use in the WordPress admin folder. Please note this same method will work for any CMS to protect an admin folder, such as PrestaShop, OpenCart, Magento, WHMCS, etc., so it is a pretty amazing way to secure these areas with very little effort.
Order Deny,Allow
Deny from all
# whitelist home IP address
#allow from 1.2.3.4
#whitelist office IP Address
#allow from 1.2.3.5
#whitelist vpn IP Address
#allow from 1.2.3.6
# softy1 NL Amsterdam
Allow from 93.158.203.109
#softy2 NL Amsterdam
Allow from 93.158.203.91
#softy3 US Miami
Allow from 144.202.38.159
#softy4 US Chicago
Allow from 8.12.16.99
#softy5 US New Jersey
Allow from 45.32.6.181
#softy6 US Seattle
Allow from 144.202.93.38
#softy7 US Los Angeles
Allow from 45.76.174.145
#softy8 AU Sydney
Allow from 149.28.162.174
#softy9 JP Tokyo
Allow from 202.182.105.46
#softy10 HK Singapore
Allow from 149.28.151.117
#softy11 FR Paris
Allow from 140.82.54.59
#softy12 DE Frankfurt
Allow from 104.238.167.21
#softy13 UK London
Allow from 45.63.101.64
#Softy14 NL Amsterdam
Allow from 93.158.203.100
#softy15 NL Amsterdam
Allow from 93.158.203.112
#softy16 CA Toronto
Allow from 155.138.147.206
ErrorDocument 403 https://www.youtube.com/watch?v=dQw4w9WgXcQ
Please note if you accidentally block yourself or forget to whitelist a new location.