In light of the latest attacks on WordPress sites everywhere, I thought I should probably step up security a bit here. Not that I thought I had a bad password or anything, but I still had the default admin account enabled. This attack is being conducted by a huge botnet of about 90,000 computers trying a large dictionary of passwords against the admin account. I wasn't too concerned, but since the attack was targeting the admin account and I was seeing a huge spike in access to wp-login.php, I still had an uneasy feeling in my gut.
First, the admin account is now disabled. They can target it all they want!
Second, no one should need to access wp-login.php from anywhere in the world, so I updated .htaccess to only allow access from my IP address.
```apache
<Files "wp-login.php">
    # Order/Deny/Allow is Apache 2.2 syntax; on Apache 2.4 the equivalent is
    # "Require ip xxx.xxx.xxx.0/24" (mod_authz_core).
    Order Deny,Allow
    Deny from all
    Allow from xxx.xxx.xxx.0/24
    # Unquoted remote URL: Apache redirects blocked clients there. With the URL
    # in double quotes Apache would serve it as literal text instead.
    ErrorDocument 403 http://www.google.com
</Files>
```
Third, I installed the Limit Login Attempts plugin for WordPress, which automatically blocks an IP after a set number of failed login attempts.
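The spike in wp-login.php traffic mentioned above can be spotted in the Apache access log before a plugin ever sees it. The script below is an added example, not code from the post or from the Limit Login Attempts plugin: it reads combined-format log lines (the sample lines and the IP addresses in them are constructed), treats a POST to wp-login.php answered with HTTP 200 as a failed login (WordPress re-renders the form on a bad password and redirects with 302 on success), and flags any client that exceeds a failure count inside a time window, the same per-IP rule the plugin enforces.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined-log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample log lines (not from the original post): 203.0.113.5 hammers
# the login form, 198.51.100.7 is one legitimate login, 192.0.2.9 just reads a post.
SAMPLE_LOG = "\n".join(
    ['203.0.113.5 - - [12/Apr/2013:10:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"' % s
     for s in range(1, 7)] +
    ['198.51.100.7 - - [12/Apr/2013:10:00:07 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"',
     '198.51.100.7 - - [12/Apr/2013:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
     '192.0.2.9 - - [12/Apr/2013:10:00:10 +0000] "GET /2013/04/hello/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"'])

def failed_login_times(log_text):
    """Map client IP -> timestamps of failed wp-login.php POSTs.
    WordPress re-renders the form with HTTP 200 on a bad password and answers
    302 (redirect into wp-admin) on success, so POST + 200 is the failure signal."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined-log format
        if (m.group("method") == "POST" and m.group("status") == "200"
                and m.group("path").split("?")[0].endswith("/wp-login.php")):
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            failures[m.group("ip")].append(ts)
    return failures

def brute_force_sources(log_text, max_failures=4, window_seconds=300):
    """IPs that exceeded max_failures failed logins within any window_seconds
    span, which is the per-IP rule a plugin like Limit Login Attempts enforces."""
    flagged = set()
    for ip, times in failed_login_times(log_text).items():
        times.sort()
        # Sliding window: if failure i lands within window_seconds of failure
        # i - max_failures, the client has exceeded the limit.
        for i in range(max_failures, len(times)):
            if (times[i] - times[i - max_failures]).total_seconds() <= window_seconds:
                flagged.add(ip)
                break
    return flagged

if __name__ == "__main__":
    print(sorted(brute_force_sources(SAMPLE_LOG)))  # ['203.0.113.5']
```

Pipe a real log in with `open("/var/log/apache2/access.log").read()` in place of SAMPLE_LOG; the flagged addresses are candidates for a Deny rule or a firewall block.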