Securing WordPress

In light of the latest attacks on WordPress sites everywhere I thought I should probably step up security a bit here. Not that I thought I had a bad password or anything but I still had the default admin account enabled. This attack is being conducted by a huge botnet of about 90,000 computers trying a large dictionary of passwords against the admin account. I wasn’t too concerned but the fact that it was targeting the admin account and seeing a huge spike in access to wp-login.php I still had an uneasy feeling in my gut.

First, the admin account is now disabled. They can target it all they want!.

Second, no one should need to access wp-login.php from anywhere in the world. So I updated .htaccess to only allow access from my IP address.

<Files "wp-login.php">
Order Deny,Allow
Deny from all
Allow from
ErrorDocument 403 ""

Third, installed the Limit Login Attempts plugin for WordPress which will automatically block an IP after so many failed login attempts.

Tags: , , , ,

Tuesday, April 16th, 2013 Security, Tips and Tricks

Leave a Reply


Comments are moderated due to spammers. Your comments will not appear until I review and approve them. If you left a question I will answer as best I can so be sure to check back.