In light of the latest attacks on WordPress sites everywhere, I thought I should step up security a bit here. Not that I had a bad password or anything, but I still had the default admin account enabled. The attack is being conducted by a huge botnet of about 90,000 computers trying a large dictionary of passwords against the admin account. I wasn't too concerned, but since it was targeting the admin account and I was seeing a huge spike in access to wp-login.php, I still had an uneasy feeling in my gut.

First, the admin account is now disabled. They can target it all they want! Second, nobody but me needs to reach wp-login.php from anywhere in the world, so I updated .htaccess to allow access to it only from my own IP address.

<Files "wp-login.php">
  # Apache 2.2 access-control syntax (on 2.4 this needs mod_access_compat, or the equivalent Require directives)
  Order Deny,Allow
  Deny from all
  # Replace YOUR.IP.ADDRESS with the address you administer from (placeholder; the post omits the real IP)
  Allow from YOUR.IP.ADDRESS
  # Return an empty body with the 403 instead of the default error page
  ErrorDocument 403 ""
</Files>

Third, I installed the Limit Login Attempts plugin for WordPress, which automatically blocks an IP after a set number of failed login attempts.
