In light of the latest attacks on WordPress sites everywhere, I thought I should probably step up security a bit here. Not that I thought I had a bad password or anything, but I still had the default admin account enabled. This attack is being conducted by a huge botnet of about 90,000 computers trying a large dictionary of passwords against the admin account. I wasn’t too concerned, but the fact that it was targeting the admin account, together with seeing a huge spike in access to wp-login.php, still left me with an uneasy feeling in my gut.
First, the admin account is now disabled. They can target it all they want! Second, no one should need to access wp-login.php from anywhere in the world. So I updated .htaccess to only allow access from my IP address.
    # Restrict the login page to a single source address (Apache 2.2 mod_authz_host syntax)
    <Files "wp-login.php">
        Order Deny,Allow
        Deny from all
        # Replace with your own address; /32 means exactly one IPv4 host
        Allow from xxx.xxx.xxx.xxx/32
        # Leave the URL unquoted: a quoted value is treated by Apache as a text message
        # to display, while an unquoted URL redirects denied clients to it
        ErrorDocument 403 https://www.google.com
    </Files>
Third, I installed the Limit Login Attempts plugin for WordPress, which automatically blocks an IP after a set number of failed login attempts.
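As an added example, not code from the original post or from the Limit Login Attempts plugin, here is a short Python script that makes the same decision the plugin makes but offline, over the web server's access log: it parses Apache combined-format lines, counts POSTs to wp-login.php per client address inside a sliding time window (a GET only renders the form; a POST is a password guess), skips an allowlisted owner address, and reports the addresses that cross a threshold, optionally rendering them as "Deny from" lines for the .htaccess block above. The log lines, addresses, timestamps, threshold and window are all constructed for the example.

```python
"""Spot wp-login.php brute-force sources in an Apache access log.

Added example, not the original post's code and not the Limit Login Attempts
plugin's code. All addresses, timestamps and log lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" format: ip ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_bruteforcers(lines, threshold=5, window_seconds=600, allowlist=()):
    """Map each offending IP to its peak count of wp-login.php POSTs inside the window.

    Only POSTs count as guesses. Addresses in `allowlist` (e.g. the owner's) are skipped.
    """
    window = timedelta(seconds=window_seconds)
    records = [r for r in map(parse_line, lines) if r is not None]
    records.sort(key=lambda r: r["ts"])       # log lines are not guaranteed to be ordered
    recent = defaultdict(deque)               # ip -> timestamps still inside the window
    flagged = {}
    for rec in records:
        if rec["method"] != "POST" or not rec["path"].startswith("/wp-login.php"):
            continue
        if rec["ip"] in allowlist:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:      # drop guesses that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


def to_htaccess_deny(flagged):
    """Render flagged IPs as Apache 2.2 'Deny from' lines for a <Files "wp-login.php"> block."""
    return ["Deny from %s" % ip for ip in sorted(flagged)]


# Constructed sample log: one address hammering the form, the owner logging in,
# a third address with two attempts 40 minutes apart, and one malformed line.
SAMPLE_LOG = [
    '203.0.113.10 - - [15/Apr/2013:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [15/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2410 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [15/Apr/2013:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 2410 "-" "Mozilla/5.0"',
    '192.0.2.1 - - [15/Apr/2013:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [15/Apr/2013:10:00:14 +0000] "POST /wp-login.php HTTP/1.1" 200 2410 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [15/Apr/2013:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 2410 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Apr/2013:10:00:25 +0000] "POST /wp-login.php HTTP/1.1" 200 2410 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [15/Apr/2013:10:00:27 +0000] "POST /wp-login.php HTTP/1.1" 200 2410 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [15/Apr/2013:10:00:33 +0000] "POST /wp-login.php?action=login HTTP/1.1" 200 2410 "-" "Mozilla/5.0"',
    '192.0.2.1 - - [15/Apr/2013:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Apr/2013:10:40:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2410 "-" "Mozilla/5.0"',
    'this line is not an access-log record',
]

if __name__ == "__main__":
    hits = find_bruteforcers(SAMPLE_LOG, allowlist={"192.0.2.1"})
    for ip, n in hits.items():
        print("%s: %d login POSTs inside the window" % (ip, n))
    print("\n".join(to_htaccess_deny(hits)))
```

Note that WordPress answers a failed login with HTTP 200 (it re-renders the form) and a successful one with a 302 redirect, so the status code alone does not separate guesses from logins; the rate of POSTs per address is the signal, which is why the script keys on method and path rather than status. The window matters: with the default ten minutes the third address is never flagged, because its two attempts are far apart, while widening the window to an hour catches it.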