In light of the latest attacks on WordPress sites everywhere I thought I should probably step up security a bit here. Not that I thought I had a bad password or anything but I still had the default admin account enabled. This attack is being conducted by a huge botnet of about 90,000 computers trying a large dictionary of passwords against the admin account. I wasn’t too concerned but the fact that it was targeting the admin account and seeing a huge spike in access to wp-login.php I still had an uneasy feeling in my gut.

First, the admin account is now disabled. They can target it all they want! Second, no one should need to access wp-login.php from anywhere in the world. So I updated .htaccess to only allow access from my IP address.

<Files "wp-login.php">
  Order Deny,Allow
  Deny from all
  Allow from xxx.xxx.xxx.xxx/32
  ErrorDocument 403 "https://www.google.com"
</Files>

Third, installed the Limit Login Attempts plugin for WordPress which will automatically block an IP after so many failed login attempts.

Related Posts

Leave a Reply