Help with limiting admin area wordpress

2 replies
Hi all, I having been trying to limit my admin area using .htcccess the issue i have have it that it doesn't seem to work fully.
This is the code i'm using.

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^ip\.ip\.ip\.ip$
RewriteRule ^(.*)$ - [R=403,L]

I have placed it in my .htaccess, when i test it, it appears to work if i don't include my Ip range it blocks access. Great!
However i'm still getting attacks which i can't understand, is the code wrong or in the wrong folder does anyone have any idea what i can do, or is this not a bullet proof method. any help much appreciated. Hope i have given enough information.
#admin #area #limiting #wordpress
  • Profile picture of the author Graham Maddison
    Sorry, I can't help you with the code, but from my personal experience, the "Wordfence" security plugin should do all you need it to do in stopping attempted unauthorised access.
    Trade without Boundaries.
    Start with $30 Trading Bonus.
    No Deposit Required
    {{ DiscussionBoard.errors[10556990].message }}
    • Profile picture of the author kilgore
      At first glance (and without actually testing it myself) the code looks right. Have you tried leaving the IP Address in and browsing your site from another IP address?

      Also, what does your apache access log tell you? When other people (or bots) are trying to access your admin page are they getting a 403?

      Finally, what exactly are the nature of the attacks? It could be that they're trying to attack you using another vector than just accessing the wp-admin. I think what you're trying to do is a good practice -- I do the same kind of thing though using my load balancer configuration instead of .htaccess, though it comes to the same thing in the end. That said, while this is a good practice, you can't expect it to solve all your security issues in one go.

      I don't know anything about it, but it may be worth looking into the Wordfence (or other) plugin as recommended by the poster above. But even with a plugin, you shouldn't assume that you're 100% safe.

      You also might look at using something like Cloudflare which has a Web Application Firewall that helps block suspicious activity. (I should note that I don't use CloudFlare myself as I've built my own WAF, so I can't vouch for it -- and there are plenty of other services than CloudFlare that do the same kind of thing.)

      And don't forget: backup, backup, backup, backup! (And do not rely on your webhost for backups!)

      The upshot is security is a pain in the butt -- and you should never rely on just one technique to solve all your problems. Still, I can see you're already taking a proactive approach, so well done so far!
      {{ DiscussionBoard.errors[10557725].message }}

Trending Topics