Securing Your WordPress Site
So today, I posted an editorial on my website (Fluffyshotme Photography) that I wrote because I felt very strongly about the subject.
The result has been thousands of hits on my website since this afternoon, which is normally a good thing.
Tonight, I started receiving Brute Force attacks on my site and I started getting lockout notifications rolling into my phone.
I ended up limiting access to my login page with my htaccess file, but what I wanted to share with everyone is that most of the login attempts are using the Username "Admin", "Support" and "Test". I do not use any of these Usernames, but thought I would take pause for a moment and remind everyone who uses WordPress that using a secure password is only half of the battle; you also need to use a Username that no one is likely to guess.
So far, so good on my site, but I can tell you that I am now on someone's list, so I will always have to hide behind the htaccess file.
I hope that sharing this experience helps others who use WordPress to keep their site more secure.
If you are looking for the syntax for limiting logins to your IP address by editing your htaccess file, here is a sample. Paste it at the beginning of your htaccess file and change the IP address 123.123.123.123 to the addresses you want to allow, adding a new line for each address you want to permit (Home, Work, School, etc...).
# This code blocks every IP address except yours from the login page and wp-admin
# Note: dots in the IP address are escaped so that "." matches only a literal dot
# Note: REMOTE_ADDR is the address Apache sees; behind a proxy or CDN it will be the proxy's address
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# One RewriteCond line per permitted address; all must fail to match before the rule fires
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule ^(.*)$ - [R=403,L]
# End of code to block IP addresses
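As an added example (not from the original post), here is a small Python script that spots the kind of brute-force activity described above by counting login POSTs per client IP in Apache combined-format access-log lines, and that renders the htaccess allowlist block from the post for a list of trusted addresses with the dots escaped. The log lines, IP addresses and the threshold of five attempts are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample Apache access-log lines (combined format), not real traffic:
# one client hammering wp-login.php, one normal login, one ordinary page view.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:22:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:22:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:22:01:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:22:01:08 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:22:01:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Jan/2024:22:02:11 +0000] "GET /wp-login.php HTTP/1.1" 200 3170 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Jan/2024:22:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [01/Jan/2024:22:03:00 +0000] "GET /2024/01/editorial/ HTTP/1.1" 200 15234 "-" "Mozilla/5.0"
"""

# Client IP, request method, path and status from one combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def login_post_counts(log_text):
    """Count POST requests to wp-login.php per client IP (each POST is a login attempt)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        if m.group("path").split("?", 1)[0].endswith("wp-login.php"):
            counts[m.group("ip")] += 1
    return counts

def brute_force_suspects(log_text, threshold=5):
    """IPs with at least `threshold` login POSTs, busiest first."""
    return [ip for ip, n in login_post_counts(log_text).most_common() if n >= threshold]

def htaccess_allowlist(allowed_ips):
    """Render the post's htaccess block for trusted IPv4 addresses, with dots escaped."""
    conds = []
    for ip in allowed_ips:
        ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
        conds.append("RewriteCond %{REMOTE_ADDR} !^" + ip.replace(".", r"\.") + "$")
    header = ["RewriteEngine on",
              r"RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]",
              "RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$"]
    return "\n".join(header + conds + ["RewriteRule ^(.*)$ - [R=403,L]"])
```

Run it against a real access log by reading the file into `brute_force_suspects`; the returned addresses are candidates for a block rule, while `htaccess_allowlist` produces the allowlist for your own addresses.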