David Morefield

9 Years Ago

Securing Your WordPress Site

So today, I posted an editorial on my website (Fluffyshotme Photography) that I wrote because I felt very strongly about the subject.

The result has been thousands of hits on my website since this afternoon, which is normally a good thing.

Tonight, I started receiving Brute Force attacks on my site and I started getting lockout notifications rolling into my phone.

I ended up limiting access to my login page with my .htaccess file, but what I wanted to share with everyone is that most of the login attempts are using the usernames "Admin", "Support" and "Test". I do not use any of these usernames, but thought I would take pause for a moment and remind everyone who uses WordPress that using a secure password is only half of the battle; you need to use a username that no one is likely to guess.

So far, so good on my site, but I can tell you that I am now on someone's list, so I will always have to hide behind the .htaccess file.

I hope that sharing this experience helps others who use WordPress to keep their site more secure.

If you are looking for the syntax of how to limit logins to your IP by editing your .htaccess file, here is a sample. You simply paste it at the beginning of your .htaccess file and change the IP address 123.123.123.123 to the address that you want to allow; add a new line for each address that you want to permit (Home, Work, School, etc.).

# Blocks every IP address except yours from the WordPress login and admin pages
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/wp-login\.php [OR]
RewriteCond %{REQUEST_URI} ^/wp-admin/?$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
# Add one more RewriteCond line like the one above for each additional address you want to allow
RewriteRule ^(.*)$ - [F,L]
# Ends code to block IP


David Gordon

9 Years Ago

David,

I get lots of login attacks from bots in Russia, Ukraine, China, etc., as well as from various anonymous bots on hosted sites on Amazon AWS. It's too difficult to try to keep up with them manually, so I'll be incorporating that code on my personal WP site. Thanks for posting.

 

David Morefield

9 Years Ago

Dave, just keep in mind that you will have to edit your .htaccess file any time your IP changes or you are out of town. My current .htaccess file has probably 30 addresses, and 27 of them are commented out. When I go to one of those other locations, I just uncomment that line and I am good to go. For example:

# Happy Teahouse on Richmond
#RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$

If I go back there and use their wifi with a client, I uncomment that line to allow myself to log in for only the time that I am there. I just remove the # from the beginning of the line with the address where I am.

# Happy Teahouse on Richmond
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$

 

Suzanne Powers

9 Years Ago

What is an "attack" by a bot? I am presently on Google Blogger but would also like to be on WordPress.

 

Dan Turner

9 Years Ago

I use the Limit Login Attempts plugin on all of my WP sites. It blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.

I set mine at three or four attempts. The plugin emails me an alert if additional attempts are made.


Dan Turner
Dan Turner's Seven Keys to Selling Art Online

 

David Morefield

9 Years Ago

Dan, I also use Limit Login Attempts, but last night I got over 1,000 e-mails from locked-out sites. That got a little old, so I decided to go back to the nuclear option.

I used to have the .htaccess block on my site, like I do for my clients, but while I was at WordCamp in April, I commented out the section blocking access to the admin page. It had been fine until I started getting hammered last night.
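Dan's lockout rule and David's flood of one e-mail per attempt, as an added example that is not from this thread or from the Limit Login Attempts plugin: a Python script that reads constructed Apache access-log lines, counts failed POSTs to /wp-login.php per address inside a sliding window, and reports each address once when it crosses the limit. It assumes WordPress answers a failed login with 200 (the form re-shown) and a successful one with a 302 redirect.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined log format (not real traffic):
# 203.0.113.7 hammers the login form; 198.51.100.9 logs in once, fails once later.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2015:22:01:03 -0500] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:22:01:05 -0500] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:22:01:06 -0500] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:22:01:08 -0500] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2015:22:02:10 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2015:22:40:00 -0500] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2015:22:03:00 -0500] "GET /2015/03/editorial/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def failed_logins(log_text):
    """Yield (ip, timestamp) for each POST to /wp-login.php answered with 200.
    Assumption: WordPress re-shows the form (200) on a failed login and
    redirects (302) on success, so a 200 here is counted as a failure."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if m["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")


def lockouts(log_text, max_attempts=4, window=timedelta(minutes=20)):
    """Return {ip: lockout_time} for addresses reaching max_attempts failures
    inside a sliding window. Each address is reported once, however many
    attempts follow, so one alert per attacker rather than one per attempt."""
    recent = defaultdict(list)
    locked = {}
    for ip, ts in failed_logins(log_text):
        if ip in locked:
            continue  # already reported; later attempts are dropped
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= max_attempts:
            locked[ip] = ts
    return locked


if __name__ == "__main__":
    for ip, when in lockouts(SAMPLE_LOG).items():
        print(f"lock {ip} at {when:%H:%M:%S}")
```

Feeding a real access log in, the resulting addresses are the ones you would turn into a deny rule or report, one line per attacker instead of one e-mail per attempt.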

 
