WordPress: Login Page Security

User of WordPress experience large amount of login tries everyday. This is to prevent such malicious attacks by defining a white list of allowed IP addresses…

This example deals with both IPv4 and IPv6, and it assumes that the web server, where WordPress runs, is Apache.

The login page is initiated by requesting the wp-login.php file. In the root directory of WordPress, there exists a .htaccess file, which can be modified as follows:

# After the following "RewriteEngine" rule,
RewriteEngine On
# insert the following lines:
# Protect wp-login

Order Deny,Allow
Deny from all
Allow from ::1/128               # IPv6 localhost (CIDR mask is mandatory)
Allow from          # IPv4 localhost (CIDR mask is mandatory)
Allow from A.B.C.D               # Insert as many IPs
Allow from aaaa:bbbb:cccc::/64   # or networks as required
# Alternatively modify the ErrorDocument
ErrorDocument 403 /pathToTheErrorDocument/error.php

If the alternative ErrorDocument is specified, it can be fine tuned as follows:

Such error document will forward the invalid (IP-sourced) requests to the default WordPress page.

This entry was posted in Linux, Security, Server and tagged , , , , , . Bookmark the permalink.