
Restrict access to the WordPress admin by IP address

This article was written by Eric Sizemore, web developer, programmer and domain owner.

In light of recent events, anyone running WordPress is apparently exposed to what has been called “Distributed WordPress admin account cracking”, in which many different hosts take turns guessing admin passwords against wp-login.php. You can consult this article for more information. This post aims to add an extra layer of security, an IP allowlist enforced by the web server before WordPress ever runs, to both your wp-admin folder and the wp-login.php file.

Step 1 – Determine who will have access

First of all, this extra layer of security means blocking every IP address except a handful. If your IP is dynamic, this may not be the best option for you. If you have many users whom you allow to access your blog, this could take a lot of time. If you are the only author on the blog, and you do not allow registrations anyway, this will be fairly simple.

Step 2 – Creating the .htaccess files

First, let's get your IP address. Go to IPChicken and note your IP address. This public address is what the web server sees as the client's REMOTE_ADDR, and it is the one the rules below match against (if your site sits behind a reverse proxy or CDN, the server sees the proxy's address instead, and these rules will not behave as expected). Next, download the .htaccess files that were created for this post.

Once you extract the archive, you should see a .htaccess file and a wp-admin folder with another .htaccess file inside it. Open the main .htaccess file and you should see:

<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from xx.xx.xx.xx
</Files>

Edit the “Allow from” line to reflect your IP address. To add more IP addresses, add a new line with “Allow from” and the next address, and so on. Now, you most likely already have a .htaccess file in your WordPress root folder. If so, edit that file, paste in the contents of the edited .htaccess file from the zip, then save it and upload it again.

Now open the .htaccess file inside the zip's wp-admin folder. You should see something like:

Order Deny,Allow
Deny from all
Allow from xx.xx.xx.xx

Do the same as above, and add any extra IPs that you want to allow into the wp-admin area. You most likely do not have a .htaccess file in your wp-admin folder yet, so just upload the edited .htaccess file from the zip into your wp-admin folder.

Step 3 – Done

And that's it! 🙂
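The listing below is an added example and is not the zip file from the original post. It shows both files from Step 2 in one place, with two assumptions: the allowed addresses are the placeholder documentation values 203.0.113.10 and 198.51.100.0/24 (replace them with your own), and the server's Apache version is detected by testing for mod_authz_core, which only exists in Apache 2.4. On 2.4 the legacy Order/Deny/Allow directives are rejected unless mod_access_compat is loaded, so the 2.4 form uses Require ip instead. The example also re-opens wp-admin/admin-ajax.php, which front-end code in themes and plugins calls for anonymous visitors; blocking it breaks those features even though the login page stays locked.

```apache
# ---- /.htaccess (WordPress root): IP allowlist for wp-login.php ----
# 203.0.113.10 and 198.51.100.0/24 are placeholder documentation addresses
# (assumed for this example); use the public address(es) your server sees
# as REMOTE_ADDR. Note: wp-login.php also handles ?action=logout, so a
# client outside the allowlist cannot log out through this URL either.
<Files wp-login.php>
    # Apache 2.4: mod_authz_core exists, so use Require (CIDR ranges allowed)
    <IfModule mod_authz_core.c>
        Require ip 203.0.113.10 198.51.100.0/24
    </IfModule>
    # Apache 2.2: legacy mod_access syntax; on 2.4 this branch is skipped
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
        Allow from 203.0.113.10
        Allow from 198.51.100.0/24
    </IfModule>
</Files>

# ---- /wp-admin/.htaccess: IP allowlist for the whole admin directory ----
<IfModule mod_authz_core.c>
    Require ip 203.0.113.10 198.51.100.0/24
</IfModule>
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.10
    Allow from 198.51.100.0/24
</IfModule>

# Exemption: admin-ajax.php is requested by front-end JavaScript (themes,
# WooCommerce and other plugins) from visitors who are not logged in.
# Re-open only this file; WordPress still applies its own login and
# capability checks to privileged AJAX actions.
<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Allow from all
    </IfModule>
</Files>
```

Two checks before relying on this: request wp-login.php from an address that is not on the list and confirm you get 403 Forbidden rather than the login form, and confirm that a front-end page which calls admin-ajax.php still works for a logged-out visitor. If the whole site returns 500 Internal Server Error after uploading, the host's AllowOverride setting does not permit these directives (Require needs AuthConfig, Order/Allow/Deny need Limit), or Apache 2.4 is running without mod_access_compat and met an Order line; the server error log names the offending directive.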

Comments

  1. No download files.

  2. Perfect

  3. Sunil Ilanthila July 24, 2021 at 3:51 pm

    I'm facing a Not Acceptable issue from one IP, but it's working from another IP. Any solutions?

    1. You may want to contact your hosting support about this.

  4. I know this website gives quality depending posts and other material, is there any other website which presents such data in quality?

  5. Does not work. I got: Internal Server Error

    1. You may want to contact your hosting support about this.

  6. Thanks. Just what I was looking for

    1. We are glad you found this helpful 🙂

  7. Hi all,
    I have an IP restriction on my site for wp-login.php in .htaccess, but my customers can't log out; they get the IP restriction error. Can anyone give me the best solution for an IP restriction on the admin login page only?

    1. What is the code for the restriction you are using? Was it added to the wp-admin folder only?

    2. Valerie Cudnik April 25, 2022 at 8:04 pm

      There isn’t a different login for admin. The problem with the logging out, is that WP uses wp-login.php for both logging in *and* logging out.

      Best option is to create a different logout page for customers.

  8. Beware: If your WordPress website uses Woocommerce then the code below will block the new order emails from being sent!

  9. Paramjeet Singh August 25, 2019 at 1:15 pm

    Hi, thanks for the helpful article. I was able to add an additional security layer to my website.
    But I have one question: this will only allow my IP to access the wp-admin dashboard, etc. Does it affect the plugins or files, etc.? I mean, do they need the connection to the wp-login page or not?

    1. This code is specifically for blocking access to the login page. That said, if the plugins that are installed were coded correctly, then if a visitor can’t login they shouldn’t have access to the admin pages.

  10. Didn't work for me.

    This works, found it in one of my old projects 🙂

    RewriteEngine on
    # Match any URI containing wp-login.php, or a URI ending in exactly
    # wp-admin (deeper paths such as /wp-admin/index.php are not matched)
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    # ...unless the client address is one of the allowed IPs
    RewriteCond %{REMOTE_ADDR} !^95\.154\.22\.86$
    RewriteCond %{REMOTE_ADDR} !^77\.243\.128\.133$
    # Answer 403 Forbidden without rewriting the URI ("-" keeps it unchanged)
    RewriteRule ^(.*)$ - [R=403,L]

    1. The Rewrite option works for me, but I can't access the admin web page from localhost.

  11. This does not work on Apache 2.4 because order allow,deny is deprecated.
    Instead you must use mod_rewrite.c.

  12. Could anyone help me with which IP we are supposed to enter in the htaccess file? Is it the public IP that I can see when I Google search for my IP, or the static one?

  13. Quite useful regarding security. I recently encountered few attacks on my wp site and I am looking for a good solution.

  14. Elizabeth Richardson February 20, 2010 at 5:12 pm

    After leaving this system in place for a couple of months now, I've been able to relax. It does seem to work, as I had been hacked multiple times before too.

    I use an ip range instead of a specific ip in my .htaccess and it works fantastic. Thank you so much.

    1. Glad to hear it’s working out for you. 😀

  15. Thanks for the info.
    I was very frustrated with my blog getting hacked a fourth time.
    I wanted to be 100% sure to stop all bot attacks.
    In the last few days I tried many plugins, including askapache, but it is not working fine because of some problem with my hosting.

    Finally I got a custom solution: I put an .htaccess file in the wp-admin folder and IP-locked it to open only from my IP range, and it works. Now no bot can try to check out my options and settings files, unless the bot is in my PC itself.

    : )

    Regards

  16. But I access my site from all sorts of places, including my cellphone.

    What I’d really like is to restrict everywhere outside of North America and that would probably cut down on a lot of hacking wouldn’t it?

    Yes, it’s still open but a lot less wide than it was previously.

    Anyone try anything like this?

    1. Maybe, but you’d need to integrate it with a geo IP-to-location database which might be a little overkill for something like this.

      If you login from a lot of places/IPs you might want to look into something like Login Lockdown.

  17. The login lockdown plugin is also nice. Limits and then bans failed login attempts. Kind of like IPtables for wp.
    http://wordpress.org/extend/plugins/login-lockdown/

    We added it to our pre-install for page.ly customers so it will be activated by default after signup.

    PS.. love the new themelab.com design.

    1. That sounds like it could be pretty effective. Especially if you login at a lot of different locations with different IP addresses, it may not be practical to add a .htaccess rule for each one.

      And glad you like the design!

  18. @Elizabeth: No problem! Let me know how it works out for you.

  19. Thanks so much for this.

    I've been experiencing exploit attempts on several of my WordPress websites and have been using .htaccess to block the individual IPs. But this seems much more effective. Hope it works well.

    Thanks Leland.

  20. @badcat: That’s a good question but I don’t think you’ll need to repeat the process since these .htaccess files aren’t included with the actual upgrade.

  21. Will you need to repeat this process after a new version of WordPress comes out?

    Or would it make more sense to deny the wp-admin folder in the site root .htaccess file, since that doesn't get updated when WP updates its core?
