Cet article a été rédigé par Eric Sizemore, développeur web, programmeur et spécialiste des noms de domaine.
À la lumière des événements récents, toute personne utilisant WordPress est apparemment susceptible d’être victime de ce que l’on appelle le “Distributed WordPress admin account cracking” (piratage distribué des comptes d’administration de WordPress). Vous pouvez consulter cet article pour plus d’informations. Cet article vise à fournir une couche supplémentaire de sécurité à la fois à votre dossier wp-admin, et au fichier wp-login.php.
Étape 1 – Déterminer qui aura l’accès
Avant tout, cette couche de sécurité supplémentaire consiste à bloquer toutes les adresses IP, à l’exception de quelques-unes d’entre elles. Si votre IP est dynamique, ce n’est peut-être pas la meilleure option pour vous. Si vous autorisez l’accès à votre blog à un grand nombre d’utilisateurs, cela pourrait prendre beaucoup de temps. Si vous êtes le seul auteur du blog et que vous n’autorisez de toute façon pas les inscriptions, cela sera plutôt simple.
Étape 2 – Création du fichier .htaccess
Tout d’abord, obtenez votre adresse IP. Allez sur IPChicken et notez votre adresse IP. Ensuite, téléchargez les fichiers .htaccess qui ont été créés pour cet article.
Une fois l’archive extraite, vous devriez voir un fichier .htaccess, et un dossier wp-admin avec un fichier .htaccess à l’intérieur. Ouvrez le fichier .htaccess principal et vous devriez voir :
<Files wp-login.php>
Ordre Refuser, Autoriser
Refuser à tous
Autoriser à partir de xx.xx.xx.xx
</Files>
Modifiez la ligne “Allow from” pour qu’elle corresponde à votre adresse IP. Pour ajouter d’autres adresses IP, ajoutez une nouvelle ligne avec “Allow from” et l’adresse IP suivante, et ainsi de suite. Il est probable que vous disposiez déjà d’un fichier .htaccess à la racine de votre dossier WordPress. Si c’est le cas, éditez ce fichier et copiez-collez le contenu de votre fichier .htaccess édité à partir du fichier zip, puis sauvegardez/téléchargez.
Ouvrez maintenant le fichier .htaccess dans le dossier wp-admin du zip. Vous devriez voir quelque chose comme :
Ordre Refuser, Autoriser
Refuser à tous
Autoriser à partir de xx.xx.xx.xx
Faites comme vous l’avez fait ci-dessus. Et ajoutez toutes les adresses IP supplémentaires que vous souhaitez autoriser dans la zone wp-admin. Il est probable que vous n’ayez pas de fichier .htaccess dans votre dossier wp-admin, alors téléchargez simplement le fichier .htaccess édité depuis le zip dans votre dossier wp-admin.
Étape 3 – Vous avez terminé
Et c’est tout ! 🙂
No download files.
Perfect
I facing not acceptable issue by one ip, but it’s working on other IP any solutions
You may want to contact your hosting support about this.
I knkw this website gives quality depending posts and other material, is there aany other
website which presents such data in quality?
Does not work. I got: Internal Server Error
You may want to contact your hosting support about this.
Thanks. Just what I was looking for
We are glad you found this helpful 🙂
hi all,
I have ip restriction in my site for wp-login.php in .htaccess. but, my customers can’t logout, showing error for ip restriction. anyone give me a best solution for only ip restriction for admin login page.
What is the code for the restriction you are using? Was it added to the wp-admin folder only?
There isn’t a different login for admin. The problem with the logging out, is that WP uses wp-login.php for both logging in *and* logging out.
Best option is to create a different logout page for customers.
Beware: If your WordPress website uses Woocommerce then the code below will block the new order emails from being sent!
Hi, Thanks for the Helpfull Article, I am able to add an additional security layer to my website.
But I have 1 question, this will only allow my IP to access the WP-admin dashboard, etc. Does it affect the plugins or files, etc, I mean can they need or don’t need the connection to the wp-login page?
This code is specifically for blocking access to the login page. That said, if the plugins that are installed were coded correctly, then if a visitor can’t login they shouldn’t have access to the admin pages.
Didnt work for me.
This works, found it in one of my old projects 🙂
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^95\.154\.22\.86$
RewriteCond %{REMOTE_ADDR} !^77\.243\.128\.133$
RewriteRule ^(.*)$ – [R=403,L]
The Rewrite option works for me but i can’t access to the admin web page from localhost
This does not work on Apache 2.4 because order allow,deny is depreciated.
Instead you must use mod_rewrite.c.
Could anyone help me with which IP are we supposed to enter in the htaccess file. Is it the Public IP that I can see when I google search for my IP, or is the static one
Quite useful regarding security. I recently encountered few attacks on my wp site and I am looking for a good solution.
After leaving this system in place for a couple months now, I’ve now been able to relax. I does seem to work as I had been hacked multiple times before too.
I use an ip range instead of a specific ip in my .htaccess and it works fantastic. Thank you so much.
Glad to hear it’s working out for you. 😀
Thanks for the info
I was very frustrated with my blog got hacked fourth time.
I wanted to be 100% sure to stop all bot attracts.
in last few days I tried many plugins including askapache but it is not working fine because of some problem with my hosting.
Finally I got a custom solution, I put an .htaccess file in wp-admin folder and IP locked it to open only with my IP range. and it works. Now no bot can try to check out my options and setting files. Unless the bot is in my PC itself.
: )
Regards
But I access my site from all sorts of places, including my cellphone.
What I’d really like is to restrict everywhere outside of North America and that would probably cut down on a lot of hacking wouldn’t it?
Yes, it’s still open but a lot less wide than it was previously.
Anyone try anything like this?
Maybe, but you’d need to integrate it with a geo IP-to-location database which might be a little overkill for something like this.
If you login from a lot of places/IPs you might want to look into something like Login Lockdown.
The login lockdown plugin is also nice. Limits and then bans failed login attempts. Kind of like IPtables for wp.
http://wordpress.org/extend/plugins/login-lockdown/
We added it to our pre-install for page.ly customers so it will be activated be default after signup.
PS.. love the new themelab.com design.
That sounds like it could be pretty effective. Especially if you login at a lot of different locations with different IP addresses, it may not be practical to add a .htaccess rule for each one.
And glad you like the design!
@Elizabeth: No problem! Let me know how it works out for you.
Thanks so much for this.
I’ve been experiencing exploit attempts on several of my wordpress websites and have been using ht.access to block the individual IP’s. But this seems much more effective. Hope it works well.
Thanks Leland.
@badcat: That’s a good question but I don’t think you’ll need to repeat the process since these .htaccess files aren’t included with the actual upgrade.
Will you need to repeat this process after a new version of WordPress comes out?
Or would it make more sense to deny the wp-admin folder in the site root .htaccess file since that doesn’t get updated when WP updates it’s core?