
Restrict WordPress Admin Access by IP Address

This is a guest post by Eric Sizemore, a web developer, programmer and domainer.

In light of recent events, anyone using WordPress is apparently susceptible to what is being called “Distributed WordPress admin account cracking”. You can see this article for more information. This post aims to provide an extra layer of security for your wp-admin folder and the wp-login.php file.

Step 1 – Determine who will have access

First of all, this extra layer of security involves blocking all IPs except a select few. If your IP is dynamic, this may not be the best option for you. If you have many users whom you allow access to your blog, this could be quite time-consuming. If you are the only author of the blog and do not allow registrations, this will be fairly simple.

Step 2 – Creating the .htaccess file

First, let's get your IP address. Go to IPChicken and note your IP address. Next, download the .htaccess files that were created for this post.

After extracting the archive, you will see a .htaccess file and a wp-admin folder with a .htaccess file inside it. Open the main .htaccess file and you will see:

<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from xx.xx.xx.xx
</Files>

Edit the “Allow from” line to reflect your IP address. To add more IP addresses, add a new line with “Allow from” and the next IP address, and so on. Now, you most likely already have a .htaccess file in the WordPress root folder. If so, edit that file, paste in the contents of the edited .htaccess file from the zip, and save/re-upload.

Now open the .htaccess file in the wp-admin folder of the zip. You should see something like:

Order Deny,Allow
Deny from all
Allow from xx.xx.xx.xx

Do the same as you did above, adding any additional IPs you want to allow into the wp-admin area. You most likely do not have a .htaccess file in the wp-admin folder yet, so simply upload the edited .htaccess file from the zip into the wp-admin folder.

Step 3 – You're done

And that's it! 🙂
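As an added example (not the post's own download), the following Python script builds the two fragments from Step 2 from a list of allowed addresses, validates each entry first so that a stray placeholder such as “xx.xx.xx.xx” fails loudly instead of producing a rule Apache misreads, and lets you check offline which client addresses the resulting rules would let through. It also emits the equivalent Apache 2.4 `Require ip` form, since the `Order`/`Deny`/`Allow` directives used in the post belong to the older mod_authz_host syntax. The sample addresses are constructed documentation ranges, not real ones.

```python
"""Generate the post's .htaccess fragments and check client addresses offline.

Added example, not the original post's download. Assumes Apache with either
mod_authz_host (2.2: Order/Deny/Allow) or mod_authz_core (2.4: Require ip).
"""
import ipaddress


def parse_allowed(entries):
    """Validate each entry as an IPv4/IPv6 address or CIDR range.

    ipaddress.ip_network raises ValueError on anything that is not a real
    address, so a placeholder left in by mistake is caught here.
    """
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def _fmt(net):
    # Single host: plain address. Range: CIDR, which both "Allow from" (2.2)
    # and "Require ip" (2.4) accept.
    if net.num_addresses == 1:
        return str(net.network_address)
    return net.with_prefixlen


def _wrap(body, files):
    # files=None -> directory-level fragment (e.g. wp-admin/.htaccess);
    # otherwise wrap in a <Files> block for one file such as wp-login.php.
    if files is None:
        return "\n".join(body) + "\n"
    lines = [f"<Files {files}>"] + ["    " + l for l in body] + ["</Files>"]
    return "\n".join(lines) + "\n"


def htaccess_22(nets, files=None):
    """Apache 2.2 style fragment, matching the post's download."""
    body = ["Order Deny,Allow", "Deny from all"]
    body += [f"Allow from {_fmt(n)}" for n in nets]
    return _wrap(body, files)


def htaccess_24(nets, files=None):
    """Apache 2.4 equivalent: anything not matched by a Require line gets 403."""
    body = ["<RequireAny>"]
    body += [f"    Require ip {_fmt(n)}" for n in nets]
    body += ["</RequireAny>"]
    return _wrap(body, files)


def is_allowed(client_ip, nets):
    """Offline check of the decision Apache would make for a client address."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    # Constructed sample: one workstation, one office range, and localhost so
    # that checks run from the server itself are not locked out.
    allowed = parse_allowed(["203.0.113.5", "198.51.100.0/24", "127.0.0.1"])
    print(htaccess_24(allowed, files="wp-login.php"))  # goes in the root .htaccess
    print(htaccess_24(allowed))                        # goes in wp-admin/.htaccess
    for ip in ("203.0.113.5", "198.51.100.77", "192.0.2.9"):
        print(ip, "allowed" if is_allowed(ip, allowed) else "denied")
```

Run it once with your own addresses, paste the printed root fragment into the site's existing .htaccess and the directory fragment into wp-admin/.htaccess, then confirm with `is_allowed` that the address you will log in from is actually on the list before uploading.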

Comments

  1. No download files.

  2. Perfect

  3. Sunil Ilanthila July 24, 2021 at 3:51 pm

    I'm facing a “not acceptable” issue from one IP, but it’s working on another IP. Any solutions?

    1. You may want to contact your hosting support about this.

  4. I know this website gives quality depending posts and other material, is there any other
    website which presents such data in quality?

  5. Does not work. I got: Internal Server Error

    1. You may want to contact your hosting support about this.

  6. Thanks. Just what I was looking for

    1. We are glad you found this helpful 🙂

  7. Hi all,
    I have an IP restriction on my site for wp-login.php in .htaccess, but my customers can’t log out; it shows an error for the IP restriction. Can anyone give me the best solution for an IP restriction on only the admin login page?

    1. What is the code for the restriction you are using? Was it added to the wp-admin folder only?

    2. Valerie Cudnik April 25, 2022 at 8:04 pm

      There isn’t a different login for admin. The problem with logging out is that WP uses wp-login.php for both logging in *and* logging out.

      Best option is to create a different logout page for customers.

  8. Beware: If your WordPress website uses Woocommerce then the code below will block the new order emails from being sent!

  9. Paramjeet Singh August 25, 2019 at 1:15 pm

    Hi, thanks for the helpful article. I was able to add an additional security layer to my website.
    But I have one question: this will only allow my IP to access the WP-admin dashboard, etc. Does it affect the plugins or files, etc.? I mean, do they need the connection to the wp-login page or not?

    1. This code is specifically for blocking access to the login page. That said, if the plugins that are installed were coded correctly, then if a visitor can’t login they shouldn’t have access to the admin pages.

  10. Didn't work for me.

    This works, found it in one of my old projects 🙂

    # Return 403 for wp-login.php or the wp-admin folder unless the client
    # address matches one of the allowed IPs listed below.
    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    RewriteCond %{REMOTE_ADDR} !^95\.154\.22\.86$
    RewriteCond %{REMOTE_ADDR} !^77\.243\.128\.133$
    RewriteRule ^(.*)$ - [R=403,L]

    1. The Rewrite option works for me, but I can’t access the admin web page from localhost.

  11. This does not work on Apache 2.4 because order allow,deny is deprecated.
    Instead you must use mod_rewrite.c.

  12. Could anyone help me with which IP we are supposed to enter in the .htaccess file? Is it the public IP that I can see when I Google search for my IP, or is it the static one?

  13. Quite useful regarding security. I recently encountered a few attacks on my WP site and I am looking for a good solution.

  14. Elizabeth Richardson February 20, 2010 at 5:12 pm

    After leaving this system in place for a couple of months now, I’ve been able to relax. It does seem to work, as I had been hacked multiple times before too.

    I use an ip range instead of a specific ip in my .htaccess and it works fantastic. Thank you so much.

    1. Glad to hear it’s working out for you. 😀

  15. Thanks for the info
    I was very frustrated with my blog getting hacked a fourth time.
    I wanted to be 100% sure to stop all bot attacks.
    In the last few days I tried many plugins, including askapache, but it is not working fine because of some problem with my hosting.

    Finally I got a custom solution: I put an .htaccess file in the wp-admin folder and IP-locked it to open only with my IP range, and it works. Now no bot can try to check out my options and setting files, unless the bot is in my PC itself.

    : )

    Regards

  16. But I access my site from all sorts of places, including my cellphone.

    What I’d really like is to restrict everywhere outside of North America and that would probably cut down on a lot of hacking wouldn’t it?

    Yes, it’s still open but a lot less wide than it was previously.

    Anyone try anything like this?

    1. Maybe, but you’d need to integrate it with a geo IP-to-location database which might be a little overkill for something like this.

      If you login from a lot of places/IPs you might want to look into something like Login Lockdown.

  17. The login lockdown plugin is also nice. Limits and then bans failed login attempts. Kind of like IPtables for wp.
    http://wordpress.org/extend/plugins/login-lockdown/

    We added it to our pre-install for page.ly customers so it will be activated by default after signup.

    PS.. love the new themelab.com design.

    1. That sounds like it could be pretty effective. Especially if you login at a lot of different locations with different IP addresses, it may not be practical to add a .htaccess rule for each one.

      And glad you like the design!

  18. @Elizabeth: No problem! Let me know how it works out for you.

  19. Thanks so much for this.

    I’ve been experiencing exploit attempts on several of my WordPress websites and have been using .htaccess to block the individual IPs. But this seems much more effective. Hope it works well.

    Thanks Leland.

  20. @badcat: That’s a good question but I don’t think you’ll need to repeat the process since these .htaccess files aren’t included with the actual upgrade.

  21. Will you need to repeat this process after a new version of WordPress comes out?

    Or would it make more sense to deny the wp-admin folder in the site root .htaccess file, since that doesn’t get updated when WP updates its core?
