
6 Ways to Protect your WordPress Against Attack

This entry is part 1 of 1 in the series 6 Ways to Secure your WordPress

Over the next series of articles, I will show you some ways to protect your WordPress against attack. If you are running a WordPress site you have probably had some experience with hacks or attempted hacks. They can be merely a nuisance or they can be pretty dangerous, for example if the hacker manages to add a phishing scam to your site (a phishing scam is an attempt to acquire information such as usernames, passwords and credit card details by masquerading as a trustworthy entity, like a bank).

In this first article I’m going to show you, step-by-step, how to protect your WordPress against attack by locking down your WordPress admin login with some .htaccess rules that reject unauthorized login attempts. (A .htaccess file, short for “hypertext access”, is a per-directory Apache configuration file that is often used to set access restrictions on that directory.)


WordPress wp-login.php Brute Force Attack

Since April 2013, there have been large scale WordPress wp-login.php brute force attacks coming from a large number of IP addresses spread across the world.

Krebs on Security reported back in mid-April that the growing botnet was made up of about 90,000 web servers, attempting to brute force individual WordPress sites using the default username “admin”. With the username out of the way, they would continue to hammer on wp-login.php trying to guess the password in order to get into the WordPress admin dashboard. Once in, they are free to do their dirty work. Article three talks about how to stifle them if they manage to get in.

With some pretty awesome cooperation among hosting companies and security services, the attacks slowed… but lately the attacks have picked up again, which is why I decided to write this series.

Over the next 6 or so days I’ll be talking about the following ways to protect your WordPress against attack, ways that can secure your WordPress sites from nuisance and dangerous hacks.

  1. How to Bullet Proof WordPress admin login with .htaccess
  2. How to Prevent Unauthorized WordPress wp-admin and wp-login.php Login Attempts
  3. How to Disable the Theme and Plugin Editors in WordPress
  4. How to Update Your WordPress Username and Password
  5. How to Add some Salt to your WordPress for Security
  6. How to Keep everything up to Date

Bullet Proof your WordPress Admin Login Using .htaccess

Now, let’s protect your WordPress against attack…

This most recent brute force attack relies on sending POST requests straight to your wp-login.php script. So what does this mean in English? The bots never load the login page or fill out the form the way you do. When you log in, you open the page, type your details and hit submit, and your browser sends the POST on your behalf; the bots hand-craft that POST and fire it at wp-login.php directly, thousands of times. The following steps deny that shortcut by refusing login POSTs that do not arrive from a page on your own site.

What we’ll do is require that a POST to the login script carries a Referer header naming your own domain, which is what a browser sends when a person submits the form. Be clear about what this buys you: the Referer header is set by the client, so a bot written to include it will walk straight past this rule. It cuts off the mass, low-effort botnet traffic described above, but it is not a substitute for a strong password or the other steps in this series. Browsers and privacy extensions that strip the Referer header will be refused as well, so test your own login after enabling it.

Now follow the steps below to limit login attempts to a proper referer:

  1. Login to your cPanel.
  2. Under the Files section, click on File Manager.
  3. Select the Document Root for your domain.
  4. Ensure that Show Hidden Files is selected.
  5. Then click Go.
  6. Right-click on the .htaccess file and select Edit.
  7. On the next pop-up screen (a text editor encoding dialog box) click on Edit.
  8. Edit your .htaccess file. On the edit screen you might see something like this:

    # BEGIN WordPress
    RewriteEngine On
    RewriteBase /internet-marketing/
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /internet-marketing/index.php [L]
    # END WordPress

  9. Paste the following code

    When you paste the code, make sure you paste it above any other code in the .htaccess document. It protects your WordPress site by only allowing login requests that arrive from your own site (domain name). When you add it, replace yoursite\.com with your own domain name, keeping the backslash before the dot.

    Since the brute force attacks rely on sending direct POST requests to your wp-login.php script, we require that a POST to wp-login.php (or to wp-admin) carries a Referer from your own domain.

    The Referer pattern accepts both http:// and https:// so that you are not locked out if your login page is served over SSL, and it anchors the domain so that a referer such as http://yoursite.com.evil.example/ does not count as yours. This filters out automated bots that send no Referer at all; a bot that sets a matching Referer header will still get through, so treat this as one layer rather than the only one.


    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?yoursite\.com([/:]|$) [NC]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    RewriteRule ^(.*)$ - [F]
    </IfModule>

    Your .htaccess document should now look something like this:


    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?yoursite\.com([/:]|$) [NC]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    RewriteRule ^(.*)$ - [F]
    </IfModule>

    # BEGIN WordPress
    RewriteEngine On
    RewriteBase /internet-marketing/
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /internet-marketing/index.php [L]
    # END WordPress

  10. Finally, click on Save Changes button at the top-right of the editor.

Your .htaccess now rejects login POSTs that do not carry a Referer from your own domain. Before you log out, open a second browser and confirm that you can still log in; if you get a 403 Forbidden instead, check that the domain in the rule matches the one in your address bar exactly.
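To see what the rule actually decides, here is a small Python model of it, added as an example for this article (it is not code from the page, from WordPress or from Apache). It reproduces mod_rewrite’s AND/[OR] grouping and runs constructed sample requests through two versions of the Referer check: the http-only pattern `^http://(.*)?yoursite\.com` that is often published for this rule, and a tightened pattern `^https?://([^/]+\.)?yoursite\.com([/:]|$)`. The sample requests, the rule names and the host yoursite.com are assumptions made for the example.

```python
import re

# Constructed model of the article's .htaccess rule set (example code, not from
# the page, WordPress or Apache). Each RewriteCond is modelled as
# (server variable, pattern, negated, or_next, regex flags). Apache ANDs the
# conditions together, except that a condition carrying [OR] is OR-ed with the
# condition that follows it; [NC] makes the match case-insensitive.
COMMON_RULES = [
    ("REQUEST_METHOD", r"POST", False, False, 0),
    ("HTTP_REFERER", r"^http://(.*)?yoursite\.com", True, False, re.I),   # !pattern [NC]
    ("REQUEST_URI", r"^(.*)?wp-login\.php(.*)$", False, True, 0),         # [OR]
    ("REQUEST_URI", r"^(.*)?wp-admin$", False, False, 0),
]

# Tightened variant (an assumption made for this example): accept http or https
# and anchor the host so that yoursite.com.evil.example no longer passes.
HARDENED_RULES = [
    ("REQUEST_METHOD", r"POST", False, False, 0),
    ("HTTP_REFERER", r"^https?://([^/]+\.)?yoursite\.com([/:]|$)", True, False, re.I),
    ("REQUEST_URI", r"^(.*)?wp-login\.php(.*)$", False, True, 0),
    ("REQUEST_URI", r"^(.*)?wp-admin$", False, False, 0),
]


def cond_matches(cond, request):
    """Evaluate one RewriteCond against a request dict (absent header => '')."""
    var, pattern, negated, _or_next, flags = cond
    hit = re.search(pattern, request.get(var, ""), flags) is not None
    return hit != negated


def rule_blocks(rules, request):
    """True if 'RewriteRule ^(.*)$ - [F]' would fire (HTTP 403) for this request.

    Conditions chained with [OR] form one group that passes if any member
    matches; every group must pass for the rule to fire.
    """
    groups, current = [], []
    for cond in rules:
        current.append(cond)
        if not cond[3]:            # no [OR]: this condition closes the group
            groups.append(current)
            current = []
    if current:                    # trailing [OR] with nothing after it
        groups.append(current)
    return all(any(cond_matches(c, request) for c in group) for group in groups)


# Constructed sample requests; none of these are captured traffic.
REQUESTS = {
    "browser login, site on https": {
        "REQUEST_METHOD": "POST", "REQUEST_URI": "/wp-login.php",
        "HTTP_REFERER": "https://yoursite.com/wp-login.php"},
    "browser login, site on http": {
        "REQUEST_METHOD": "POST", "REQUEST_URI": "/wp-login.php",
        "HTTP_REFERER": "http://yoursite.com/wp-login.php"},
    "bot, no Referer": {
        "REQUEST_METHOD": "POST", "REQUEST_URI": "/wp-login.php"},
    "bot, spoofed Referer": {
        "REQUEST_METHOD": "POST", "REQUEST_URI": "/wp-login.php",
        "HTTP_REFERER": "http://yoursite.com/wp-login.php"},
    "bot, look-alike host": {
        "REQUEST_METHOD": "POST", "REQUEST_URI": "/wp-login.php",
        "HTTP_REFERER": "http://yoursite.com.evil.example/"},
    "GET of the login page": {
        "REQUEST_METHOD": "GET", "REQUEST_URI": "/wp-login.php"},
    "front-end AJAX POST": {
        "REQUEST_METHOD": "POST", "REQUEST_URI": "/wp-admin/admin-ajax.php"},
}


def evaluate(rules):
    """Map each sample request name to True (403) or False (allowed through)."""
    return {name: rule_blocks(rules, req) for name, req in REQUESTS.items()}


if __name__ == "__main__":
    common, hardened = evaluate(COMMON_RULES), evaluate(HARDENED_RULES)
    verdict = lambda blocked: "403" if blocked else "pass"
    print(f"{'request':32} {'http-only rule':>15} {'hardened rule':>15}")
    for name in REQUESTS:
        print(f"{name:32} {verdict(common[name]):>15} {verdict(hardened[name]):>15}")
```

Run it with python3 and read the table: the http-only pattern returns 403 to a real person logging in over HTTPS, the look-alike host slips past it, and a bot that simply sets the Referer header passes both versions, which is the limit of this technique. Plugin traffic to admin-ajax.php is left alone by both.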

Next up: “How to Prevent Unauthorized WordPress wp-admin and wp-login.php Login Attempts”

Please leave any comments or questions in the comment area below.


Comments

  1. Very nice tip on how to protect your WordPress site! Spam and Hackers are the worst.. Have a great day on purpose!

  2. 7th way use “Securitron” plugin for WordPress! http://www.b2beservices.com/files/Securitron_v1_0_1.zip
