How to secure WordPress blog admin area on dedicated machines

I have written on WordPress security in the past and listed some plugins that cover popular security issues. I still use Simple Login Log and prevent admin panel access from unknown IPs on most of my sites, but I have found another way to strengthen WP installation.

Typical solution will block admin folder only. This is good enough, but it will not prevent someone from using login page to brute-forcing your password. As I have found out the hard way, this might cause serious problems.

Recently, one of my WP blog servers had connection problems. They were caused by someone trying to guess admin user’s password couple tries per second. Simple Login Log tracks such things and increases the load even further (as it writes such entries to db). This was complicated further by spam bots (I get around 2500 spam comments per day on that blog).

So, how to  prevent this from happening, preferably on all blogs hosted on the same server?

Interestingly, you can add allow/deny directives for single file (or group of files) as well, and they work on server-basis if added in the main config file (/etc/httpd/conf.d/httpd.conf in my case).

The rules look like this :

<files wp-login.php>
Order Deny,Allow
Deny from All
allow from
allow from

There are 2 ways to white-list IPs.
XXX.XXX or XXX.XXX.XXX – subnet where you login from without fixed IPs,
and are ip you login from.
Now each attempt to brute-force your password will result in adding 2 lines to log files : one to access log and one to error log. It will not be processed by PHP.
Additionally, one could use this way to block some popular (Chineese mostly) spam bot IPs:

<Files wp-comments-post.php>
Order Allow,Deny
allow from all
deny from 113.212.70
deny from 125.112.31
deny from 125.112.25
deny from 125.112.29
deny from 125.112.28
deny from 125.112.27
deny from 125.112.26
deny from 123.156
deny from 218.72
deny from 117.21.224
deny from 117.21.225
deny from 117.21.226
deny from 117.21.227
deny from 60.182.153
deny from 60.182.154
deny from 60.182.155
deny from 60.182.156
deny from 60.182.152
deny from 60.182.157
deny from 60.182.158

We write out bad ips and networks here. I do not block networks globally in .htaccess file to prevent errors on my part. However, I can survive without comments from these 🙂 These rules reduced spam load by 3/4.

Speak Your Mind