WPHighEd

Quick Tip: Restricting Access to WordPress Logins



As you’ve most likely noticed over the past few weeks and months, brute force attack attempts are happening regularly. Bots try over and over to log in to just about any WordPress site, using any credentials they can come up with. While there are many ways to combat this, one of the simplest is to restrict access to the wp-login.php file altogether, allowing only specific people to reach it.

How We Did It

At the University of Mary Washington, we serve our public pages through nginx, which acts as a proxy cache in front of the Apache server running our WordPress installation. Since WordPress itself runs on Apache, we were able to make our changes through .htaccess. However, because a proxy sits in front of Apache, we couldn’t use the connecting IP address to check where our users were coming from: nginx makes it look to Apache as though every request comes from a local IP.

Instead, we had to read the X-Forwarded-For header to see which IP address the visitor used to reach nginx. To act on that header, we also needed to set an environment variable within .htaccess.

Our code looks similar to the code sample below. We placed this code at the top of our main .htaccess file.

See the gist on github.
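As an added example that is not the post’s own gist, the .htaccess fragment below implements the approach described above. The IP addresses are constructed placeholders, and it assumes nginx appends the client address to X-Forwarded-For (for example with proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for).

```apache
# Added example (not the post's own gist). Allows wp-login.php only from the
# listed addresses when Apache sits behind an nginx proxy that forwards the
# client address in X-Forwarded-For. Addresses are constructed placeholders.
# Needs mod_setenvif, plus AllowOverride FileInfo and AuthConfig (Apache 2.4)
# or Limit (Apache 2.2) for this directory.

# Match only the LAST address in the header. nginx appends the real client
# address there, so a visitor cannot satisfy the rule by sending a forged
# X-Forwarded-For header of their own ahead of it.
SetEnvIf X-Forwarded-For "(^|, ?)203\.0\.113\.10$"               allow_login
SetEnvIf X-Forwarded-For "(^|, ?)198\.51\.100\.(2[0-9]|3[01])$"  allow_login

<Files "wp-login.php">
    # Apache 2.4 (mod_authz_core)
    <IfModule mod_authz_core.c>
        Require env allow_login
    </IfModule>
    # Apache 2.2 (mod_authz_host)
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
        Allow from env=allow_login
    </IfModule>
</Files>
```

The `$` anchor is what makes the check trustworthy: only the hop added by nginx counts, and the pattern still matches if nginx overwrites the header with the bare client address instead of appending. This protects wp-login.php only; xmlrpc.php also accepts credentials and can be covered with a second <Files> block of the same shape.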

Important Notes

How Are You Restricting Access?

Do you have a different server configuration? If so, I’d love for you to share how you’re restricting login access. Let us know in the comments below.
