Protect WordPress admin folder

  1. DigiP


    I think each WordPress site owner should find a way to protect their own login portals, whether it be htaccess-based for those who have it, or plug-in-based for those who don't.

    I personally have /wp-admin inaccessible by anyone other than my own IP. I leave my wp-login.php file open to the public, though, but I could lock that out as well via htaccess to only my IP, which I do for some of my clients.

    The reason I lock /wp-admin/ but leave the wp-login.php file open is that I also have another plug-in I wrote to keep track of people trying to brute force their way into my site, something I think WordPress should consider making part of its core: if a login attempt is posted against the login page, an email is sent to the admin with the username they tried.

    If, like me, you don't have a user called Admin, but get 30 emails in a row from someone trying to log in as Admin, well, you are getting attacked, and should ban that user's IP. That's the whole reason I wrote the plug-in, but you could also add it to your functions.php file, and incorporate it into the themes you build for clients as a native feature.

    I just wish WordPress had some built-in alert system, or even a 3-strike rule that then emails a site owner when someone has tried too many times and failed, so we can investigate potential attacks. Not trying to hijack this thread or go off topic, but check out my login alerts plug-in to see what I mean. It emails me the username and IP address of any user attempting to log in. I think it's an invaluable tool for WordPress site admins, and for those who don't have htaccess setups, so long as your server can send mail via PHP, this solution might help you. IIS servers sometimes need more configuring to set up the mail side to work with PHP, but that's something your webhost should be able to enable or fix for you. Either way, a login alert for potential brute force attacks should be a consideration for a core feature of WordPress. I know security is a key focus for WordPress developers, but this should be something built natively into the core. Just my 2 cents.

    Posted: 5 years ago #
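The login-alert and 3-strike behaviour DigiP describes above, written out as an added example for a theme's functions.php or a mu-plugin. This is not DigiP's plug-in and not WordPress core code; it uses the standard `wp_login_failed`, `wp_login`, `wp_mail` and transient APIs, while the threshold of 3 failures, the 15-minute window, and the `login_alert_*` function names are assumptions made for the example.

```php
<?php
/**
 * Added example (not DigiP's plug-in, not WordPress core): email the site
 * admin on each failed login, with a per-IP "3 strikes" escalation inside a
 * 15 minute window. Threshold, window and function names are assumptions.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run inside WordPress.
}

// Assumed policy values for the example.
const LOGIN_ALERT_STRIKES = 3;                      // failures before escalation
const LOGIN_ALERT_WINDOW  = 15 * MINUTE_IN_SECONDS; // counter lifetime

/**
 * Client IP. Only REMOTE_ADDR is trusted: X-Forwarded-For is attacker
 * controlled unless a trusted reverse proxy is in front, so it is ignored.
 */
function login_alert_client_ip() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    return filter_var( $ip, FILTER_VALIDATE_IP ) ? $ip : 'unknown';
}

/**
 * Increment the per-IP failure counter (stored in a transient that expires
 * after LOGIN_ALERT_WINDOW seconds) and return the new count.
 */
function login_alert_record_failure( $ip ) {
    $key   = 'login_fail_' . md5( $ip );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, LOGIN_ALERT_WINDOW );
    return $count;
}

/**
 * wp_login_failed passes the submitted username only (never the password,
 * and nothing here logs one). Sends the per-attempt alert and a louder
 * alert when the same IP reaches the strike threshold.
 */
function login_alert_on_failure( $username ) {
    $ip    = login_alert_client_ip();
    $count = login_alert_record_failure( $ip );
    $admin = get_option( 'admin_email' );
    $site  = wp_parse_url( home_url(), PHP_URL_HOST );
    // The username is attacker supplied: strip it before it goes into mail.
    $username = sanitize_user( $username, true );

    $subject = sprintf( '[%s] Failed login attempt as "%s"', $site, $username );
    $body    = sprintf(
        "Username: %s\nIP: %s\nTime (UTC): %s\nFailures from this IP in last %d min: %d\n",
        $username,
        $ip,
        gmdate( 'Y-m-d H:i:s' ),
        LOGIN_ALERT_WINDOW / MINUTE_IN_SECONDS,
        $count
    );

    if ( $count === LOGIN_ALERT_STRIKES ) {
        $subject = sprintf( '[%s] %d failed logins from %s: possible brute force', $site, $count, $ip );
        $body   .= "\nThreshold reached. Check the access log and consider blocking this IP.\n";
    }

    // Alert only up to the threshold per window, so an attacker cannot
    // turn the alert itself into an inbox flood.
    if ( $count <= LOGIN_ALERT_STRIKES ) {
        wp_mail( $admin, $subject, $body );
    }
}
add_action( 'wp_login_failed', 'login_alert_on_failure' );

/**
 * A successful login from the IP clears its counter, so a legitimate
 * user's typos do not accumulate across the window.
 */
function login_alert_on_success( $user_login, $user ) {
    delete_transient( 'login_fail_' . md5( login_alert_client_ip() ) );
}
add_action( 'wp_login', 'login_alert_on_success', 10, 2 );
```

The snippet depends on PHP being able to send mail, as DigiP notes; if `wp_mail()` fails silently, the hook still runs but nothing arrives, so test it once with a deliberate bad password. It does not replace restricting /wp-admin by IP; it only tells you who is knocking.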
  2. Ipstenu (Mika Epstein)

    Given that IIS, Apache, and nginx all have different ways one might secure files, and how every server is a little different and everyone's setup is too, it's very difficult to find a way to lock everything down as you described.

    BTW, IP banning is nearly useless these days, thanks to things like the Tor project which allow you to use anyone's IP. And if you block Tor, you block a lot of legit users too. Given the howls I used to get when I blocked an AOL IP back in the day, because I hit the innocent too, I don't know that it was ever a good, sustainable plan.

    Posted: 5 years ago #
  3. edumusa


    Agreed: more protection, and/or change the name of wp-admin.

    Posted: 3 years ago #
