• Resolved Brandon

    (@glassanemone)


My site is hosted on a GoDaddy shared server. I used their web-based control panel to protect the wp-admin folder, which created an .htaccess file in the wp-admin folder with the below lines in it:

    authtype basic
    authgroupfile /dev/null
    authuserfile /home/content/xx/xxxxxxxx/htconfig/.htpassword.ghtpassword
    authname "Secure Area"
    require user myusername

I then inserted the below lines to prevent the username/password prompt on pages other than the WP admin login page:

    <Files "admin-ajax.php">
    Order allow,deny
    Allow from all
    Satisfy any
    </Files>

When I hit my WP admin login page, I first have to enter the username/password combo set up in the .htaccess file, and then I am dropped into the WP admin login page.

This morning I received the following email from Wordfence:

    A user with IP address 211.110.140.196 has been locked out from the signing in or using the password recovery form for the following reason: Exceeded the maximum number of login failures which is: 10. The last username they tried to sign in with was: ‘admin’
    User IP: 211.110.140.196

Sure enough, when I checked the Wordfence logs there were 10 login attempts. But when I checked my Apache logs I did not see any login attempts. Is my understanding of how I have protected my wp-admin folder incorrect? I do not understand how someone could have hit my WordPress admin login page without first cracking the login credentials set up for my wp-admin folder. Is it because the .htaccess file for the wp-admin folder lives within my WordPress install directory? Should I try to locate it one level up, outside the html directory?

    site: brandonmarkwalder.com

    Thanks.

Viewing 9 replies - 1 through 9 (of 9 total)
  • Whether or not you might care to ever use a security plugin, I suspect AITpro will give you an answer about that and a bit of insight here:
    http://wordpress.org/plugins/search.php?q=bulletproof

    wp-login.php is not in the wp-admin folder, so I don’t understand how your .htaccess protection works.

    Thread Starter Brandon

    (@glassanemone)

    Rod,

I’m now realizing that, but I think I might still be in good shape. After reading your post, I tried protecting wp-login.php with GoDaddy’s tools but was not able to do so. I will try to figure out how to do so manually. Another option is to rename wp-login.php to something else, but it looks like that involves messing with core files, which I’m not a fan of.

    Upon further testing here is what I have discovered:

If I navigate to /wp-login I am first prompted to enter the username/password combo I set up with the wp-admin folder .htaccess protection. Then I am prompted to enter my WordPress install username/password combo. If I try to cancel out of the first prompt it returns an error page.

If I navigate to /wp-login.php I get the same prompts, but if I hit cancel at the first prompt (the .htaccess prompt), I am dropped onto an unformatted version of my WordPress login page. That is how the attacker was able to try logging in, and it only showed in my Wordfence logs and not my Apache logs. But if he had cracked my WordPress username/password combo before getting locked out by Wordfence, he would then have to crack the wp-admin folder .htaccess username/password; otherwise it returns an error page.

Can anyone provide guidance on protecting wp-login.php with .htaccess on a GoDaddy shared server without using a plugin?

The bit51 security plugin allows wp-login.php to be made unreachable.
There are numerous areas that will need to be addressed once this plugin is installed, yet the tab you will look for is “Hide”. Maybe there is the same sort of option in your current security suite.

    Thread Starter Brandon

    (@glassanemone)

    Amado,

I’d rather not use a plugin for this. I was able to figure out how to lock down wp-login.php so it works just like my wp-admin .htaccess protection. However, as expected, it broke the password-protected pages on my site. So now I need to figure that out. Here is what I added to the .htaccess file in my main folder:

    # Protect wp-login
    <Files "wp-login.php">
    authuserfile /home/content/xx/xxxxxxxx/htconfig/.htpassword.ghtpassword
    authname "Secure Area"
    authtype basic
    require user myusername
    </Files>

    I will keep working on this and if I find a working solution I will be sure to post it.

    Thanks.

Brandon, I specifically lock my admin login to a specific IP range with a .htaccess file in the wp-admin directory. I am on a very specific range, so this works for me. Yet it depends on your environment.

    Deny from All
    Allow from —.–
    Allow from 127

where “Allow from” has a specific range, for example:

Deny from All
Allow from 123.45
Allow from 127

    Another Layer of defense.

    Thread Starter Brandon

    (@glassanemone)

    Thanks Amado,

    Limiting access to wp-login.php by IP address did the trick.

    Thread Starter Brandon

    (@glassanemone)

Well, just now getting back to updating this. Limiting by IP address breaks my password-protected pages as well. I assume that’s because password-protected pages rely on wp-login.php.

In the end, it’s not a huge deal, as my existing setup works, just not as slick as I want it to.

All you have to do is protect it with your IP address with this in .htaccess 🙂 No one with an IP address listed below will be allowed & will receive an access denied error . . .

Place this right above # BEGIN WordPress. Where you see the number 1 in each segment, just replace it with your IP; if you need to add additional IPs, just repeat the line with the new IP address:

<IfModule mod_rewrite.c>
RewriteEngine on
# Match requests for the login script or for the wp-admin directory...
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# ...that do not come from a listed IP address (repeat this line once per allowed IP)
RewriteCond %{REMOTE_ADDR} !^11\.11\.111\.111$
RewriteCond %{REMOTE_ADDR} !^11\.11\.111\.111$
# Return 403 Forbidden; "-" means the URL is not rewritten
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

    Merry Christmas
    Linda Lou ~ WordPress on Fire
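Building on the rewrite approach in the reply above, here is an added example (not posted by anyone in this thread) of an IP allowlist for wp-login.php and wp-admin that keeps WordPress password-protected pages working: the post-password form submits to wp-login.php?action=postpass, so that one request is exempted, as is admin-ajax.php, which front-end features rely on. The address 203.0.113.10 is a placeholder for your own IP, and the patterns assume WordPress is installed at the site root so that REQUEST_URI begins with /.

```apache
<IfModule mod_rewrite.c>
RewriteEngine On
# Exempt the post-password form submission (wp-login.php?action=postpass),
# otherwise password-protected pages break for visitors.
RewriteCond %{QUERY_STRING} !(^|&)action=postpass(&|$)
# Match the login script, or anything under wp-admin (with or without a trailing slash)...
RewriteCond %{REQUEST_URI} ^/wp-login\.php$ [OR]
RewriteCond %{REQUEST_URI} ^/wp-admin(/|$)
# ...but leave admin-ajax.php reachable, as the first post in this thread also does.
RewriteCond %{REQUEST_URI} !^/wp-admin/admin-ajax\.php$
# Placeholder IP: repeat this line once per allowed address.
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
# F returns 403 Forbidden and implies L; "-" means no URL rewrite.
RewriteRule ^ - [F]
</IfModule>
```

Put this in the site-root .htaccess above the # BEGIN WordPress block, and test a password-protected page and a front-end AJAX feature from an address that is not on the list before relying on it.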


The topic ‘Protecting wp-admin folder with htaccess’ is closed to new replies.