hiding login page

  • On all my sites I use a little code in order to hide my login page:

    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    RewriteCond %{REMOTE_ADDR} !^00\.000\.00\.000$
    RewriteRule ^(.*)$ - [R=403,L]
    </IfModule> 

    However, I can see that scammers are able to view it and attempt logins.
    I know it’s just a little security hack, but why isn’t it working at its best?

Viewing 6 replies - 1 through 6 (of 6 total)
  • Try using this RewriteRule:

    RewriteRule .* - [F]

    I will try that. However, I would like to know how they are able to sniff the login page whereas I’m not.

    Besides wp-login.php and wp-admin, you/an attacker can also log in to WordPress via XMLRPC.

    Ok. What about that new RewriteRule: should I just add a line to my code, or substitute Rule to Cond?

    The problem is they can also get over this code:

    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{REMOTE_ADDR} !^37.160.55.111
    RewriteCond %{REQUEST_URI} !/manutenzione.html$ [NC]
    RewriteCond %{REQUEST_URI} !\.(jpe?g?|png|gif) [NC]
    RewriteRule .* /manutenzione.html [R=302,L]
    </IfModule>

    …besides, that RewriteRule .* - [F] is preventing me from viewing the login page.

    That Rule definitely doesn’t work. It blocks me as well.
    I need to solve this problem because as soon as I enable /wp-admin I get a series of login attempts, as if someone is just waiting for my login page to appear. I have no idea how they can do that, and I must act.
    Any other suggestion from anyone?
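
An added example, not part of any post in this thread: a small Python audit that emulates the RewriteCond patterns from the first post and reports which request paths they actually cover. The sample paths and the client address 203.0.113.7 are constructed for illustration; the allowed address is the placeholder exactly as posted.

```python
import re

# URI conditions from the first post's rule (joined by [OR]).
URI_PATTERNS = [r"^(.*)?wp-login\.php(.*)$", r"^(.*)?wp-admin$"]
# IP exclusion from the same rule; placeholder address as posted.
ALLOWED_IP = r"^00\.000\.00\.000$"

# Constructed sample requests covering the entry points named in the thread.
SAMPLE_URIS = [
    "/wp-login.php",
    "/wp-login.php?action=lostpassword",
    "/wp-admin",
    "/wp-admin/",
    "/wp-admin/index.php",
    "/xmlrpc.php",
]


def is_blocked(uri, remote_addr):
    """Emulate the posted rule: (cond1 OR cond2) AND client-not-allowed -> 403."""
    # Apache's REQUEST_URI holds the path only, without the query string.
    path = uri.split("?", 1)[0]
    uri_hit = any(re.search(p, path) for p in URI_PATTERNS)
    ip_allowed = re.search(ALLOWED_IP, remote_addr) is not None
    return uri_hit and not ip_allowed


def audit(remote_addr="203.0.113.7"):
    """Return {uri: True if the rule would answer 403 for this client}."""
    return {uri: is_blocked(uri, remote_addr) for uri in SAMPLE_URIS}


def uncovered(remote_addr="203.0.113.7"):
    """Paths the rule never matches, so the IP check is not applied to them."""
    return [uri for uri, blocked in audit(remote_addr).items() if not blocked]


if __name__ == "__main__":
    for uri, blocked in audit().items():
        print(f"{'403' if blocked else 'not matched':<12} {uri}")
```

The second pattern ends in `wp-admin$`, so it matches `/wp-admin` but not `/wp-admin/` or anything beneath it, and neither pattern mentions `xmlrpc.php`, the endpoint raised in the replies.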
