WordPress administrative tasks, as well as the Dashboard for adding posts, pages, themes, and plugins and for changing settings, are all located inside the /wp-admin directory. Attackers already know this, so they can try brute-force style attacks to guess your password. To help prevent this, it is best to limit access to the wp-admin directory so that only you (and your writers) can reach it. This is only effective if you have a static IP and you sign on to WordPress from the same location. It's very simple to implement as long as you have access to .htaccess files.
Note: This will not work if you have a dynamic IP. You will end up locking yourself and/or your writers out of the Admin area.
- Download the .htaccess file from your /wp-admin directory (NOT your root directory). If it doesn’t exist, create one.
- Open the file with a text editor like Notepad++. Do not use word processors such as Microsoft Word.
- Add the following lines:
```apache
# /wp-admin/.htaccess
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Example Access Control"
AuthType Basic
# Deny everyone, then allow only the listed address(es).
# The access-control directives are deliberately NOT wrapped in <Limit GET>:
# a <Limit GET> block leaves other methods (POST, etc.) unrestricted.
Order deny,allow
Deny from all
Allow from xxx.xx.xx.xxx
```
- Replace xxx.xx.xx.xxx with your IP Address. Remember, this will only work if you have a static IP and you sign on at the same location or network. You can also have multiple IP addresses. Simply add another “allow from” line.
- Save the file.
- Upload the new file to /wp-admin (not the root directory).
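As an added example (not the post's own file), here is a fuller /wp-admin/.htaccess that allows several addresses and a whole range, and that works on both the Apache 2.2 syntax used above and the Apache 2.4 `Require` syntax, which is what a current host is likely to run. The addresses are placeholders from the documentation ranges; replace them with your own static IPs. Two caveats a practitioner will want: WordPress's login form is wp-login.php in the site root, so a file in /wp-admin does not cover it on its own, and some plugins call /wp-admin/admin-ajax.php from the public site, which is why the example exempts that one file.

```apache
# /wp-admin/.htaccess  (added example; placeholder addresses, not real ones)

# Apache 2.4: prefer Require; RequireAny lets any listed address through.
<IfModule mod_authz_core.c>
    <RequireAny>
        Require ip 203.0.113.10
        Require ip 198.51.100.0/24
    </RequireAny>
</IfModule>

# Apache 2.2 (or 2.4 with mod_access_compat): legacy Order/Deny/Allow syntax.
# Not wrapped in <Limit GET>, so POST and other methods are restricted too.
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
    Allow from 198.51.100.0/24
</IfModule>

# admin-ajax.php is used by some plugins on the public site; exempt it
# explicitly. Remove this block if nothing on your site needs it.
<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Files>
```

After uploading, check the rule from a network that is not on the list (a phone on mobile data, for instance): a request to /wp-admin/ should return 403 Forbidden, while your own address still gets the Dashboard.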
This is a very effective way to secure your WordPress blogs; however, it will only work if you have a static (constant) IP address. If you have a dynamic IP, there are other options, including Login Lockdown (it wouldn't hurt to use Login Lockdown even if the above works for you).