WordPress Security Tips for your wp-admin access

Security is really important for your WordPress admin area. This article gives you some tips on how to secure wp-admin access in WordPress. The information comes from a notice our WordPress hosting provider posted in our control panel. The letter is important for users of the WordPress CMS who want to keep out attackers that can cause great damage to your work.

Please read and apply these instructions if your wp-admin is not yet secure.

———————————–
Dear owners,

Over the past few weeks our system administrators have detected an unusually high amount of traffic towards wordpress login pages such as http://www.yoursite.com/wp-admin

Our administrators have analyzed the traffic and have come to the conclusion that it is part of a global, massive brute-force attack against WordPress sites.

Unlike hacks that focus on vulnerabilities in software, a Brute Force Attack aims at being the simplest kind of method to gain access to a site: it tries usernames and passwords, over and over again, until it gets in. Often deemed ‘inelegant’, they can be very successful when people use passwords like ‘123456’ and usernames like ‘admin.’

They are, in short, an attack on the weakest link in any website’s security: You.

Due to the nature of these attacks, you may find your server’s memory goes through the roof, causing performance problems. This is because the number of http requests (that is the number of times someone visits your site) is so high that servers run out of memory.

This sort of attack is not endemic to WordPress; it happens with every webapp out there, but WordPress is popular and thus a frequent target.

As such we would like to offer you a few very simple tricks to protect your WordPress site:

1. Limit Access to wp-admin by IP

If you are the only person who needs to log in to your Admin area and you have a fixed IP address, you can deny wp-admin access to everyone but yourself via an .htaccess file.

Create a file called .htaccess or simply edit the existing one (if any) in the /wp-admin folder and add:

# Block access to wp-admin: deny everyone first, then allow only the listed IP.
# (With "order allow,deny" followed by "deny from all", the deny wins and locks you out too.)
order deny,allow
deny from all
allow from x.x.x.x

Where x.x.x.x is your IP address. You can add multiple IP addresses by repeating the line allow from x.x.x.x once for each IP you wish to whitelist.

2. Limit Access to wp-login.php by IP

You can also limit the access to your wp-login.php file inside your wp-admin/ area via an .htaccess file.

Create a file called .htaccess or simply edit the existing one (if any) in the /wp-admin folder and add:

# Restrict wp-login.php only. A <Files> block matches a wp-login.php in the
# directory (or subdirectories) of the .htaccess it is written in.
<Files wp-login.php>
Order deny,allow
Deny from all
Allow from x.x.x.x
</Files>

Where x.x.x.x is your IP address. You can add multiple IP addresses by repeating the line Allow from x.x.x.x once for each IP you wish to whitelist.

3. Update your robots.txt file

Add the following lines to your robots.txt file, or create a file named robots.txt with the following content:

User-agent: *
Disallow: /wp-admin
Disallow: /wp-login.php
Disallow: /administrator

This will essentially block the indexing of those folders in the search engines, as the brute force attackers generate lists of such URLs (intitle: Log In and inurl: wp-login) with the help of the major search engines. This method is more of a long-term prevention, as it will take a few months for the search engines to update this information, but it should resolve any bruteforce attempts for good.

4. Protecting yourself from spam comments

On another note, if you are receiving a large amount of spam comments on your WordPress site, you can deactivate commenting by doing the following:

Go to yoursite.com/wp-admin/options-discussion.php

Uncheck Allow people to post comments on new articles

You WILL need to go to all existing posts and turn off comments there as well.

If you still want people to be able to comment you might consider having them register first. In that case check the box: Users must be registered and logged in to comment instead.

Best Regards
Technical Support Department
——————————
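To see the brute-force traffic the letter describes in your own access log, here is a small detection script added as an example (it is not part of the letter or of Eyewebmaster's material): it counts POST requests to wp-login.php and xmlrpc.php per client address in Apache combined log format and flags addresses at or above a threshold. The log lines are constructed for the example, and the threshold of 10 is an assumption to tune per site.

```python
import re
from collections import Counter

# Apache combined/common log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# Both endpoints accept WordPress credentials; xmlrpc.php is a common second target.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

def count_login_posts(lines):
    """Count POST requests to the login endpoints per client IP."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path.endswith(LOGIN_PATHS):
            counts[m["ip"]] += 1
    return counts

def suspicious_ips(lines, threshold=10):
    """Return (ip, count) pairs at or above the threshold, busiest first.

    The threshold is an assumption to tune per site: a real user mistypes a
    password a handful of times, not dozens of times within a minute.
    """
    return [(ip, n) for ip, n in count_login_posts(lines).most_common() if n >= threshold]

# Constructed sample log (documentation addresses, not real traffic): one client
# posting the login form twelve times in a minute, one normal login, one junk line.
SAMPLE_LOG = [
    f'203.0.113.9 - - [10/Apr/2014:02:11:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "-"'
    for s in range(12)
] + [
    '198.51.100.4 - - [10/Apr/2014:02:15:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2112 "-" "-"',
    '198.51.100.4 - - [10/Apr/2014:02:15:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.4 - - [10/Apr/2014:02:15:08 +0000] "GET /wp-admin/ HTTP/1.1" 200 8801 "-" "-"',
    'this line is not in log format and is skipped',
]

if __name__ == "__main__":
    for ip, n in suspicious_ips(SAMPLE_LOG):
        print(f"{ip}: {n} login POSTs")
```

Addresses this flags are candidates for the per-IP deny rules or a rate limiter at the web server; the script only reports, it does not change any configuration.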

Security is really important: it protects the work you are doing, especially for your clients. With the rise of online businesses, competition is inevitable. Everyone uses strategies to reach the top of the rankings, and some would use strategies that damage a competitor's reputation online. We at Eyewebmaster hope these simple instructions are useful in protecting your site. If you have more issues with your website, please let us know and we hope we can help in some way.
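A helper for the IP allowlist in sections 1 and 2 of the letter above, added here as an example (it is not code from the letter or from Eyewebmaster): it validates each address or CIDR range and writes the <Files wp-login.php> fragment either in the legacy Order/Deny/Allow syntax or in the Apache 2.4 Require ip syntax, which is what a current Apache expects unless mod_access_compat is loaded. The function names, parameters and sample addresses are assumptions of this example.

```python
import ipaddress

def validate_ips(ips):
    """Normalise a list of IPv4/IPv6 addresses or CIDR ranges.

    Raises ValueError on anything that is not a valid address or network, so a
    typo never silently produces a rule that locks you out or admits the wrong
    range. Single hosts come back as plain addresses, ranges in CIDR form.
    """
    out = []
    for ip in ips:
        net = ipaddress.ip_network(ip.strip(), strict=False)
        out.append(str(net.network_address) if net.num_addresses == 1 else str(net))
    return out

def build_htaccess(ips, filename="wp-login.php", apache24=True):
    """Return an .htaccess fragment that serves `filename` only to `ips`.

    apache24=True  -> mod_authz_core syntax:  Require ip a.b.c.d ...
    apache24=False -> legacy Order/Deny/Allow syntax as in the letter; on
                      Apache 2.4 this only works with mod_access_compat loaded.
    """
    allowed = validate_ips(ips)
    if not allowed:
        raise ValueError("refusing to write a rule that allows nobody in")
    lines = [f"# Allow {filename} only from the listed addresses.",
             f"<Files {filename}>"]
    if apache24:
        lines.append("    Require ip " + " ".join(allowed))
    else:
        # Deny everyone first, then allow the listed addresses: with
        # "Order allow,deny" a trailing "Deny from all" would win and deny them too.
        lines.append("    Order deny,allow")
        lines.append("    Deny from all")
        lines += [f"    Allow from {ip}" for ip in allowed]
    lines.append("</Files>")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed example addresses (documentation ranges, not real users).
    print(build_htaccess(["203.0.113.5", "198.51.100.0/24"]))
    print(build_htaccess(["203.0.113.5"], apache24=False))
```

Place the output in the .htaccess of the directory that contains the file you are restricting, and check that your own address is in the list before saving.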

About the Author: Rosendo Cuyasen Jr. is the head of Eyewebmaster, a web development and SEO firm in the country. You can follow him on Twitter at @Eyewebmaster, and you can also like his Facebook and Google+ accounts.

2 comments

  1. benhur ramirez - April 11, 2014 9:23 pm

    The problem with Limit Access to wp-login.php by IP is when you are going to places every day. I once tried this option and it's a terrible idea that I have to once again go to my cPanel and edit my .htaccess before I can successfully gain access.

  2. Rosendo Cuyasen - June 24, 2014 10:54 pm

    Yes, the hard part is the editing, but I believe security is much better than making your website vulnerable to hackers.