Secure your WordPress admin pages


After a friend’s WordPress blog/server was hacked recently, I took a deeper look into securing my site beyond the default security available. While there are plenty of security enhancement plugins available on WordPress.org, essentially all of those I saw had poor ratings, insufficient feedback, were untested with current WordPress versions or were otherwise not what I wanted.

Instead, there is a simple, fool-proof way to protect the admin section of your blog: restrict it to your own IP addresses with a .htaccess file. Be aware that this is not the .htaccess file in your root directory; applying these directives to that file will prevent anyone from accessing your blog at all.

To secure your admin pages, create a new .htaccess file in your http://www.domain.com/wp-admin/ directory and copy in the following code.

# Deny everyone by default, then allow only the listed addresses (Apache 2.2 syntax)
order deny,allow
deny from all
# home
allow from xxx.xxx.xxx.xxx
# office
allow from xxx.xxx.xxx.xxx
# etc.
allow from xxx.xxx.xxx.xxx

Replace the descriptions and enter the IP addresses of your home, office, mobile etc., and you will deny any outsider access to this entire section of your blog. If your IP address changes you will be locked out temporarily, but you simply have to update the file to reflect your new address.
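The same allow-list written for Apache 2.4, where the order/deny/allow directives above are only honoured if the compatibility module mod_access_compat is loaded. This is an added example, not part of the original post; the addresses are constructed placeholders, and it assumes mod_authz_core is available and that AllowOverride permits .htaccess files in both directories.

```apacheconf
# wp-admin/.htaccess (Apache 2.4, mod_authz_core)
# Several Require lines outside a <RequireAll> block are combined as
# "any one of these": a client is admitted if it matches at least one,
# and denied otherwise. Addresses are constructed placeholders.

# Keep admin-ajax.php reachable: themes and plugins call it from the public
# site, not only from the dashboard, so denying it breaks front-end features.
<Files "admin-ajax.php">
    Require all granted
</Files>

# home (a single address)
Require ip 203.0.113.7
# office (a CIDR range, useful when the address moves within one block)
Require ip 198.51.100.0/24
# mobile, etc. (IPv6 prefixes work the same way)
Require ip 2001:db8::/32

# wp-login.php lives in the site root, not under wp-admin/, so this file
# does not cover it. To apply the same allow-list there, add the block
# below to the ROOT .htaccess: a <Files> block affects only that one file,
# so the rest of the site stays public.
#
#   <Files "wp-login.php">
#       Require ip 203.0.113.7
#       Require ip 198.51.100.0/24
#   </Files>
```

After saving, confirm from an address that is not listed that /wp-admin/ returns 403 while the front page still loads.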

Much easier.

In my opinion, using a plugin to achieve this is more complicated than it needs to be. By using a .htaccess file instead you’ll never have to worry about updates, version incompatibilities, bugs etc. Simple and secure.

14 thoughts on “Secure your WordPress admin pages”

  1. Another option, Andrew, is just to create a .htaccess that has a users list – I’m sure there are some people out there who need to log in to their admin page from any number of different IP addresses.

    I currently have a tutorial page hidden away on one of my domains to help show new contributors how to access the login page and add posts etc – for obvious reasons, even though there are no logins or passwords listed on this tutorial page I still password protect it so that only authorised users can access it.

  2. Ewan,

    That’s a good point. It’s just little old me on my blog so adding my desktop and mobile was all that was required. I don’t blog from anywhere else.

  3. No worries mate,

    I’ve had a plugin crash my database before, which took about 5 hours to fix, which is why I opted for this method instead.

    No complications and it’s pretty bulletproof.

  4. Good to see someone else with the same great solution! But I’d love to see an example of using a users list. Right now, I do use the IP level security on my blogs after having well over 200 blogs defaced. Locked pretty tight now. Right now if I’m accessing my blog away from home, I’ll log into my home’s firewall with a VPN channel and surf from my home address, so that covers most of the bases.

    Cheers,

    Frank

  5. Frank,

    200, wow! I don’t envy you having to fix that. I was with a different web host at one point and had a database crash affect 6 sites, even that was a nightmare to fix.

  6. I’ve just implemented the code, and it works! I tried using a different IP address (to test it) and it blocked me :)

    So, thanks again Andrew for the code. I just checked my spam comments in the WP admin, and I found a spammer named “1” trying 20 times to execute some kind of code in the blog, so my eyes are peeled…

  7. Andrew,

    Of course it works! What? Did you think I just made it all up hoping no one would try it? ;)

  8. …Hmm actually, I’m having problems with it. It worked fine for 3 days, but today, even I couldn’t log in to my admin panel from the same location/IP, and couldn’t until I removed the code. Any suggestions???

  9. Andrew,

    According to my WordPress log your IP address has changed.

    Your last comment was left from *.*.21.157 while this comment is from *.*.46.242. Looking back through your previous comments there are blocks of comments from various IPs with a change every few months.

    I ran an IP lookup on all the IPs and they all come up for the same ISP. I know my ISP occasionally changes my IP address, only maybe once or twice per year. I guess yours is the same, but a bit more frequent?

    Depending on how often it changes, it might be worth your while still using the same security method as, being aware of the issue, it would only take you 10 seconds to update and replace your .htaccess file. I know that’s not ideal from a convenience point of view, but at least you’ll still have the security.

    Alternatively you could try the username/password method Ewan specified, not quite as secure but it’s still another layer of security. I’ll dig up a bit of info on using this and post back.

    ( Coming soon! Ditching my graphic design blog for a tech support one! )

  10. Cheers for looking into that Andrew. The whole IP thing is news to me, although this does explain another problem I’ve been having with an online TV-viewing program I use. I’ll look into it :)

    On an unrelated matter, how did you sort out your RSS feed problem? I can remember a few months back, all your RSS articles were being delivered in blocks of 5, roughly once every few weeks (in my Reader anyway). It seems as though I’m now having the same problem. Ever since WP version 3.0, none of my new posts show up in my feed?

    UPDATE: Sorted my RSS feed now. It turns out it was larger than 512k, due to me setting the post limit to 100 in WP settings by mistake. Sorted now. Hopefully.

  11. Andrew,

    Mine was a content structure issue I believe.

    Previously my excerpts were quite long, and I wasn’t using noindex anywhere in my site. Between my sub-pages, category archives and the posts themselves competing for rank I was having some duplicate content/indexing issues.

    At the time of the issue I had about 200 unique posts though only 140 or so were indexed; sub-pages and categories were being indexed instead of the posts.

    After no-indexing my sub pages and shortening my excerpts, all outstanding posts were indexed within a few days, and all content since has been fine. No more pingbacks arriving 3 months later ;)

  12. Frank,

    I’m not sure who you use for your hosting or whether you run it all yourself but depending on any number of variables there is a different setup scenario for utilising a ‘users’ list.

    Hopefully it isn’t too overwhelming but after a recent security breach on one of my websites I utilised this website to perfect my .htaccess skills.

    Hope this is of some help? Sorry for the delayed reply…
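The users-list approach mentioned in Ewan’s first comment and in the reply above, written out for Apache 2.4. This is an added example, not from the original page or its commenters; the password-file path and user name are constructed placeholders, and it assumes mod_auth_basic, mod_authn_file and mod_authz_core are loaded and that AllowOverride permits AuthConfig in .htaccess.

```apacheconf
# wp-admin/.htaccess (Apache 2.4): HTTP Basic authentication in front of the
# WordPress login. Create the password file OUTSIDE the web root first, e.g.
#   htpasswd -B -c /home/example/.htpasswd editor
# (-B stores a bcrypt hash; -c creates the file, so omit it when adding users).
# The path and user name are constructed placeholders.
AuthType Basic
AuthName "WordPress admin"
AuthUserFile /home/example/.htpasswd

# Plain users list: anyone in the .htpasswd file, from any address.
# Uncomment this line and drop the <RequireAny> block for that behaviour.
# Require valid-user

# Combined form (the 2.4 replacement for "Satisfy Any"): trusted addresses
# get in without the extra prompt, everyone else must present a valid
# .htpasswd login. This avoids the lock-out when a home IP changes while
# still rejecting unauthenticated outsiders.
<RequireAny>
    Require ip 203.0.113.7
    Require valid-user
</RequireAny>

# admin-ajax.php is called from the public site, so leave it open.
<Files "admin-ajax.php">
    Require all granted
</Files>
```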

  13. I blog from all kinds of places. One simple thing you can do is change your user name from admin to something else. I still see people who haven’t done that.
