How to Protect your WordPress Login

Not having posted for quite a while, I found that I was locked out of the WordPress login page.
That was a really good refresher for me, having to check all the things I might have done to protect this site from getting hacked – so far as practicable.


First stop was to check where the Nameservers for this domain were pointing.
After digging out the user name and password for domaincheapsters.com I checked the nameservers stevemackay.com was pointing to – in one of my hosting accounts.
Next I needed to check which of my hosting accounts at d9hosting.com uses the nameservers.

Then I opened up FireFTP and downloaded a copy of my website.
So far so good, but still no joy.
The information I really wanted was in a MySQL database file.
This meant digging out another user name and password to get into the cPanel of my hosting account.
The information was there – but I had no idea which of the 193 MySQL databases was used for this site.
Unfortunately WordPress gives MySQL databases names automatically, unless they are edited.
Although I checked a few, I really don’t have the patience to go through files in wrdp1 all the way to wrdp193 to find the one I was looking for.
Instead I checked the contents of a few PHP files – nothing there to cause a problem.

Finally I checked the .htaccess file.
This is a hidden file – so you need to tick the option in your FTP program to even see that the file exists.
.htaccess is where I had added protection to make it more difficult for others to log in.
I had added code so that only a PC having my IP address could open the log-in screen.

A quick google check of my IP address showed it had changed.

Updating my IP address, then using FireFTP to overwrite the old copy of .htaccess – and suddenly I could log in to my blog again.

.htaccess is a critically important file – so I was careful to use my trusted copy of Notepad++ for the editing.

The code to protect any WordPress site by refusing to display the login screen at …/wp-admin to anyone but your own IP address is:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# Only the listed address may fetch wp-login.php; everyone else gets 403
# (Order/Deny/Allow is Apache 2.2 syntax; Apache 2.4 needs mod_access_compat for it)
<Files ~ "^wp-login.php">
Order deny,allow
Deny from all
Allow from 10.20.200.180
# replace 10.20.200.180 with your own IP address
</Files>


You can repeat the line ‘Allow from ….’ as many times as you need, with as many IP addresses as you use.
This code must be saved in a .htaccess file, then uploaded to the root folder of your domain on your server.
Make sure you keep any existing code in the file before adding this extra code.
Don’t forget that your IP address is likely to change every time you switch your router off and on again, which is exactly what locked me out.
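Because the lockout above came from a stale ‘Allow from’ line, here is an added Python helper (not part of the original post) that parses the <Files> block, tells you whether a given client address would still be allowed through, swaps a stale address for a new one after validating it, and emits the equivalent Apache 2.4 ‘Require ip’ block, since Order/Deny/Allow is 2.2 syntax that 2.4 only serves through mod_access_compat. The sample .htaccess text and the addresses 203.0.113.0/24 and 198.51.100.7 are constructed for the example.

```python
import ipaddress
import re

# Constructed sample of the wp-login.php block from the post (Apache 2.2 syntax).
HTACCESS = """\
<Files ~ "^wp-login.php">
Order deny,allow
Deny from all
Allow from 10.20.200.180
Allow from 203.0.113.0/24
</Files>
"""

FILES_BLOCK = re.compile(r"<Files[^>]*>(.*?)</Files>", re.S | re.I)
ALLOW_LINE = re.compile(r"^\s*Allow\s+from\s+(.+?)\s*$", re.I)

def allowed_sources(htaccess):
    """Collect every address or CIDR on 'Allow from' lines inside the <Files> block."""
    block = FILES_BLOCK.search(htaccess)
    sources = []
    for line in (block.group(1).splitlines() if block else []):
        m = ALLOW_LINE.match(line)
        if m:
            sources.extend(m.group(1).split())  # Apache accepts several hosts per line
    return sources

def login_permitted(htaccess, client_ip):
    """True if client_ip falls inside any allowed source; 'Deny from all' covers the rest."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(s, strict=False) for s in allowed_sources(htaccess))

def update_allow(htaccess, old_ip, new_ip):
    """Replace a stale 'Allow from old_ip' line with new_ip, validating new_ip first."""
    ipaddress.ip_address(new_ip)  # raises ValueError, so a typo never reaches the server
    pat = re.compile(r"^(\s*Allow\s+from\s+)" + re.escape(old_ip) + r"\s*$", re.M | re.I)
    text, count = pat.subn(lambda m: m.group(1) + new_ip, htaccess)
    if count == 0:
        raise ValueError(f"no 'Allow from {old_ip}' line found")
    return text

def to_apache24(htaccess):
    """Emit the same allowlist in Apache 2.4 syntax, which needs no mod_access_compat."""
    requires = "\n".join(f"    Require ip {s}" for s in allowed_sources(htaccess))
    return f'<Files "wp-login.php">\n{requires}\n</Files>\n'

if __name__ == "__main__":
    print(login_permitted(HTACCESS, "198.51.100.7"))  # False: the new address is locked out
    print(to_apache24(update_allow(HTACCESS, "10.20.200.180", "198.51.100.7")))
```

Run login_permitted against your current public address before you upload the file; a False result on your own address is the lockout described above.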
