Protecting WordPress Administration, or, DON’T GET HACKED!

One way of protecting wp-admin is by limiting the specific IP addresses that can access it. I found this simple solution here. It only helps if your addresses are static, and it relies on REMOTE_ADDR being the visitor's real address: as long as you are not behind a proxying service (a CDN or a DNS-based filtering service that relays traffic makes every request appear to come from the relay's own address, so the check would lock you out or let everyone in), edit the .htaccess file in your WordPress root thus (replace 123\.123\.123\.xxx with your own addresses, keeping the backslashes, which escape the dots in the regular expression):


<IfModule mod_rewrite.c>
RewriteEngine On
# Match the login page and anything under wp-admin. The trailing "(/|$)" matters:
# the dashboard URL is /wp-admin/, and a pattern ending in "wp-admin$" never matches it.
RewriteCond %{REQUEST_URI} /wp-login\.php [OR]
RewriteCond %{REQUEST_URI} /wp-admin(/|$)
# admin-ajax.php is called from the public site by themes and plugins, so leave it reachable.
RewriteCond %{REQUEST_URI} !/wp-admin/admin-ajax\.php
# Allow only these addresses. Anchored (^ and $) and dot-escaped, so 123.123.123.1210 or
# 123x123x123x121 cannot slip past the check.
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.121$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.122$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
# Everyone else gets 403 Forbidden ([F] is mod_rewrite's flag for that and implies [L]).
RewriteRule .* - [F]
</IfModule>

This will give anyone coming from another IP address a 403 Forbidden on the login page and the dashboard. Keep an exception for wp-admin/admin-ajax.php: themes and plugins call it from the public site for logged-out visitors, and a blanket block on wp-admin breaks them. Before you log out, confirm the rule from a non-listed address (a phone on mobile data will do) so a typo in the list does not lock you out of your own site.


Additionally, to turn away login POSTs that arrive without a Referer from your own site or with an empty User-Agent (the signature of crude brute-force and spam bots), add the following, replacing example.net with your own domain:


<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /wp-login\.php
# Bounce the request when the Referer is not this site OR the User-Agent is empty.
# The Referer pattern is anchored and has its dot escaped, so a referer such as
# http://example.net.attacker.invalid/ (which merely contains "example.net") does not pass.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.net/ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# Send the bot back to its own address instead of serving the login handler.
RewriteRule (.*) http://%{REMOTE_ADDR}/$1 [R=301,L]
</IfModule>

Note: to also help protect your WordPress site from comment spammers, change the REQUEST_URI condition so it matches both scripts:

RewriteCond %{REQUEST_URI} /(wp-comments-post|wp-login)\.php

Both headers are supplied by the client, so any bot that sets a plausible Referer and User-Agent walks straight through; treat this as a filter for lazy scripts, not a replacement for the IP allowlist above or for strong passwords. The Referer test also turns away legitimate users whose browser or privacy extension strips the header, since the server cannot tell them apart from bots.
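To see what the two rule sets above actually decide, and why the patterns need their anchors and escaped dots, here is an added example that is not part of the original post: a small Python model of the rule logic run over constructed requests. It assumes Python's re module behaves like mod_rewrite's PCRE for these simple patterns (RewriteCond patterns are unanchored searches, like re.search), that an absent header shows up as an empty string as it does in Apache, and that the addresses, the example.net domain and the sample requests are all made up. The "original" patterns are the ones from the post before correction.

```python
import re

# Constructed sample data (not real traffic): the addresses from the post and a
# fictional site domain. REMOTE_ADDR is compared as a literal string, exactly
# what the anchored, dot-escaped RewriteCond lines achieve.
ALLOWED_IPS = {"123.123.123.121", "123.123.123.122", "123.123.123.123"}

# The post's original REQUEST_URI patterns next to tightened ones.
# "^(.*)?wp-admin$" only matches a URI that ENDS in "wp-admin"; the dashboard is /wp-admin/.
ADMIN_URI_ORIGINAL = [r"^(.*)?wp-login\.php(.*)$", r"^(.*)?wp-admin$"]
ADMIN_URI_FIXED = [r"/wp-login\.php", r"/wp-admin(/|$)"]

# Referer check: unescaped dots and no anchors mean "any string containing
# example?net" passes; the fixed pattern requires the site as scheme+host.
REFERER_ORIGINAL = r".*example.net.*"
REFERER_FIXED = r"^https?://(www\.)?example\.net/"


def ip_allowlist_blocks(uri, remote_addr, uri_patterns=ADMIN_URI_FIXED):
    """Model of the first ruleset: True when the request would get a 403.

    (cond1 [OR] cond2) AND REMOTE_ADDR not in the allowlist, the same AND/OR
    grouping mod_rewrite applies to consecutive RewriteCond lines.
    """
    is_admin = any(re.search(p, uri) for p in uri_patterns)
    return bool(is_admin and remote_addr not in ALLOWED_IPS)


def post_guard_bounces(method, uri, referer, user_agent, referer_pattern=REFERER_FIXED):
    """Model of the second ruleset: True when the POST would be redirected away.

    POST AND uri is wp-login.php AND (Referer does not match [OR] User-Agent empty).
    """
    if method != "POST" or not re.search(r"/wp-login\.php", uri):
        return False
    bad_referer = not re.search(referer_pattern, referer, re.IGNORECASE)
    empty_ua = user_agent == ""
    return bad_referer or empty_ua


def demo():
    """Run constructed requests through both rule sets and collect the verdicts."""
    stranger = "198.51.100.7"                        # documentation-range address, not listed
    spoof = "http://example.net.attacker.invalid/"   # contains "example.net" but is not the site
    site_login = "https://example.net/wp-login.php"
    r = {}
    # 1. The original wp-admin pattern misses the dashboard URL itself; the fixed one does not.
    r["orig_blocks_dashboard"] = ip_allowlist_blocks("/wp-admin/", stranger, ADMIN_URI_ORIGINAL)
    r["fixed_blocks_dashboard"] = ip_allowlist_blocks("/wp-admin/", stranger)
    r["fixed_blocks_login"] = ip_allowlist_blocks("/wp-login.php?action=lostpassword", stranger)
    r["fixed_allows_listed_ip"] = ip_allowlist_blocks("/wp-admin/", "123.123.123.121")
    r["public_page_untouched"] = ip_allowlist_blocks("/2024/hello-world/", stranger)
    # 2. The unanchored Referer check is satisfied by any URL that merely contains "example.net".
    r["orig_bounces_spoofed_referer"] = post_guard_bounces("POST", "/wp-login.php", spoof, "curl/8.0", REFERER_ORIGINAL)
    r["fixed_bounces_spoofed_referer"] = post_guard_bounces("POST", "/wp-login.php", spoof, "curl/8.0")
    r["empty_ua_bounced"] = post_guard_bounces("POST", "/wp-login.php", site_login, "")
    r["legit_login_passes"] = post_guard_bounces("POST", "/wp-login.php", site_login, "Mozilla/5.0")
    # 3. The cost of the Referer rule: a real user whose browser strips Referer looks like a bot.
    r["no_referer_user_bounced"] = post_guard_bounces("POST", "/wp-login.php", "", "Mozilla/5.0")
    # 4. The second ruleset never touches GET requests.
    r["get_ignored"] = post_guard_bounces("GET", "/wp-login.php", "", "")
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32} {verdict}")
```

Running it prints a verdict per request; the two "orig_" entries are the ones that differ from what the post intends, which is why the patterns above were tightened. The "no_referer_user_bounced" entry is the trade-off to weigh before enabling the Referer rule on a site with users you cannot brief.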