protect wp-login.php and wp-admin using htaccess on a dynamic IP

January 2, 2013 MH Tech. Linux Admin 0

Please note, I did this using a linux client on a linux server.  My desktop is linux mint and the server is Centos.  You can do it on Windows and OS/X but I can’t advise sorry.  This is quick and dirty tutorial aimed at those familiar with command lines and server operation.   You need SSH access to the server you are running your blog from.

The Problem:

My wordpress blog is getting blitzed with attempts on my wp-login.php file and wp-admin folder.  I want to block all access to these areas unless it is coming from my computer.

I tried a number of methods,  including but not limited to logging all attempts and adding them to my firewall or htaccess file.  This is an ongoing task and not suitable for long term use.

I am on a dynamic IP that changes each time I log into the computer.  So blocking by IP was not practical.  However….

I now use a combination of SSH to create a proxy, foxyproxy to only use this proxy when navigating to my wordpress install and htaccess to block all ip’s except the servers IP.

The Solution:

Here is the list of steps to take.

1) Create the proxy.

create a file called ~/proxy.sh
add this line to it
ssh -C2qTnNv -D 8888 username@hostname.com
chmod o+x ~/proxy.sh

run the command

~/proxy.sh

2) Install foxyproxy
add the following rules
Proxy Details,  Tick the SOCKS proxy box and add 127.0.0.1 as the IP address and 8888 as the port number.
URL Patterns: as follows
*wp-login.php*
*/wp-admin/*

3) Edit the /.htaccess file and add the following lines.

<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from xxx.xxx.xxx.xxx
</Files>

in the wp-admin directory create a .htaccess file and add the following.

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “Access Control”
AuthType Basic
order deny,allow
deny from all
# whitelist home IP address
allow from xxx.xxx.xxx.xxx

In both .htaccess files obviously replace the xxx.xxx.xxx.xxx with the ip address of your server.

Notes:

Now when I access my blog login or wp-admin directory it goes through my proxy.  If I forget to start the proxy first I get a proxy error message.  Run the command ~/proxy.sh sorts this out.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.