One of my more popular websites is running WordPress. I use a specific security plugin to protect the site, and every once in a while I receive a notification from the plugin that somebody tried to access the administrator section of WordPress and was blocked. This functionality became even more important with the recent increase in attacks against WordPress. While my web server is already very secure thanks to Wiredtree (affiliate link), it is up to each webmaster like yourself to further protect your website based on the software you use.
There is nothing new about that hacking approach, but what makes this attack so different, and particularly dangerous, is that the attackers have some 90,000 unique IP addresses at their disposal. That is a sh!tload of IP addresses you would need to block, and if your site gets attacked, simply answering all those requests can add quite some load to your server. Load that will slow down your website.
Apparently one of my websites is now being targeted, because I received hundreds of attack notifications and every single one showed a different IP address. The pattern matched exactly what has been written about on quite a few websites. While I considered my website safe (strong password, security plugin, fully up to date), I figured it cannot hurt to be a bit more proactive. I did not want to be swamped with alerts, but I also wanted to keep the alerting in place.
I started with securing the wp-admin folder. However, there are at least two files inside that folder that need to stay accessible for your website to function correctly (admin-ajax.php and some CSS files). I was going to use .htaccess to secure the folder, so I had to come up with a plan to exclude those files from the protection.
Here are the steps to protect your wp-admin folder:
1. Log into cPanel. Under the Security section, click on "Password Protect Directories".
2. Select the Document Root for your domain, then click Go.
3. Select your wp-admin folder. Check "Password protect this directory", give it a name, then click Save. Then go back.
4. Specify a user name (do NOT use "admin") and a password. Feel free to use the password generator, but extend the password length to at least 12.
5. When done, add the user and test by trying to access your wp-admin folder. You should be prompted for a user ID and password.
At the moment we are blocking the entire content of the wp-admin folder. Remember that we need to white-list the admin-ajax.php file and some CSS files? Let's do that now. We need to open the .htaccess file that cPanel just created or modified inside the wp-admin folder. I am a big fan of Filezilla (FTP client), but you can also use the file manager inside cPanel. Open the file and add the following lines. The closing tags are required, and Satisfy Any is what lets the Allow rule override the password prompt for just these files on Apache 2.2 (on Apache 2.4 without mod_access_compat, the equivalent inside each block is Require all granted):
<Files "admin-ajax.php">
Satisfy Any
Allow from all
</Files>
<Files "*.css">
Satisfy Any
Allow from all
</Files>
Save the file, but also copy its content to the clipboard or into Notepad. We will need it for the next step. Re-upload the file in Filezilla. Now your wp-admin folder is fully password protected, but the important files are white-listed.
We should also protect the wp-login.php file. It is in the root of your WordPress installation. We will reuse some of the content from the .htaccess file we just edited. Why re-invent the wheel? We will use the same user ID, password, and resource name that we created earlier for the wp-admin folder.
Your website should already have a .htaccess file from when WordPress was installed. It is in the root of your website. Open it in Filezilla or through the cPanel file manager. Add the following lines, using the information from the other file.
Save the file and try to access the wp-login.php file. You should now be prompted for a user ID and password.
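For reference, this is what the wp-login.php block in the root .htaccess looks like. It is an added example, not text from the original post; the AuthName and AuthUserFile values are placeholders that must be replaced with the ones cPanel wrote into your wp-admin/.htaccess.

```apache
# Protect only wp-login.php with the same HTTP Basic auth realm that cPanel
# created for wp-admin; everything else in the site root stays public.
# Placeholders: copy AuthName and AuthUserFile from wp-admin/.htaccess.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Protected Area"
    AuthUserFile "/home/EXAMPLE_USER/.htpasswds/public_html/wp-admin/passwd"
    Require valid-user
</Files>

# Keep Apache's built-in 401 page so WordPress's rewrite rules do not try to
# serve the "Unauthorized" response through index.php.
ErrorDocument 401 default
```

After saving, request wp-login.php in a browser: you should get the credentials prompt, while the rest of the site still loads without one.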
Combine this security hack with one of the many WordPress security plugins (I am using one called "Wordfence") and you can sleep like a baby at night. Do not use more than one security plugin at a time though; this might cause conflicts. I would also recommend that you document the steps shown above. That will help you recreate them in the future should you accidentally delete your .htaccess file, for example. It also helps with keeping track of the passwords. For passwords I use a tool called Roboform to reduce the need to remember complex passwords, so I have no trouble using super-complex passwords for things like securing the wp-admin folder.
And since this very website is powered by WordPress, I have implemented the same protection here. It just makes me sleep better at night. 😉 Below is a screenshot of how often my wp-login.php was accessed this month, before I implemented the new layer of security. The screenshot shows just two days of traffic (June 2013).