Difference between revisions of "Restrict Access to wp-login.php and xmlrpc.php"

Revision as of 01:49, 9 December 2020

Restrict Access to wp-login.php and xmlrpc.php

Wordpress Security alert!! Stop getting hacked by restricting access to wp-login.php and xmlrpc.php.

Access your .htaccess file in your html directory

vim /var/www/html/.htaccess

Now we have options:

You can get your ip address by visiting: https://briansnelson.com/ip/

Single IP address access:

Add the following, don't forget to replace the ip address with your own

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?xmlrpc\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(.*)$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

Multiple IP address access:

Add the following, don't forget to replace the ip address with your own

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?xmlrpc\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.124$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.125$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

Side note, I would also allow your server's ip address, as some wp-cron.php scripts require access to xmlrpc.php