Difference between revisions of "Restrict Access to wp-login.php and xmlrpc.php"

From Brian Nelson Ramblings
(Created page with "==Restrict Access to wp-login.php and xmlrpc.php== Wordpress Security alert!! Stop getting hacked by restricting access to wp-login.php and xmlrpc.php. Access your .htaccess...")
 
(Multiple IP address access:)
 
(One intermediate revision by the same user not shown)
Line 19: Line 19:
 
  RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
 
  RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
 
  RewriteCond %{REQUEST_URI} ^(.*)?xmlrpc\.php(.*)$ [OR]
 
  RewriteCond %{REQUEST_URI} ^(.*)?xmlrpc\.php(.*)$ [OR]
  RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
+
  RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(.*)$
 
  RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
 
  RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
 
  RewriteRule ^(.*)$ - [R=403,L]
 
  RewriteRule ^(.*)$ - [R=403,L]
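Review bot: the widened `RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(.*)$` now denies every URI that contains wp-admin, which includes /wp-admin/admin-ajax.php, the endpoint themes and plugins call from the front end for ordinary visitors; either add an exempting condition such as `RewriteCond %{REQUEST_URI} !admin-ajax\.php` ahead of the REMOTE_ADDR check, or note in the page that those front-end features will break for addresses outside the allow-list. The old `^(.*)?wp-admin$` only matched a URI ending exactly in wp-admin, so /wp-admin/ itself was never blocked; the change closes that gap, but the leading `(.*)?` is redundant and a plain `wp-admin` would match the same URIs.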
Line 32: Line 32:
 
  RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
 
  RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
 
  RewriteCond %{REQUEST_URI} ^(.*)?xmlrpc\.php(.*)$ [OR]
 
  RewriteCond %{REQUEST_URI} ^(.*)?xmlrpc\.php(.*)$ [OR]
  RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
+
  RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(.*)$
 
  RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
 
  RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
 
  RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.124$
 
  RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.124$
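Review bot: the two `RewriteCond %{REMOTE_ADDR} !^...$` lines are ANDed, so a request is refused only when it comes from neither listed address, which is the intended allow-list semantics; the caveat worth stating next to this block is that REMOTE_ADDR is the TCP peer address, so behind a reverse proxy, load balancer or CDN it holds the proxy's address and every visitor, allowed or not, is treated alike. If the site sits behind such a layer, the forwarded client address has to be restored first (for example with mod_remoteip) before this rule gives any protection.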

Latest revision as of 01:49, 9 December 2020

Restrict Access to wp-login.php and xmlrpc.php

WordPress security alert!! Stop getting hacked by restricting access to wp-login.php and xmlrpc.php.

Open the .htaccess file in your html directory:

vim /var/www/html/.htaccess

Now you have two options, depending on how many IP addresses need access.

You can find your own IP address by visiting: https://briansnelson.com/ip/

Single IP address access:

Add the following; don't forget to replace the IP address with your own:

<IfModule mod_rewrite.c>
RewriteEngine on
# Match the login page, the XML-RPC endpoint, or anything under wp-admin ([OR] chains these three)
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?xmlrpc\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(.*)$
# ...and the client is NOT your IP address (replace 123.123.123.123)
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
# Answer 403 Forbidden and stop processing further rules
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

Multiple IP address access:

Add the following; don't forget to replace the IP addresses with your own:

<IfModule mod_rewrite.c>
RewriteEngine on
# Match the login page, the XML-RPC endpoint, or anything under wp-admin ([OR] chains these three)
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?xmlrpc\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(.*)$
# ...and the client is NONE of your IP addresses (conditions without [OR] are ANDed;
# add one line per address you want to allow)
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.124$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.125$
# Answer 403 Forbidden and stop processing further rules
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
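To check what this ruleset will accept and deny before touching a live .htaccess, here is a small added Python evaluator (not part of the original page) that parses the RewriteCond lines above and applies mod_rewrite's [OR]/AND chaining to sample requests; the allow-listed 123.123.123.x addresses and the 203.0.113.9 visitor address are constructed sample values.

```python
import re

# Constructed copy of the page's "multiple IP" rules (sample allow-listed addresses).
HTACCESS = r"""
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?xmlrpc\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(.*)$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.124$
RewriteRule ^(.*)$ - [R=403,L]
"""

COND_RE = re.compile(r'^RewriteCond\s+%\{(\w+)\}\s+(\S+)(?:\s+\[([^\]]*)\])?$')

def parse_conds(text):
    """Return (variable, negated, pattern, or_flag) for each RewriteCond line."""
    conds = []
    for line in text.splitlines():
        m = COND_RE.match(line.strip())
        if not m:
            continue  # RewriteEngine / RewriteRule lines carry no condition
        var, pat, flags = m.groups()
        negated = pat.startswith('!')
        or_flag = 'OR' in (flags or '').upper().split(',')
        conds.append((var, negated, pat[1:] if negated else pat, or_flag))
    return conds

def rule_fires(conds, request):
    """mod_rewrite chaining: a condition tagged [OR] forms a group with the next
    one; groups are ANDed, and the RewriteRule applies only if all are true."""
    result, group = True, False
    for var, negated, pat, or_flag in conds:
        matched = re.search(pat, request[var]) is not None
        group = group or (matched != negated)   # a leading '!' inverts the match
        if not or_flag:                          # group closed: AND it in
            result, group = result and group, False
    return result

def status_for(conds, uri, remote_addr):
    """403 when the page's rule would deny this request, else 200."""
    req = {'REQUEST_URI': uri, 'REMOTE_ADDR': remote_addr}
    return 403 if rule_fires(conds, req) else 200

if __name__ == '__main__':
    conds = parse_conds(HTACCESS)
    for uri, ip in [('/wp-login.php', '203.0.113.9'), ('/wp-login.php', '123.123.123.124'),
                    ('/wp-admin/admin-ajax.php', '203.0.113.9'), ('/index.php', '203.0.113.9')]:
        print(uri, ip, status_for(conds, uri, ip))
```

Running it also shows why the revision changed `wp-admin$` to `wp-admin(.*)$`: the older pattern left /wp-admin/ unguarded, while the new one also catches /wp-admin/admin-ajax.php, which front-end plugin features depend on.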

Side note: I would also allow your server's IP address, as some wp-cron.php scripts require access to xmlrpc.php.