Difference between revisions of "Restrict Access to wp-login.php and xmlrpc.php"
From Brian Nelson Ramblings
(Created page with "==Restrict Access to wp-login.php and xmlrpc.php== Wordpress Security alert!! Stop getting hacked by restricting access to wp-login.php and xmlrpc.php. Access your .htaccess...") |
(→Multiple IP address access:) |
(One intermediate revision by the same user not shown) | |||
Line 19: | Line 19: | ||
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR] | RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR] | ||
RewriteCond %{REQUEST_URI} ^(.*)?xmlrpc\.php(.*)$ [OR] | RewriteCond %{REQUEST_URI} ^(.*)?xmlrpc\.php(.*)$ [OR] | ||
− | RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$ | + | RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(.*)$ |
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$ | RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$ | ||
RewriteRule ^(.*)$ - [R=403,L] | RewriteRule ^(.*)$ - [R=403,L] | ||
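Review bot: The widened pattern on the changed line, ^(.*)?wp-admin(.*)$, is unanchored on both sides, so it matches every URI that contains the string wp-admin, including /wp-admin/admin-ajax.php, which themes and plugins call from visitors' browsers. Those requests now get the 403 unless they come from 123.123.123.123. Assuming WordPress sits at the document root, consider anchoring to the directory, for example ^/wp-admin(/|$), and adding a negated condition that exempts admin-ajax.php.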
Line 32: | Line 32: | ||
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR] | RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR] | ||
RewriteCond %{REQUEST_URI} ^(.*)?xmlrpc\.php(.*)$ [OR] | RewriteCond %{REQUEST_URI} ^(.*)?xmlrpc\.php(.*)$ [OR] | ||
− | RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$ | + | RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(.*)$ |
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$ | RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$ | ||
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.124$ | RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.124$ |
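Review bot: The allowlist in this block is a chain of negated REMOTE_ADDR conditions (123.123.123.123, 123.123.123.124) that only works while none of them carries [OR], and nothing in the block says so. If the flag were copied down from the URI conditions above, the rule would deny everyone, because every client differs from at least one listed address. A single condition such as RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.(123|124)$ avoids that trap and is easier to extend.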
Latest revision as of 01:49, 9 December 2020
Restrict Access to wp-login.php and xmlrpc.php
WordPress security alert! Stop getting hacked by restricting access to wp-login.php and xmlrpc.php.
Open the .htaccess file in your html directory:
vim /var/www/html/.htaccess
Now we have options:
You can get your IP address by visiting: https://briansnelson.com/ip/
Single IP address access:
Add the following, and don't forget to replace the IP address with your own:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?xmlrpc\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(.*)$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
Multiple IP address access:
Add the following, and don't forget to replace the IP addresses with your own:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?xmlrpc\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(.*)$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.124$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.125$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
Side note: I would also allow your server's IP address, as some wp-cron.php scripts require access to xmlrpc.php.
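To check which requests the multiple-IP rules above will refuse before deploying them, the following added example (not part of the original page) models in Python how mod_rewrite combines the conditions: those linked by [OR] form a group, and the groups are ANDed. The function names, the client addresses 203.0.113.7 and 198.51.100.10, and the sample URIs are constructed for illustration, and the model assumes REQUEST_URI is the request path and REMOTE_ADDR is the directly connecting client.

```python
import re

# The page's multiple-IP ruleset as (variable, pattern, has_or_flag).
# A leading "!" negates the pattern, as in a RewriteCond.
CONDITIONS = [
    ("REQUEST_URI", r"^(.*)?wp-login\.php(.*)$", True),
    ("REQUEST_URI", r"^(.*)?xmlrpc\.php(.*)$", True),
    ("REQUEST_URI", r"^(.*)?wp-admin(.*)$", False),
    ("REMOTE_ADDR", r"!^123\.123\.123\.123$", False),
    ("REMOTE_ADDR", r"!^123\.123\.123\.124$", False),
    ("REMOTE_ADDR", r"!^123\.123\.123\.125$", False),
]

def cond_matches(pattern, value):
    """Evaluate one condition, honouring the "!" negation prefix."""
    negate = pattern.startswith("!")
    hit = re.search(pattern[1:] if negate else pattern, value) is not None
    return hit != negate

def rule_fires(request, conditions=CONDITIONS):
    """True when every [OR]-linked group has at least one matching condition."""
    group_ok = False
    for var, pattern, or_next in conditions:
        group_ok = group_ok or cond_matches(pattern, request[var])
        if not or_next:          # group ends here; groups are ANDed
            if not group_ok:
                return False
            group_ok = False
    return True

def status(uri, ip):
    """'403' if the RewriteRule would run for this request, else 'pass'."""
    fired = rule_fires({"REQUEST_URI": uri, "REMOTE_ADDR": ip})
    return "403" if fired else "pass"

# Constructed sample requests (documentation-range client addresses).
SAMPLES = [
    ("/wp-login.php", "123.123.123.124"),         # allowlisted admin
    ("/wp-login.php", "203.0.113.7"),             # anyone else
    ("/wp-admin/admin-ajax.php", "203.0.113.7"),  # front-end AJAX call
    ("/2020/12/hello-world/", "203.0.113.7"),     # ordinary page view
    ("/xmlrpc.php", "198.51.100.10"),             # server's own IP, not listed
]

if __name__ == "__main__":
    for uri, ip in SAMPLES:
        print(f"{status(uri, ip):4}  {ip:16} {uri}")
```

The last two samples show the cases most likely to surprise: front-end calls to admin-ajax.php are refused along with the rest of wp-admin, and the server's own requests to xmlrpc.php are refused until its address is added to the list.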