Restrict Access to wp-login.php and xmlrpc.php
From Brian Nelson Ramblings
Contents
Restrict Access to wp-login.php and xmlrpc.php
Wordpress Security alert!! Stop getting hacked by restricting access to wp-login.php and xmlrpc.php.
Access your .htaccess file in your html directory
vim /var/www/html/.htaccess
Now we have options:
You can get your ip address by visiting: https://briansnelson.com/ip/
Single IP address access:
Add the following, don't forget to replace the ip address with your own
<IfModule mod_rewrite.c> RewriteEngine on RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR] RewriteCond %{REQUEST_URI} ^(.*)?xmlrpc\.php(.*)$ [OR] RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(.*)$ RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$ RewriteRule ^(.*)$ - [R=403,L] </IfModule>
Multiple IP address access:
Add the following, don't forget to replace the ip address with your own
<IfModule mod_rewrite.c> RewriteEngine on RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR] RewriteCond %{REQUEST_URI} ^(.*)?xmlrpc\.php(.*)$ [OR] RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$ RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$ RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.124$ RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.125$ RewriteRule ^(.*)$ - [R=403,L] </IfModule>
Side note, I would also allow your server's ip address, as some wp-cron.php scripts require access to xmlrpc.php