Restrict Access to wp-login.php and xmlrpc.php

From Brian Nelson Ramblings
Revision as of 01:49, 9 December 2020 by Brian (Talk | contribs) (Multiple IP address access:)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Restrict Access to wp-login.php and xmlrpc.php

Wordpress Security alert!! Stop getting hacked by restricting access to wp-login.php and xmlrpc.php.

Access your .htaccess file in your html directory 

vim /var/www/html/.htaccess

Now we have options:

You can get your ip address by visiting: https://briansnelson.com/ip/

Single IP address access:

Add the following, don't forget to replace the ip address with your own 

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?xmlrpc\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(.*)$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

Multiple IP address access:

Add the following, don't forget to replace the ip address with your own 

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?xmlrpc\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(.*)$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.124$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.125$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

Side note, I would also allow your server's ip address, as some wp-cron.php scripts require access to xmlrpc.php

Retrieved from "https://briansnelson.com/index.php?title=Restrict_Access_to_wp-login.php_and_xmlrpc.php&oldid=1043"