I'm maintaining a lot of WordPress based sites, and almost daily there is a brute force attack on one of them. The target of these attacks is the wp-login.php file. There are a lot of solutions to protect this file by limiting access to it with a separate password or by manually adding allowed IP addresses, but changing them all the time is not an option for me.
So how did I solve this? By automagisation! ;)
The main point is to modify the .htaccess file so that it has an access rule like:
<Files wp-login.php>
Order deny,allow
Deny from all
Allow from 18.104.22.168
</Files>
This rule denies access to everyone and allows only the single IP address listed.
But we need to change that IP automatically, wherever we are. My solution is a PHP script that checks my current IP and writes it into the .htaccess file. And by adding a little bit of magic I can reach wp-login.php with only one click! How?
- I open the my-wordpress-site.com/magical-login.php URL
- magical-login.php checks my current IP and writes it into the access rule
- magical-login.php redirects me to wp-login.php, which is now accessible to me
And of course nobody knows that the magical-login.php file exists. I can change the filename to whatever I want.
You probably want to know what magical-login.php contains. Here it is:
<?php
// magical-login.php: whitelist the visitor's IP address for wp-login.php, then redirect there.

// Read the current content of .htaccess. file_get_contents() also copes with an
// empty file, where fread() with filesize() would read nothing and fail.
$content = file_get_contents(".htaccess");
if ($content === false) {
    $content = "";
}

// Remove the old access rule for wp-login.php. The quantifier is non-greedy so
// that only that one <Files> block is removed, not everything up to the last one.
$content = preg_replace("/<Files wp-login\.php>.*?<\/Files>\s*/s", "", $content);

// Determine the current IP address. The two headers are only meaningful when the
// site sits behind a trusted proxy; REMOTE_ADDR is the address the web server saw.
if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
    $ip = $_SERVER['HTTP_CLIENT_IP'];
} elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    // X-Forwarded-For may be a comma-separated chain; the first entry is the client.
    $ip = trim(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'])[0]);
} else {
    $ip = $_SERVER['REMOTE_ADDR'];
}

// The value is written into .htaccess, so accept only a syntactically valid IP address.
if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
    header('HTTP/1.1 400 Bad Request');
    exit('Could not determine a valid IP address');
}

// Create the new access rule with the new IP address (the blank line keeps a
// newline between </Files> and the rest of the file).
$rule = <<<RULE
<Files wp-login.php>
Order deny,allow
Deny from all
Allow from $ip
</Files>

RULE;

// Write the new .htaccess content, with the rule at the top, under an exclusive lock.
file_put_contents(".htaccess", $rule . $content, LOCK_EX);

// Redirect to wp-login.php.
header('Location: wp-login.php');
?>
Make sure your web server has write permission to the .htaccess file.
Just drop your PHP file into the same folder as wp-login.php and open it in your browser. It will add the access rule to the top of the .htaccess file and you are done. Next time, just forget about wp-login.php and use the file you created.
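Since the helper file rewrites a server configuration file from request data, it is worth closing the two gaps the simple version leaves open: the file name is its only protection, and the forwarded-IP headers are set by whoever sends the request. The following hardened variant is an added example and not the original post's script. It assumes the file is saved as secret-login.php, that SECRET_TOKEN is replaced with a long random value of your own, and that TRUSTED_PROXIES lists the reverse-proxy addresses (if any) that are allowed to set X-Forwarded-For; all three names are this example's own.

```php
<?php
// secret-login.php: hardened IP-whitelisting helper for wp-login.php (added example).
// Assumptions: SECRET_TOKEN is replaced by your own random value and TRUSTED_PROXIES
// lists your reverse proxies (empty when the web server faces clients directly).

const SECRET_TOKEN    = 'REPLACE-WITH-A-LONG-RANDOM-VALUE';  // placeholder, generate your own
const TRUSTED_PROXIES = [];                                  // e.g. ['10.0.0.5'] behind a proxy
const HTACCESS        = __DIR__ . '/.htaccess';

// 1. Require a shared secret, so an unguessable file name is not the only protection.
$token = $_GET['token'] ?? '';
if (!is_string($token) || !hash_equals(SECRET_TOKEN, $token)) {
    header('HTTP/1.1 404 Not Found');   // looks the same as a file that does not exist
    exit;
}

// 2. Use the address the web server itself saw. Consult X-Forwarded-For only when
//    the direct peer is a proxy we control, and then take the client-most entry.
$ip = $_SERVER['REMOTE_ADDR'] ?? '';
if (in_array($ip, TRUSTED_PROXIES, true) && !empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $ip = trim(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'])[0]);
}

// 3. Validate before the value goes anywhere near .htaccess: only a syntactically
//    valid IPv4/IPv6 address is accepted, so nothing else can end up in the rule.
if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
    header('HTTP/1.1 400 Bad Request');
    exit('Could not determine a valid client address');
}

// 4. Rewrite .htaccess under an exclusive lock, replacing any previous rule, so two
//    overlapping requests cannot leave a half-written file behind.
$fh = fopen(HTACCESS, 'c+');   // read/write, create if missing, do not truncate yet
if ($fh === false || !flock($fh, LOCK_EX)) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('Cannot open .htaccess');
}
$content = stream_get_contents($fh);
$content = preg_replace('/<Files wp-login\.php>.*?<\/Files>\s*/s', '', $content);

// Apache 2.2 style directives, as in the post; on Apache 2.4 the equivalent single
// line inside <Files> would be "Require ip {$ip}".
$rule = "<Files wp-login.php>\n"
      . "Order deny,allow\n"
      . "Deny from all\n"
      . "Allow from {$ip}\n"
      . "</Files>\n";

rewind($fh);
ftruncate($fh, 0);
fwrite($fh, $rule . $content);
fflush($fh);
flock($fh, LOCK_UN);
fclose($fh);

// 5. Leave a trace in the server's error log: which address was whitelisted and when.
error_log(sprintf('secret-login: whitelisted %s for wp-login.php at %s', $ip, gmdate('c')));

header('Location: wp-login.php');
exit;
```

Open it as https://my-wordpress-site.com/secret-login.php?token=YOUR-VALUE; a request without the right token gets the same 404 as a file that is not there. A suitable token can be generated once with `php -r 'echo bin2hex(random_bytes(32));'`. Keeping TRUSTED_PROXIES empty unless the site really sits behind a proxy is the important choice: it means a visitor cannot pick the address that ends up in the rule simply by adding a header to the request.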