I maintain a lot of WordPress-based sites, and almost daily one of them is hit by a brute-force attack. The target of these attacks is the wp-login.php file. There are plenty of ways to protect this file by limiting access to it: HTTP basic auth with a separate password, or a manually maintained list of allowed IP addresses. Updating that list by hand every time my address changes is not an option for me.
So how did I solve this? By automagisation! 😉
The main point is to modify the .htaccess file so that it carries an access rule like this:
<Files wp-login.php>
    Order deny,allow
    Deny from all
    Allow from 18.104.22.168
</Files>
This rule denies access to wp-login.php from everyone and allows it only from the IP 18.104.22.168. Note that Order/Deny/Allow is the Apache 2.2 syntax; on Apache 2.4 it only works with mod_access_compat loaded, otherwise the equivalent is a Require ip directive.
But the IP has to change automatically, wherever I happen to be. My solution is a PHP script that looks up my current IP and writes it into the .htaccess rule. With a little bit of extra magic I can reach wp-login.php with a single click. How?
- I open my-wordpress-site.com/magical-login.php
- magical-login.php reads my current IP and writes it into the access rule
- magical-login.php redirects me to wp-login.php, which is now accessible from my IP
And of course nobody else is supposed to know that magical-login.php exists; I can name the file whatever I want. Keep in mind that the name is the only thing protecting this script: anyone who learns the URL (from a browser history, a proxy log or a Referer header) can add their own IP to the rule. So pick a name that cannot be guessed, and make sure the script never writes anything but a real IP address into .htaccess.
You probably want to know what this magical-login.php contains. Here it is:
<?php
// read the current content of .htaccess
$content = file_get_contents(".htaccess");

// remove the old access rule for wp-login.php
// (non-greedy .*? so a later <Files> block in the same file is not swallowed too)
$content = preg_replace('/<Files wp-login\.php>.*?<\/Files>\s*/s', "", $content);

// find the current IP address
// (HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are request headers supplied by the
//  client; they are only trustworthy when the site sits behind a proxy you control)
if (!empty($_SERVER['HTTP_CLIENT_IP']))
    $ip = $_SERVER['HTTP_CLIENT_IP'];
elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
    $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
else
    $ip = $_SERVER['REMOTE_ADDR'];

// only a literal IP address may be written into .htaccess; anything else
// ("all", a hostname, a comma-separated list, a second directive) is refused
if (filter_var($ip, FILTER_VALIDATE_IP) === false)
    die("not a valid IP address");

// build the new access rule with the new IP address
// (the empty line before the closing identifier keeps a newline after </Files>)
$rule = <<<rule
<Files wp-login.php>
    Order deny,allow
    Deny from all
    Allow from $ip
</Files>

rule;

// write the new rule on top of the old content; LOCK_EX serialises concurrent writers
file_put_contents(".htaccess", $rule . $content, LOCK_EX);

// redirect to wp-login.php, which is now open for this IP
header('Location: wp-login.php');
exit;
?>
Make sure the webserver has write permission to the .htaccess file (it needs nothing else in that folder to be writable).
Just drop the PHP file into the same folder as wp-login.php and open it in your browser. It adds the access rule at the top of the .htaccess file and you are done. From then on forget about wp-login.php and use the file you created instead.
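For anyone who does not want the file name to be the only protection, here is a hardened variant of the same one-click idea. This is an added example written for this page, not the script from the post: it requires a shared secret in the URL (so the bookmark becomes magical-login.php?t=<token>), honours X-Forwarded-For only when the request arrives from a proxy you list, refuses anything that is not a literal IP address, and writes the Apache 2.4 Require ip form of the rule. LOGIN_TOKEN, TRUSTED_PROXIES, the 203.0.113.10 proxy address and the function names client_ip and rewrite_rule are all assumptions of this example; replace the token with your own long random string, and swap the rule body for Order/Deny/Allow if your server still runs Apache 2.2.

```php
<?php
// Hardened one-click allow-list script (added example, not the original post's code).
// Assumptions, not from the original: LOGIN_TOKEN, TRUSTED_PROXIES and the
// Apache 2.4 "Require ip" rule form.
declare(strict_types=1);

const LOGIN_TOKEN     = 'replace-with-a-long-random-string'; // assumption: choose your own
const TRUSTED_PROXIES = ['203.0.113.10'];                    // assumption: your reverse proxy, if any
const HTACCESS        = __DIR__ . '/.htaccess';
const RULE_START      = '<Files wp-login.php>';
const RULE_END        = '</Files>';

/** Return the client IP, trusting X-Forwarded-For only when a listed proxy sent the request. */
function client_ip(array $server, array $trustedProxies): ?string
{
    $ip = $server['REMOTE_ADDR'] ?? '';
    if (in_array($ip, $trustedProxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // the leftmost entry is the original client; the proxy appended the rest
        $ip = trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
    }
    // Reject anything that is not a literal address. This is what stops a request
    // carrying "X-Forwarded-For: all" from turning the rule into "Require ip all".
    return filter_var($ip, FILTER_VALIDATE_IP) !== false ? $ip : null;
}

/** Drop any previous wp-login.php block (non-greedy, so other <Files> blocks survive) and prepend a new one. */
function rewrite_rule(string $htaccess, string $ip): string
{
    $pattern = '/' . preg_quote(RULE_START, '/') . '.*?' . preg_quote(RULE_END, '/') . '\s*/s';
    $without = preg_replace($pattern, '', $htaccess);
    $rule    = RULE_START . "\n    Require ip " . $ip . "\n" . RULE_END . "\n";
    return $rule . $without;
}

// --- request handling ---
if (!hash_equals(LOGIN_TOKEN, (string) ($_GET['t'] ?? ''))) {
    http_response_code(404); // wrong or missing token looks like a missing file
    exit;
}

$ip = client_ip($_SERVER, TRUSTED_PROXIES);
if ($ip === null) {
    http_response_code(400);
    exit('could not determine a valid client address');
}

$current = is_file(HTACCESS) ? (string) file_get_contents(HTACCESS) : '';
// LOCK_EX serialises concurrent writers so two requests cannot interleave their writes
if (file_put_contents(HTACCESS, rewrite_rule($current, $ip), LOCK_EX) === false) {
    http_response_code(500);
    exit('could not write .htaccess');
}

header('Location: wp-login.php', true, 302);
exit;
```

Because the token travels in the URL, only ever open this link over HTTPS, and treat the bookmark like a password. With no proxy in front of the site, leave TRUSTED_PROXIES empty and the script will only ever use REMOTE_ADDR, which the client cannot spoof.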