WordPress Ultimate Security

As WordPress gained popularity, the company started receiving dozens of security alerts every day, showing that a variety of attempts were being made to access the administrative sections of our WordPress sites. The sites were already protected by a variety of security plugins, but the recent increase in attacks was worrying, and the number of attempts was certainly not going to decrease.

One of the excellent features of WordPress is that you can log in from anywhere and on any device to create posts. But none of our installations took advantage of this feature, as all content was posted from a central office. So the best improvement to the security of our sites would be to remove the ability to access the administrative functions from anywhere.

With a fairly simple edit to a server file (the .htaccess file in the WordPress admin directory), we are able to restrict access to a pre-approved list of machines. This method is better than any of the WordPress security plugins because the web server rejects the request before WordPress runs, so no calls are made to the database. It eliminates that traffic and the database calls, and simply denies every IP address except the approved, whitelisted machines.

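# Block access to wp-admin.
# 999.99.999.99 is a placeholder; replace each entry with a real IP address.
# Deny rules are evaluated first, then allow rules; a matching allow wins.
order deny,allow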
#whitelist Head Office
allow from 999.99.999.99

#whitelist Webdev Office
allow from 999.99.999.99
allow from 999.99.999.99

#whitelist Consultant Home
allow from 999.99.999.99

#Whitelist UK Consultant Office
allow from 999.99.999.99

deny from all

Sample .htaccess code to restrict access to the WordPress admin directory

After implementing this change, security alerts dropped to zero!
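The same allowlist in Apache 2.4 syntax, as an added example that is not part of the original post: Apache 2.4 replaces order/allow/deny with the Require directive from mod_authz_host, and the older directives work there only through mod_access_compat. The addresses are RFC 5737 documentation placeholders, and the wp-login.php and admin-ajax.php sections are assumptions about what a typical install also needs, not settings taken from the sites described above.

```apache
# ---- File 1: wp-admin/.htaccess (Apache 2.4) ----
# Added example. All addresses below are constructed placeholders from the
# RFC 5737 documentation ranges; replace them with the real office addresses.

# Several Require lines with no container are combined as "any of these":
# a client is admitted if it matches one entry, everyone else receives 403.

# Head Office
Require ip 192.0.2.10

# Webdev Office (a CIDR range covers a whole office subnet in one line)
Require ip 198.51.100.0/28

# Consultant Home
Require ip 203.0.113.25

# admin-ajax.php sits inside wp-admin but is also requested by visitors'
# browsers when a theme or plugin uses front-end AJAX. Keep this section only
# if the public site depends on it; otherwise delete it so the file stays
# covered by the allowlist above.
<Files "admin-ajax.php">
    Require all granted
</Files>

# ---- File 2: .htaccess in the WordPress root ----
# The login form (wp-login.php) lives in the site root, not in wp-admin, so
# the rules above do not cover it. Repeat the same allowlist here.
<Files "wp-login.php">
    Require ip 192.0.2.10
    Require ip 198.51.100.0/28
    Require ip 203.0.113.25
</Files>
```

To check the result, request /wp-admin/ and /wp-login.php from a machine that is not on the list and confirm the server answers 403 Forbidden, then confirm an approved machine can still log in.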


February 5, 2014