Join Jeff Starr for an in-depth discussion in this video, Control admin access, part of WordPress: Developing Secure Sites.
- [Narrator] In this video, we improve security by preventing all unauthorized access to the WordPress admin area. We do this using a small amount of .htaccess code, which provides strong, flexible protection against malicious attacks. Here we are in our code editor looking at the files in our default WordPress installation. Here's the directory we want to protect. The wp-admin directory contains the code used to display the WordPress admin area and includes a lot of sensitive functionality.
To secure this entire directory, grab a copy of the blank .htaccess file that's included with this course and paste it into the wp-admin directory so it looks like this. Next, copy the first .htaccess snippet from the exercise files as shown here and paste it anywhere near the top of the .htaccess file, before any existing .htaccess rules. Before uploading the file to the server, we want to edit the IP addresses to match our own.
Your IP information is readily available online. Just do a quick search for "what's my IP", then copy the IP address, return to the .htaccess file, and paste it into both locations. Here and here. Then save the file and upload it to the server. With this code in place, all requests that are not from the specified IP address are going to be denied access to anything in the admin area except for the login page, which is not included in the wp-admin directory.
Instead, the login page is included in the WordPress root directory as seen here. So to also secure this file, we want to add another code snippet to the .htaccess file that is located in the WordPress root directory right here. As before, if this .htaccess file does not exist, you can grab a copy of the blank .htaccess file that's included with the exercise files for this course. Once the WordPress .htaccess file is in place, we want to copy our second code snippet and paste it anywhere near the top of the file, before any other .htaccess rules.
Again, make sure to replace each of the example IP addresses with your own. Then save the file and upload it to the server. With our two code snippets now in place, only visitors coming from the specified IP address will have access to the admin and login files. If you have more than one IP address that needs access, you can allow them by duplicating the lines and then editing the IP address to whatever is needed.
You can do this to allow as many IPs as is required. Just remember to make the changes in both .htaccess files. Here, and also in the .htaccess file located in the wp-admin directory here, so that the IP addresses match up in both files. Once you've added the desired IPs to both .htaccess files, the admin area is pretty much locked down except for plugin and theme files, which exist outside of the wp-admin directory.
To see how the .htaccess code protects the admin area against unwanted access, let's try visiting the site from a proxy server. There are many free proxy services available online. For example, here's a free proxy service that's currently working, so let's try accessing the login page by entering its URL and clicking the button. Nice. Just what we want. See the message at the top here? That means we are denied access to the login page, so the .htaccess protection is working great.
We can also check the wp-admin directory by requesting the following URL, and it returns the same "403 Forbidden" response, so we know the technique is working. But do we still have access from our own IP address? Let's try visiting the login page without a proxy to find out. Here we are at the login page, entering the URL directly with no proxy service. We click login with our credentials and, yup, we're all set. We continue to enjoy full access from our own IP address.
The admin area is now much more secure with this technique in place. Just remember, if your IP address ever changes, you will need to edit the two .htaccess files accordingly. In this video, we've better secured the WordPress admin area by protecting the login page and all of the files in the wp-admin directory, which is a very critical part of any WordPress site.
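The two .htaccess snippets the narration walks through, written out as an added example (not the course's exercise files): an IP allowlist for the whole wp-admin directory and a second one for wp-login.php in the WordPress root. The addresses 203.0.113.10 and 198.51.100.25 are constructed placeholders from the documentation ranges; the admin-ajax.php exception is an assumption about the site, since front-end plugins on some sites call that file for anonymous visitors and would otherwise receive the 403.

```apache
# --- wp-admin/.htaccess (placed at the top, before any other rules) ---
# Apache 2.4+ uses mod_authz_core; the second block keeps Apache 2.2 working.
<IfModule mod_authz_core.c>
    Require ip 203.0.113.10
    Require ip 198.51.100.25
</IfModule>
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.10
    Allow from 198.51.100.25
</IfModule>
# Assumed site-specific exception: re-open admin-ajax.php for everyone if
# front-end plugins need it. Remove this block if the site does not.
<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Allow from all
        Satisfy any
    </IfModule>
</Files>

# --- .htaccess in the WordPress root (also near the top) ---
# Only the login script is restricted here; the rest of the site stays public.
<Files wp-login.php>
    <IfModule mod_authz_core.c>
        Require ip 203.0.113.10
        Require ip 198.51.100.25
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
        Allow from 203.0.113.10
        Allow from 198.51.100.25
    </IfModule>
</Files>
```

To add another allowed address, duplicate one `Require ip` (or `Allow from`) line in both files; a request from any other address gets the "403 Forbidden" seen in the proxy test.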