DIGIPOWER Tutorials

Prevent unauthorized WordPress wp-admin and wp-login.php attempts

Last updated
6th of August, 2015

In this article I'll show you how to lock down and password protect your WordPress website from invalid login attempts. We'll do this by limiting access to the /wp-admin directory and the wp-login.php script.

This guide was written in response to the WordPress wp-login.php brute force attack of April 2013.

Password protect WordPress logins

Using the steps below, I'll show you how to create password protection for your /wp-admin directory. We'll also copy those rules over to protect your wp-login.php script to keep WordPress as safe as possible.

If you get a redirect loop, make sure these ErrorDocument directives are in your .htaccess file:

ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"

Please also make sure to allow /wp-admin/admin-ajax.php requests without password protection.

  1. Under the Security section, click on Password Protect Directories.
  2. Select the Document Root for your domain, then click Go.
  3. Click on your wp-admin directory.
  4. Check Password protect this directory, give it a name, then click Save.
  5. Now click on Go Back.
  6. Click on Password Generator.
    Click on Generate Password a few times, and copy your password.
    Check I have copied this password in a safe place.
    Then click Use Password.
  7. Now type in a Username, then click on Add/modify authorized user.
  8. Try to access your /wp-admin directory.
    Your browser will prompt you for the password you just created.
    Type in your username / password, and click Log In.
  9. Your normal WordPress admin login page should now display.
  10. You may encounter a redirect loop at this point. If so, please ensure you've created the error documents mentioned earlier.
  11. Now go back to cPanel.
    Under the Files section, click on File Manager.
    Select the Document Root for your domain.
    Check Show Hidden Files (dotfiles), then click Go.
  12. From the left-hand directory listing, expand public_html.
    Click on wp-admin, then right-click on your .htaccess file.
    Then click on Edit.
    For the encoding pop-up, click on Edit again to bypass that.
  13. Copy all the code in the .htaccess file (the AuthType, AuthName, AuthUserFile and require lines that cPanel generated).

    While you still have the /wp-admin/.htaccess file open, also add the two ErrorDocument directives and the <Files admin-ajax.php> block, so that the file ends up looking like this:

    ErrorDocument 401 "Denied"
    ErrorDocument 403 "Denied"

    # Allow plugin access to admin-ajax.php around password protection
    <Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
    </Files>

    AuthType Basic
    AuthName "Secure Area"
    AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
    require valid-user

    Now make sure to save the /wp-admin/.htaccess file with the added code in it, because in the next step you'll only be editing the /public_html/.htaccess file.

  14. From the left-hand directory listing, click on public_html.
    Right-click on your .htaccess file, then click on Edit.
  15. Paste the copied code inside a <FilesMatch> block.

    Now paste the .htaccess code you copied in between <FilesMatch> tags, so that it ends up looking like this:

    ErrorDocument 401 "Denied"
    ErrorDocument 403 "Denied"

    <FilesMatch "wp-login.php">
    AuthType Basic
    AuthName "Secure Area"
    AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
    require valid-user
    </FilesMatch>

    Then click on Save Changes up at the top-right.

    Code review

    You should now have a /wp-admin/.htaccess file that password protects the /wp-admin directory, and the same password protection copied into your main .htaccess file so that it also protects the wp-login.php script directly.

    /public_html/wp-admin/.htaccess

    ErrorDocument 401 "Denied"
    ErrorDocument 403 "Denied"

    # Allow plugin access to admin-ajax.php around password protection
    <Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
    </Files>

    AuthType Basic
    AuthName "Secure Area"
    AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
    require valid-user

    /public_html/.htaccess

    ErrorDocument 401 "Denied"
    ErrorDocument 403 "Denied"

    <FilesMatch "wp-login.php">
    AuthType Basic
    AuthName "Secure Area"
    AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
    require valid-user
    </FilesMatch>
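As an added example (not part of the original article, and not cPanel's or WordPress's own code), the following Python script checks that the two .htaccess files contain the pieces the steps above describe: both ErrorDocument lines (the article's fix for the redirect loop), the four Basic-auth directives, the <Files admin-ajax.php> exemption, and the <FilesMatch "wp-login.php"> block. The file contents are constructed samples based on the fragments on this page; the AuthUserFile path is the article's placeholder path, and the `LOOPING_WP_ADMIN` sample is the same file with the ErrorDocument lines deliberately left out.

```python
"""Lint the two WordPress .htaccess fragments described above (added example, not part
of the original article): redirect-loop fix, Basic auth, admin-ajax.php and wp-login.php."""
import re

# Constructed sample files modelled on the article's fragments; the AuthUserFile
# path is the article's placeholder, not a real account.
GOOD_WP_ADMIN = """\
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"
# Allow plugin access to admin-ajax.php around password protection
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>

AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
require valid-user
"""

GOOD_ROOT = """\
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"
<FilesMatch "wp-login.php">
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
require valid-user
</FilesMatch>
"""

# The wp-admin file without its ErrorDocument lines: the state the article says loops.
LOOPING_WP_ADMIN = "\n".join(
    l for l in GOOD_WP_ADMIN.splitlines() if not l.startswith("ErrorDocument"))

_OPEN = re.compile(r'^<(\w+)\s+"?([^">]*)"?>$')   # <Files x> or <FilesMatch "x">
_CLOSE = re.compile(r"^</\w+>$")

def parse_htaccess(text):
    """Return (top, sections): directive lines outside any container, and a map
    like {'Files:admin-ajax.php': [...]} for lines inside one. Comments and
    blanks are dropped; one container level is enough for these two files."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if _CLOSE.match(line):
            current = None
            continue
        opened = _OPEN.match(line)
        if opened:
            current = f"{opened.group(1)}:{opened.group(2)}"
            sections[current] = []
            continue
        (sections[current] if current else top).append(line)
    return top, sections

def _has(lines, pattern):
    return any(re.match(pattern, l, re.I) for l in lines)  # directive names are case-insensitive

def check_error_documents(top, where):
    """Both ErrorDocument lines must be present (the article's redirect-loop fix)."""
    return [f"{where}: missing ErrorDocument {code} (redirect-loop risk)"
            for code in ("401", "403") if not _has(top, rf"ErrorDocument\s+{code}\s+")]

def check_auth_block(lines, where):
    """Report which of the four Basic-auth directives are missing from `lines`."""
    wanted = [("AuthType Basic", r"AuthType\s+Basic$"), ("AuthName", r"AuthName\s+\S"),
              ("AuthUserFile", r"AuthUserFile\s+\S"), ("require valid-user", r"require\s+valid-user$")]
    return [f"{where}: missing {name}" for name, pat in wanted if not _has(lines, pat)]

def check_wp_admin_htaccess(text):
    """Problems with /wp-admin/.htaccess; an empty list means it matches the article."""
    top, sections = parse_htaccess(text)
    problems = check_error_documents(top, "wp-admin/.htaccess")
    problems += check_auth_block(top, "wp-admin/.htaccess")
    ajax = sections.get("Files:admin-ajax.php")
    if ajax is None:
        problems.append("wp-admin/.htaccess: no <Files admin-ajax.php> exemption; plugin AJAX calls get the password prompt")
    elif not (_has(ajax, r"Allow\s+from\s+all$") and _has(ajax, r"Satisfy\s+any$")):
        problems.append("wp-admin/.htaccess: admin-ajax.php block needs 'Allow from all' and 'Satisfy any'")
    return problems

def check_root_htaccess(text):
    """Problems with /public_html/.htaccess; an empty list means wp-login.php is covered."""
    top, sections = parse_htaccess(text)
    problems = check_error_documents(top, "public_html/.htaccess")
    login = sections.get("FilesMatch:wp-login.php")
    if login is None:
        problems.append('public_html/.htaccess: no <FilesMatch "wp-login.php"> block; wp-login.php is unprotected')
    else:
        problems += check_auth_block(login, "public_html/.htaccess <FilesMatch>")
    return problems

if __name__ == "__main__":
    print(check_wp_admin_htaccess(GOOD_WP_ADMIN), check_root_htaccess(GOOD_ROOT))
    print(check_wp_admin_htaccess(LOOPING_WP_ADMIN))
```

Run it against your real files by passing their contents to `check_wp_admin_htaccess` and `check_root_htaccess`; an empty list means that file has everything the article adds. One caveat for the admin-ajax.php block: `Order`, `Allow` and `Satisfy` are Apache 2.2 directives that Apache 2.4 only honours when mod_access_compat is loaded; the 2.4-native way to exempt that file is `Require all granted` inside the `<Files admin-ajax.php>` block.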

  16. Now if someone tries to log in directly via wp-login.php, they will be prompted for a valid user as well.

  17. When a user enters invalid credentials, they will get an Authorization Required error and will not be able to attempt to log in to your WordPress admin directly.
