In an earlier article, we spoke about password protecting wp-login.php with HTTP authentication. There, we came up with this amazing analogy that if your WordPress were a house, HTTP authentication would be a fence to it. Now, imagine deploying a guard at your fence door to further secure your house (your WordPress site). This guard would check the ID (read IP address) of every visitor and allow (or deny) a selected few.


In this article, we’ll teach you how to provide restricted access through the fence door to only select IP addresses. Of course, for this to work, your internet connection needs to have a static IP address first. If you aren’t sure what your IP address is, you can always Google ‘IP address’.

How to Restrict Access by IP to your wp-admin Directory

To begin with, download the .htaccess file from your wp-admin directory using a third-party FTP client like FileZilla. In case there isn’t already an .htaccess file in your wp-admin directory, go ahead and create a new one. Then, add the following lines at the end of your .htaccess file:

order deny,allow
allow from your.IP.address
deny from all

The above directive allows only a single IP address to access your admin dashboard; use it if you only ever access your WordPress dashboard from one location. In the example, put your own IP address in place of ‘your.IP.address’.

If you access your dashboard from multiple locations, you’ll need to list all of those IP addresses in the directive, each on its own ‘allow from’ line, as shown below:

order deny,allow
allow from your.IP.address.1
allow from your.IP.address.2
allow from your.IP.address.3
deny from all

Blocking Specific IP Addresses

A large number of attacks are seen to come from specific regions or sets of IP addresses. To block these at the .htaccess level itself, add the following lines to your .htaccess file:

order deny,allow
deny from IP.address.1
deny from IP.address.2
allow from all

Put the IP addresses you wish to blacklist in place of ‘IP.address.1’ and ‘IP.address.2’. When a blocked IP address tries to access your dashboard, it gets the default ‘403 Forbidden’ error message.


Once you’re done, save the changes and upload the .htaccess file back to the wp-admin directory. If you make such a change to the .htaccess file in the root directory of your WordPress instead, every website visitor apart from you will receive the ‘403 Forbidden’ error message. Therefore, be sure to make the changes only in the .htaccess file in the wp-admin directory of your WordPress.

Fixing the Admin Ajax Issue

Limiting access to wp-admin by IP address tends to break front-end Ajax functionality, because WordPress sends front-end Ajax requests to wp-admin/admin-ajax.php. Therefore, if any of your plugins use Ajax on the front end, add the following lines to the .htaccess file in your wp-admin directory to fix the Ajax issue:

<Files admin-ajax.php>
order allow,deny
allow from all
satisfy any
</Files>
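The same wp-admin restrictions written for Apache 2.4, added here as an example that is not from the original article. Apache 2.4 moved host access control from Order/Allow/Deny (which now only work if the legacy mod_access_compat module is loaded) to Require, provided by mod_authz_host and mod_authz_core; for a Require in a .htaccess file to take effect, the directory needs AllowOverride AuthConfig (or All). The addresses are placeholders from the documentation ranges.

```apache
# Added example (not from the original article): the wp-admin allow-list and the
# admin-ajax.php exemption in Apache 2.4 syntax. Goes in wp-admin/.htaccess.
# 203.0.113.10 and 198.51.100.0/24 are placeholder addresses from the
# documentation ranges; replace them with your own static address or network.

# Only the listed clients may reach anything under wp-admin/. Each "Require ip"
# takes a single address or a CIDR network; RequireAny admits a request if
# any one of them matches, which mirrors the stacked "allow from" lines above.
<RequireAny>
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
</RequireAny>

# Front-end Ajax requests from ordinary visitors are sent to
# wp-admin/admin-ajax.php, so that one file is opened back up. A Require set
# in a more specific section replaces the enclosing one (AuthMerging is Off
# by default), so this overrides the allow-list for this file only.
<Files admin-ajax.php>
    Require all granted
</Files>

# Alternative for the "Blocking Specific IP Addresses" case: let everyone in
# except the listed addresses. A negative "Require not ip" must sit inside
# RequireAll, where every line has to pass.
#<RequireAll>
#    Require all granted
#    Require not ip 192.0.2.5 192.0.2.77
#</RequireAll>
```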

For increased security, it is advisable to combine the IP-based restriction discussed above with password protection. Also, your IP address will change if you change your internet service provider, so don’t forget to update your .htaccess file in that case.

The WordPress admin dashboard can only be accessed by entering your username and login password. It is good practice to always use a strong login password, as this makes it difficult for bots and hackers to break into your admin dashboard. However, the internet has never been a very safe place, and no amount of security is ever enough. Therefore, it’s always good to have as many layers of security as (sanely) possible, to keep hackers at bay.

Password Protect

While login credentials are a robust security measure at the WordPress application level, we can add further security using HTTP Basic Authentication (BA). HTTP BA is the simplest technique for enforcing selective restriction of access to your web resources, making it a system-level security measure. But enough nitty-gritty for now; let’s try to understand this with a simple analogy. Imagine your WordPress site is a house. Although the house’s main door (read login credentials) is a vital part of its security, it may not be enough, and you might want to add a fence around the house as an additional security measure. HTTP authentication is one such ‘fence’ for the protection of your WordPress site. Anyone who wants to enter your admin dashboard will first need to get through the HTTP authentication (your fence) and then enter their login credentials (your main door).

To secure your WordPress site with HTTP authentication, you first need to generate a .htpasswd file, in which you’ll list all authorised usernames and their respective encrypted passwords. Following our analogy, think of this as setting up a door in your fence. You can only use .htpasswd on an Apache server, since .htpasswd is an Apache password file. The good news is that Apache is the most commonly used web server software worldwide, which makes it highly probable that your site is running on Apache.

Creating a .htpasswd File

You can use the htpasswd command line tool to create a new .htpasswd file. On your command line, run the following:

htpasswd -c .htpasswd harini

Here, ‘-c’ stands for ‘create’ and should only be used when creating a new .htpasswd file. ‘harini’ is the (case-sensitive) username for our HTTP BA. On hitting enter, you’ll be prompted to enter the password you would like to use. By default, the htpasswd tool hashes your password using MD5.


If you already have an existing .htpasswd file and would just like to add a new username to it, run the following command instead:

htpasswd .htpasswd rahul


Note that you don’t use the ‘-c’ switch in this command, since you aren’t creating a new .htpasswd file here.

Each line of a .htpasswd file has the form ‘username:encrypted_password’. For instance, a sample .htpasswd file that contains the users harini and rahul would look like this (the password values are placeholders):

harini:<encrypted password>
rahul:<encrypted password>

If you aren’t able to get your hands on the htpasswd tool, you can generate your .htpasswd entry (the username and encrypted password pair) with an online htpasswd generator.

Now that you’ve successfully created the .htpasswd file, you have a lot of flexibility over where to place it; however, it is advisable to store it in a directory that can’t be accessed directly through the web. One good location is one level above the WordPress install directory. This ensures that your Apache password file remains secure even if your web server software were to get corrupted.

Password Protecting wp-login.php

With the .htpasswd file ready and stored in a safe position, you can now go on to restrict access to your wp-login.php file. For this, you’ll need to specify the following things in your .htaccess file:

  • which file to restrict
  • where to get the HTTP BA credentials from

Assuming the .htaccess file is at the WordPress install directory level, adding the following lines to the file will do this for us:

<Files wp-login.php>
AuthUserFile /path/to/.htpasswd
AuthName "Private access"
AuthType Basic
require valid-user
</Files>

Here, you need to focus on the following two lines:

AuthUserFile /path/to/.htpasswd: Make sure you provide the correct path to your .htpasswd file in place of ‘/path/to/.htpasswd’.

require valid-user: The ‘valid-user’ keyword tells Apache to give any user listed in the .htpasswd file access to the wp-login.php file. If you want to grant access to the file selectively, instead of ‘valid-user’ you can list just the usernames you’d like to give access to. For example, if there are three usernames in the .htpasswd file and you want to grant access to only two of them, say user01 and user02, and not to user03, use the following require directive:

require user user01 user02

Once you’re done, save the file and upload it to the directory that contains the wp-login.php file. The next time you try to log in to your WordPress dashboard, your browser will prompt you for authentication even before the admin login screen loads, just like the fence we discussed.
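The wp-login.php protection in Apache 2.4 syntax, going one step beyond the article by combining HTTP Basic Authentication with an IP allow-list, as the article recommends doing; this is an added example, not code from the original article. /path/to/.htpasswd, the user names and the address are placeholders, and as with any Require in a .htaccess file the directory needs AllowOverride AuthConfig (or All).

```apache
# Added example (not from the original article): wp-login.php protection in
# Apache 2.4 syntax, combining HTTP Basic Authentication with an IP allow-list
# as the article recommends. Goes in the .htaccess at the WordPress install
# directory. /path/to/.htpasswd, user01/user02 and 203.0.113.10 are placeholders.
<Files wp-login.php>
    AuthType Basic
    AuthName "Private access"
    # Look the credentials up in a flat .htpasswd file (mod_authn_file).
    AuthBasicProvider file
    AuthUserFile /path/to/.htpasswd

    # RequireAll: the request must come from the listed address AND carry
    # valid credentials for user01 or user02. A third account in the same
    # .htpasswd file (user03 in the text) is refused even with the right
    # password. Use "Require valid-user" instead of "Require user ..." to
    # accept every account in the file; to rely on the password alone, keep
    # just the "Require user" line without the RequireAll container.
    <RequireAll>
        Require ip 203.0.113.10
        Require user user01 user02
    </RequireAll>
</Files>
```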


A .htaccess file is a distributed configuration file that’s present not just in WordPress, but on all Apache web hosting. .htaccess files can be used to boost your website’s performance, security and usability. A few features you can enable or disable using a .htaccess file include the server signature, file caching, URL redirection, password protection and custom error pages.

WordPress installations may or may not contain a .htaccess file in the root directory, depending on your permalink structure: while the default ‘ugly’ permalink structure comes without a .htaccess file, a pretty permalink structure automatically creates one in your WordPress root. If you’re using the default WordPress settings (read: an ugly permalink structure), it is highly advisable to change to a pretty permalink structure. Now, assuming you want to enable default pretty permalinks, create a new text file in Notepad and name it .htaccess (not .htaccess.txt). Include the following basic code in the file:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Save the changes and upload the file to your WordPress root directory using FTP.

Protect your .htaccess File

To protect your .htaccess file from external users and tighten website security, it is recommended to add the following lines to the .htaccess file:

<Files .htaccess>
order allow,deny
deny from all
</Files>

While making any modification to your .htaccess file, remember that even a tiny error in it can cause a major issue on your website, so much so that you might even end up disabling your entire server with one simple typo. Hence, it is advisable to make a backup of your .htaccess file before making any changes. This way, if something goes wrong, you can always revert to the backup version of the file.


As an avid reader of books and various articles, both in newspapers and online, I have always had the urge to test my writing skills. The usage of jargon and the blend of sophisticated words that the authors achieved in their articles always enticed me. I wanted to start a blog of my own and so went about researching the requirements to start a blog and the whats and hows of blogging. After talking to several blogging enthusiasts, I came to know that blogspot.com and bloggers.com are the different websites that break the entry barrier to blogging for an individual. Though I don’t understand much about the technicalities that go into building a blog and making it attractive for users to read, I realised bloggers.com and blogspot.com are not much help in terms of their GUI, themes, plug-in support etc. I turned to my friend Akshat Choudhary for help, and he suggested I go for WordPress-based blogs, which, with a very intelligently designed code base, enhance the look and feel of your website.
I had to know what WordPress would do for me and so followed up on it. I went through the book ‘WordPress for Dummies’ by Lisa Sabin-Wilson for a start and then supplemented that knowledge by going through articles on the web. I started with the WordPress tutorials on WordPress.org and then went through different articles posted on wp.tutsplus.com and elitebydesign.com. For a person who is passionate about blogging and wants to maintain an online diary, WordPress will provide the best interface through which you could connect to your readers. Today, WordPress is the largest self-hosted blogging tool in the world, used by millions of websites with tens of millions of views every day. The best thing about WordPress is that it is an Open Source project which can be used by anyone on the web, which means you can use it for anything, be it your personal diary, your travel accounts or your views on any subject for that matter. Some of the features offered by WordPress are private and password-protected posts, easy importing, installation and upgrades, a full theme system, multiple authors, spam protection and intelligent text formatting. So, ‘WordPress is only limited by your imagination’.

An Introduction to WordPress

Now that your blog is ready, you would want to ensure its longevity, right? Malware, spam and crashes are the nightmares of any successful blogger, but with blogVault.net, which backs up and secures your WordPress site, you can put your worries aside. It not only says it backs up your blog but also shows where your blog has been backed up and secured, through its unique Test-Restore feature.
If you are already using WordPress, back it up with blogVault, and if you are going to start blogging with WordPress, back it up with blogVault: the best solution for the security and backup of your WordPress site.