There are many ways to protect the wp-login.php webpage, at least limit the attempts. For a single server single website setup, we should try to avoid (i) hosting a mail server on the web server and (ii) self-hosted forms. Today, there are many types of SaaS which provide the required services. If you ever forget your login password, you can reset it from the MySQL command line.
Methods to Protect WordPress wp-login Page
Use IP Geo Block WordPress Plugin
The only way to prevent brute force is by filtering by IP. There is an excellent WordPress plugin for this purpose – IP Geo Block (we discussed IP Geo Block long back).
---
This plugin helps you to configure what error you’ll throw to the IPs which are not of your country. That will block at least 70%. This plugin will give you an excellent log with graphical analysis.
Use Fail2Ban and Integrate With WordPress Plugin
We have a lot of articles on how to configure Fail2Ban on the server. It is an extremely powerful software when properly configured.
There is a WordPress plugin to integrate Fail2Ban – https://wordpress.org/plugins/wp-fail2ban/. Also, many of the users have written their own scripts for Fail2Ban to protect the wp-login.php webpage.
Apache mod_security
We have described how to Configure Apache mod_security for WordPress. Always activate mod_security at least when you’ll not edit the posts at the backend for a few days.
Use .htaccess to Limit by IP
It is very easy to allow only a few IPs to access your website’s wp-login.php file. You have to edit the below code and add it to .htaccess:
1 2 3 4 5 6 7 8 9 10 11 | <Files wp-login.php> order deny, allow Deny from all # whitelist Your IP address allow from xx.xxx.xx.xx #whitelist some other user's IP Addresses allow from xx.xxx.xx.xx </Files> |
However, your all devices will need an IP from a VPN provider. This method is robust but you can limit yourself. You can always add a password via .htaccess. Copy the following lines of code into your .htaccess file under the/wp-admin directory (you will need to create a new file):
1 2 3 4 | AuthType Basic AuthName "Protected Area" AuthUserFile /path/to/somewhere/.htpasswd require user [Username] |
Create a new file named .htpasswd. Enter the username(s) and password in the following form:
[Username]:[EncryptedPassword]
You can easily generate the encrypted password yourself online by searching the term “generate .htpasswd”. You can do it on your server as well.
Use a Firewall
Application firewalls including that offered by Cloudflare can effectively reduce the risks.
Conclusion
If you combine the methods described above, your wp-login.php file will be secured. However, always take nightly backups and test the backup at least every week.
Of course, use a unique username and a strong password.
