moeyy

Tutorial: Limiting IP access to the WordPress login screen to prevent brute-force attacks

Introduction

WordPress is currently the most popular CMS, and as a result, brute force attacks on its login page are constantly ongoing.
If you have installed a plugin called Simple Login Log, you will know how insane the number of brute force attempts is every day. This plugin records every login attempt to the backend, whether successful or not.
Because of this, it is better to be proactive and take some preventive measures. This tutorial will explain how to restrict IP access to the WordPress backend login screen using Apache on a VPS.

Configuring Apache httpd

With Apache, you can restrict IP access to a specific file or folder. For detailed instructions, please refer to the Files Directive documentation.
Below is a simple guide on how to restrict access to the WordPress backend login screen file wp-login.php.
For example, if you only want to allow the IP address 192.168.2.1 to access it, you can add the following configuration to either the Apache configuration file httpd.conf or the .htaccess file in the website's root directory.

<Files "wp-login.php">
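    # Apache 2.2 access-control syntax; Apache 2.4 accepts it only with mod_access_compat loaded
    # Deny rules are evaluated before Allow rules; a client matching an Allow rule is let through
    Order Deny,Allow
    Deny from all
    Allow from 192.168.2.1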
</Files>

If you want to allow a range of IP addresses, such as 192.168.2.*, you can use the following configuration:

<Files "wp-login.php">
    Order Deny,Allow
    Deny from all
    # Partial address: matches every host in 192.168.2.0/24
    Allow from 192.168.2
</Files>

If you want to allow multiple IP addresses, such as 192.168.2.1 and 192.168.2.2, you can use the following configuration:

<Files "wp-login.php">
    Order Deny,Allow
    Deny from all
    # Several allowed addresses, separated by spaces
    Allow from 192.168.2.1 192.168.2.2
</Files>
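
To check that the restriction is actually in effect, the following added example (not part of the original tutorial) scans Apache access-log lines and reports any wp-login.php request from outside the allowlist that was not answered with 403. It assumes the common/combined log format and the 192.168.2.* allowlist from above; the log lines are constructed samples.

```python
import ipaddress
import re

# Allowlist mirroring the tutorial's "Allow from 192.168.2" example (an assumption).
ALLOWED = [ipaddress.ip_network("192.168.2.0/24")]

# Start of an Apache common/combined log line: client, ident, user, [time], "request", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def is_allowed(ip, networks=ALLOWED):
    """True if the logged client address falls inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # hostname or malformed field: never treat as allowlisted
    return any(addr in net for net in networks)

def audit(lines, networks=ALLOWED):
    """Return (leaks, blocked) for wp-login.php requests from non-allowlisted clients.

    leaks   -- requests that were NOT answered with 403, so the rule did not apply
    blocked -- count of 403 responses per client IP (the brute-force noise)
    """
    leaks, blocked = [], {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if not path.endswith("/wp-login.php") or is_allowed(m["ip"], networks):
            continue
        if m["status"] == "403":
            blocked[m["ip"]] = blocked.get(m["ip"], 0) + 1
        else:
            leaks.append((m["ip"], m["method"], m["path"], int(m["status"])))
    return leaks, blocked

# Constructed sample log lines using documentation address ranges, not real traffic.
SAMPLE = [
    '203.0.113.7 - - [10/May/2024:03:14:07 +0000] "POST /wp-login.php HTTP/1.1" 403 199',
    '203.0.113.7 - - [10/May/2024:03:14:08 +0000] "POST /wp-login.php HTTP/1.1" 403 199',
    '192.168.2.1 - - [10/May/2024:09:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2311',
    '198.51.100.23 - - [10/May/2024:09:05:44 +0000] "POST /blog/wp-login.php?action=x HTTP/1.1" 200 2311',
    '198.51.100.23 - - [10/May/2024:09:05:50 +0000] "GET /index.php HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    leaks, blocked = audit(SAMPLE)
    print("blocked attempts per IP:", blocked)
    print("requests that bypassed the rule:", leaks)
```

A non-empty leaks list means the `<Files>` block was not applied to that request, for example because the .htaccess file is ignored under the server's AllowOverride setting.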

Method for No Fixed IP

If you already have a VPS, then this is not an issue.
A VPS has a fixed IP address, so you only need to run a few one-click scripts from this site to set up a SOCKS5 proxy on it within minutes, and then connect through that proxy. This way, you will have a fixed IP.

Of course, if you don't want to use the method above, there is another option: install the SiteGuard WP Plugin.
