Following up on the huge attack on WordPress sites worldwide in early April this year…
Honey, we’re ba-hack!
We are keen on a safe environment for all our customers and, last but certainly not least, we love clean servers that do not run programs written by hackers.
Early this year we put an additional login prompt (a second set of credentials) in front of all WordPress installations. We removed it once the attacks seemed to have stopped. Until now! This time we want to take a different approach, because not all of you appreciated the hassle of entering two sets of credentials.
This approach is easy to implement but needs your action: add the code below to the .htaccess file in the root of your domain.
Find out what your IP is at http://www.whatismyip.com/ or by visiting https://evershosting.com/client/cart, where your IP is shown at the bottom of the page. If you need to allow more than one workspace (IP), add one Allow line per address, as shown in the code. Only use addresses that do not change: with a dynamic address (most home connections) the block will lock you out of wp-login.php the moment your provider hands you a new IP, and you will have to update the file via FTP to get back in.
<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>
<Files wp-login.php>
Order Deny,Allow
Deny from all
# change 1.2.3.4 and 1.2.3.5 to your own IP addresses, one Allow line each
Allow from 1.2.3.5
Allow from 1.2.3.4
</Files>
If you know how to edit files via FTP, edit the file called .htaccess manually; it resides in public_html.
Be sure to use a plain text editor like Notepad or something more ‘pro’ like Notepad++ or Sublime Text.
Using a plugin to do the dirty work
WP htaccess Control
(version 3.3 at the time of writing this post)
Open the plugin settings page
Add the code to the Custom htaccess using your own IP.
#start of custom code
<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from 1.2.3.4
</Files>
It’s confirmed working on the latest WordPress 3.6
We can do this for you, once requested
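As an added example (editor's code, not from this post or from Evers Hosting), the shell script below writes the allow-list block above for any number of addresses, first checks that each one is a well-formed IPv4 address or CIDR range (a typo here locks everyone out), and prepends the block to an existing .htaccess with a backup. It assumes the Apache 2.2 Order/Allow/Deny syntax the post uses; the addresses are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post: build the wp-login.php
# allow-list block for an Apache 2.2 .htaccess from a list of addresses.
# Assumes IPv4 addresses (optionally with a /prefix) and the Order/Allow/Deny
# syntax used in the post. Sample addresses below are constructed.

# valid_ipv4 ADDR -> 0 if ADDR is a dotted quad, optionally /0-32; 1 otherwise
valid_ipv4() {
    addr=$1
    prefix=
    case $1 in
        */*) addr=${1%%/*}; prefix=${1#*/}
             echo "$prefix" | grep -Eq '^[0-9]{1,2}$' && [ "$prefix" -le 32 ] || return 1 ;;
    esac
    echo "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    # every octet must be 0-255
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# wp_login_allow IP [IP...] -> print the .htaccess block, one Allow per IP;
# refuses to print anything if one address is malformed
wp_login_allow() {
    [ $# -ge 1 ] || { echo "usage: wp_login_allow IP [IP...]" >&2; return 2; }
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    done
    cat <<'EOF'
#start of custom code
<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>
<Files wp-login.php>
Order Deny,Allow
Deny from all
EOF
    for ip in "$@"; do
        echo "Allow from $ip"
    done
    printf '</Files>\n#end of custom code\n'
}

# install_block FILE IP [IP...] -> back up FILE and prepend the block to it,
# refusing to add it twice (an existing wp-login.php block is detected first)
install_block() {
    file=$1; shift
    if [ -f "$file" ] && grep -q '^<Files wp-login.php>' "$file"; then
        echo "$file already contains a wp-login.php block; not adding another" >&2
        return 1
    fi
    block=$(wp_login_allow "$@") || return 1
    if [ -f "$file" ]; then
        cp "$file" "$file.bak"
        { printf '%s\n' "$block"; cat "$file"; } > "$file.new"
    else
        printf '%s\n' "$block" > "$file.new"
    fi
    mv "$file.new" "$file"
}

# usage: two constructed office addresses, printed to the terminal
wp_login_allow 1.2.3.4 1.2.3.5
```

Run it on the server or locally and upload the result via FTP; `install_block public_html/.htaccess 1.2.3.4 203.0.113.0/24` keeps a copy of the old file as .htaccess.bak and will not add the block a second time.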
Addition for websites with multiple (admin) users
If you have a webshop or a multi-blogger environment, the above method won’t do, because every user would need a fixed IP address on the allow list.
Instead use the following code in your .htaccess:
#begin custom code
<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>
<IfModule mod_rewrite.c>
RewriteEngine On
# only act on the login page
RewriteCond %{REQUEST_URI} wp-login\.php$ [NC]
# redirect when the request did not come from a page on your own site...
RewriteCond %{HTTP_REFERER} !yourdomain\.com [OR]
# ...or carries no User-Agent header at all (typical for simple bots)
RewriteCond %{HTTP_USER_AGENT} ^$
# 302 rather than 301, so browsers do not cache the redirect for legitimate users
RewriteRule .* http://www.google.com [R=302,L]
</IfModule>
#end custom code
Any attempt to open your WordPress login page directly (with no Referer header, or with one from another site) or without a User-Agent will be redirected to Google. To log in as a legitimate user you have to follow a link from your own site, e.g. in your footer; you can use a widget for this. Submitting the login form itself still works, because the form posts back to wp-login.php with your own site as the referer. Keep in mind that both headers are set by the client: this stops the bulk of automated brute-force bots, which request wp-login.php directly, but not an attacker who bothers to send a Referer containing your domain name.
Here’s some example html to be used in a custom text widget:
<a href="http://yourdomain.com/wp-login.php">
<img style="float:left;margin-right:10px;" alt="icon" src="https://evershosting.com/img/icons/icon-user.png">Login
</a>
Without the icon:
<a href="http://yourdomain.com/wp-login.php">Login</a>
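To see what the rules above actually decide, here is an added example (editor's code, not part of the original post) that replays the two RewriteCond checks over a handful of constructed requests, including a bot that fakes its Referer header, plus a probe_login function that checks a live site with curl (needs network, so it is not run here). The site name yourdomain.com is the post's placeholder; the sample requests are made up.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the decision the
# mod_rewrite rules make for wp-login.php and show where they are weak.
# Assumes the site is yourdomain.com as in the post; the "requests" below are
# constructed samples, not real traffic.

# login_gate REFERER USER_AGENT -> prints "redirect" if the rules would send
# the request to Google, "pass" if wp-login.php would be served
login_gate() {
    referer=$1
    ua=$2
    # RewriteCond %{HTTP_REFERER} !yourdomain\.com  (substring match)
    case $referer in
        *yourdomain.com*) referer_ok=1 ;;
        *) referer_ok=0 ;;
    esac
    # ... [OR]  RewriteCond %{HTTP_USER_AGENT} ^$
    if [ "$referer_ok" -eq 0 ] || [ -z "$ua" ]; then
        echo redirect
    else
        echo pass
    fi
}

# constructed sample requests, one per line: "referer|user-agent"
SAMPLES='
|python-requests/2.0
http://yourdomain.com/|
http://yourdomain.com/|Mozilla/5.0 (real browser, clicked the footer link)
http://attacker.example/|Mozilla/5.0
http://yourdomain.com/wp-login.php|wp-brute/1.0 (spoofed Referer header)
'

# run_samples -> one line per sample with the rules' verdict
run_samples() {
    printf '%s\n' "$SAMPLES" | while IFS='|' read -r ref ua; do
        [ -n "$ref$ua" ] || continue
        printf '%-8s referer=%-36s ua=%s\n' \
            "$(login_gate "$ref" "$ua")" "${ref:-(none)}" "${ua:-(empty)}"
    done
}

# probe_login URL -> live check of a real site (network needed): prints the HTTP
# status and redirect target for a direct request and for one that carries a
# Referer from the site itself, e.g. probe_login http://yourdomain.com/wp-login.php
probe_login() {
    url=$1
    printf 'direct:   '
    curl -s -o /dev/null -w '%{http_code} %{redirect_url}\n' "$url"
    printf 'referred: '
    curl -s -o /dev/null -w '%{http_code} %{redirect_url}\n' -e "${url%/wp-login.php}/" "$url"
}

run_samples
```

The last sample line is the one to notice: a bot that simply sets the Referer to your own domain passes exactly like a real visitor, which is why this variant is a filter against lazy mass scanners rather than a substitute for strong passwords.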
UPDATE: Protection is now automatic for Evers Hosting clients!