WordPress does not restrict login attempts by default. The user is free to try any combination any number of times. This generosity of WordPress enables the hacker to use an attack known as brute force.
Brute force is a simple and straightforward attack used by a hacker to gain access to a site. The target is not a known vulnerability in the software. Instead, username and password combinations are tried until one passes the check.
Brute force attacks are highly successful when the user uses a common username like admin and the password is short, found in a dictionary, or as common as 12345678.
Brute force attacks are not guaranteed to succeed. But your server may still go down, unable to handle the raw volume of requests generated by the attack.
By setting IP restrictions to the WordPress login page, you can protect your WordPress site from brute force attacks. In this tutorial, we will show you how to set IP restrictions to the WordPress login page on both Apache and Nginx web server.
Set IP Restrictions to the WordPress Login Page
The first thing you need to set IP restrictions to the WordPress login page is the IP address you want to whitelist. This is easy: type what is my IP into Google and it will show you your public IP address. If you want to log in from multiple IP addresses then you need to collect all of those IP addresses.
We will be modifying server settings here. Depending on whether you are using Apache or Nginx, do the following:
Apache Users
If you are using Apache, then locate your server configuration file. Look for the virtual hosts file. If you don’t have access to your server configuration file then locate the .htaccess file instead. It should be present in the document root of your WordPress site.
Nginx Users
Locate the server configuration block. Depending on how your server is configured, it may be in a separate configuration file or in the main server configuration file. Check the main configuration file and any additional files. Normally, you should check the following locations:
- /etc/nginx/
- /etc/nginx/sites-enabled/
- /etc/nginx/conf.d/
Backup
Make sure to back up the server configuration file before you move any further. Even the smallest error in the configuration file will stop the web server from starting or reloading and bring down your site. The backup lets you restore a working configuration when things don’t go so well.
Secure WordPress login from Static IP Address
If all users who log in to your site use a static IP address (a fixed IP address that does not change) then follow this method.
Apache Users
Edit the configuration file and add the following lines of code. If you are editing a virtual host then add it in the proper virtual host section. If you are editing .htaccess then just add it to the top of the file.
<IfModule mod_authz_core.c>
    <Files wp-login.php>
        ErrorDocument 403 http://example.com/error/404
        <RequireAny>
            Require ip x.x.x.x y.y.y.y z.z.z.z
        </RequireAny>
    </Files>
</IfModule>
The above code relies on the mod_authz_core module. This module is available in Apache version 2.3 and later.
Any request to the wp-login.php file that does not originate from a whitelisted IP will be denied with a 403 response. The ErrorDocument line sends those denied requests to your 404 page instead, so a blocked visitor sees a page-not-found rather than a forbidden message.
First, change http://example.com/error/404 to the location of your 404 page.
Next, add all IP addresses that you want to whitelist by changing
Require ip x.x.x.x y.y.y.y z.z.z.z
to something like
Require ip 1.1.1.1 2.2.2.2 3.3.3.3
Add as many IP addresses as you need, separating each one with a space.
Nginx Users
Add the following lines to the server block of the configuration file:
location ~* (wp-login)\.php$ {
    allow 1.1.1.1;
    allow 2.2.2.2;
    allow 3.3.3.3;
    deny all;
}
Edit the above code and change 1.1.1.1, 2.2.2.2 and 3.3.3.3 to the IP addresses you want to whitelist for login. You can whitelist as many IP addresses as you want; just add a new allow line for each one.
If PHP is served through FastCGI (PHP-FPM or PHP CGI) then you will also need to include the FastCGI parameters in this block. Nginx handles each request with a single location block, and a regular-expression location for wp-login.php takes the request away from your generic PHP location, so the FastCGI directives from that block (include fastcgi_params, fastcgi_pass and so on) must be repeated here or PHP will never run for the login page. Your configuration may look something like this:
location ~* (wp-login)\.php$ {
    include fastcgi_params;
    # copy fastcgi_pass and any other FastCGI directives from your existing PHP location block here
    allow 1.1.1.1;
    allow 2.2.2.2;
    allow 3.3.3.3;
    deny all;
}
Secure WordPress login from Dynamic IP address
If you are using Dynamic IP addressing (your IP address changes every now and then) then this is the method for you.
Attackers normally use bots to perform brute force attacks. Bots usually post credentials straight to wp-login.php without first loading the login form, so we check whether the login request carries a Referer header pointing at your own site. Login requests that do not are blocked from accessing the login page.
Apache users
Add the following lines to the Apache configuration file:
<IfModule mod_authz_core.c>
    <Files wp-login.php>
        ErrorDocument 403 http://example.com/error/404
        <If "%{REQUEST_METHOD} == 'POST'">
            <RequireAll>
                Require expr %{HTTP_REFERER} =~ /.*example.com.*/
            </RequireAll>
        </If>
    </Files>
</IfModule>
The first part of the code is similar to the code we used earlier for static IP addresses. Edit and update the line
Require expr %{HTTP_REFERER} =~ /.*example.com.*/
and change example.com to your domain name. Just like earlier, you will also need to change http://example.com/error/404 in
ErrorDocument 403 http://example.com/error/404
to the location of your 404 page.
Nginx Users
Locate your server block in the configuration file and add the following lines:
location ~* (wp-login)\.php {
    if ($http_referer !~ (example.com)) {
        return 403;
    }
}
Edit the above code and change example.com to your domain address.
Again, if you are using PHP CGI then you will need to include the FastCGI parameters. Your settings may look something like this:
location ~* (wp-login)\.php {
    if ($http_referer !~ (example.com)) {
        return 403;
    }
    include fastcgi_params;
    # copy fastcgi_pass and any other FastCGI directives from your existing PHP location block here
}
Note that we are returning an HTTP 403 Forbidden response code. You can return a 404 error code instead if you want.
Warning
The above technique relies on the HTTP Referer header, which can’t be trusted! The attacker can easily set this header and bypass the above protection layer.
Play it safe – Limit Login Attempts
A simple way to prevent brute force attacks is to limit the number of failed login attempts. For example, block a visitor for an hour after three failed login attempts. This protects you no matter whether you are using a static IP address or dynamic IP addresses.
There are many free plugins which can get this done. Check the official WordPress plugin repository.
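The plugins mentioned above implement this rule by counting failed logins per IP address. As an added example (not code from the original article or from any plugin), here is the same rule run over a constructed access-log sample in the combined log format that Apache and Nginx both write by default. It assumes the usual WordPress behaviour that a wrong password re-renders wp-login.php with HTTP 200 while a successful login answers with a 302 redirect; the IP addresses, timestamps and the 10-minute window are constructed values.

```python
import re
from collections import defaultdict
from datetime import timedelta, datetime
# Default "combined" access-log format shared by Apache and Nginx.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one fast burst, one failure followed by a
# successful login (302), and three slow failures spread over an hour.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2024:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2024:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "curl/8.0"
192.0.2.9 - - [10/Mar/2024:09:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "curl/8.0"
192.0.2.9 - - [10/Mar/2024:09:59:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "curl/8.0"
"""

def parse_line(line):
    """Return a dict with ip, ts, method, path, status, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def failed_logins(lines):
    """Yield (ip, ts) for each failed login. Assumption: WordPress answers a wrong
    password by re-rendering wp-login.php with 200 and a correct one with 302."""
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST" and rec["status"] == 200
                and rec["path"].split("?")[0].endswith("/wp-login.php")):
            yield rec["ip"], rec["ts"]

def blocks(lines, max_failures=3, window_minutes=10, block_hours=1):
    """Return {ip: block_until} for every IP that reached max_failures failed
    attempts within window_minutes; the block lasts block_hours."""
    window, blocked, recent = timedelta(minutes=window_minutes), {}, defaultdict(list)
    for ip, ts in sorted(failed_logins(lines), key=lambda e: e[1]):
        recent[ip] = [t for t in recent[ip] if ts - t < window] + [ts]
        if len(recent[ip]) >= max_failures and ip not in blocked:
            blocked[ip] = ts + timedelta(hours=block_hours)
    return blocked
```

A script like this only reports offenders; the actual blocking is still done by the plugin, or by adding the reported addresses to a deny rule on the web server.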
Conclusion
We hope you found this tutorial useful and managed to set IP Restrictions to the WordPress Login Page on Apache and/or Nginx web server. Drop us your feedback in the comments section below.