[OnCloud] Securing your WordPress Application

=====Is my WordPress site under attack?=====

Your WordPress site may be vulnerable to brute-force login attacks. These attacks are not targeted solely at myhosting.com; they are international attacks against WordPress websites everywhere.

As you may be aware, during our efforts to mitigate these attacks we have implemented restrictions on our network to limit the number of failed login attempts against WordPress sites. Now, over and above those measures, we are also removing access to all WordPress login pages for the duration of this attack by adding rewrite rules to each site's .htaccess file. This change blocks access to the wp-login.php page only; the rest of the WordPress site remains fully accessible to all visitors. We believe these proactive efforts are necessary to ensure the highest security for your website and to prevent any unintentional service disruptions.

If your WordPress administration has been blocked and you urgently need access to your WordPress website, you can update your .htaccess file so that login requests are accepted only from your own static IP address. If you have a dynamic IP address, or you access WordPress from multiple locations, each of those IP addresses must be explicitly allowed in your .htaccess file as well. If you are unsure of your local machine's public IP address, we suggest finding it with an IP lookup service. As a last resort you can remove the restriction lines entirely, but this leaves your WordPress website exposed to this attack, so please proceed with caution and make sure all WordPress user passwords are complex and secure.

=====How to Access WordPress=====

To give you exclusive, secure access for making updates to your WordPress site, we have documented the steps for each service where WordPress is available. The .htaccess file has been given user write permission, so you can log in and edit it through either FTP or the file manager. The steps are documented below.

Step 1 Log into FTP

Step 2 Locate your domain's document root

Step 3 Right-click the .htaccess file and select View/Edit

Step 4 If the .htaccess file from the previous step does not exist yet, right-click and select Create New File

Step 5 Add the following code, replacing the digits of 111\.111\.111\.111 with your own IP address while keeping the backslashes, which escape the dots in the pattern (you can find your IP address at http://whatsmyip.com )

<IfModule mod_rewrite.c>
RewriteEngine on
# Match the login page (with anything after it) OR the /wp-admin path ...
RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^/wp-admin$
# ... AND the request does not come from your allowed address (keep the
# backslashes; they escape the dots). To allow a second address, add another
# RewriteCond line like this one containing that address.
RewriteCond %{REMOTE_ADDR} !^111\.111\.111\.111$
# Any request that reaches this point is refused with 403 Forbidden
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

Step 6 Save the file. Your FTP application will ask whether to upload the file; confirm the upload.
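As an added example (not part of the myhosting.com article), the Python script below generates the same .htaccess block for one or more allowed addresses and emulates how Apache evaluates the condition chain, so you can check which requests would receive a 403 before uploading the file. The addresses and requests in it are constructed samples from documentation ranges.

```python
import ipaddress
import re

# Constructed sample addresses (documentation ranges), standing in for the
# 111.111.111.111 placeholder in the article.
ALLOWED_IPS = ["111.111.111.111", "203.0.113.7"]

# The two REQUEST_URI patterns the article's rules protect.
LOGIN_RE = re.compile(r"^/wp-login\.php(.*)$")
ADMIN_RE = re.compile(r"^/wp-admin$")


def escape_ip(ip: str) -> str:
    """Validate an IPv4 address and escape its dots for use inside a RewriteCond.

    In a regular expression an unescaped dot matches any character, so the
    backslashes in the article's snippet are what make the address match exact.
    """
    addr = ipaddress.ip_address(ip)  # raises ValueError for anything that is not an IP
    if addr.version != 4:
        raise ValueError(f"only IPv4 is handled here: {ip}")
    return re.escape(str(addr))


def build_htaccess(allowed_ips) -> str:
    """Render the article's .htaccess block with one negated RewriteCond per allowed IP.

    RewriteCond lines are ANDed unless flagged [OR], so the chain reads:
    (login page OR /wp-admin) AND not IP1 AND not IP2 ... -> 403.
    """
    if not allowed_ips:
        raise ValueError("allow at least one address, or you will lock yourself out")
    lines = [
        "<IfModule mod_rewrite.c>",
        "RewriteEngine on",
        r"RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$ [OR]",
        r"RewriteCond %{REQUEST_URI} ^/wp-admin$",
    ]
    for ip in allowed_ips:
        lines.append(f"RewriteCond %{{REMOTE_ADDR}} !^{escape_ip(ip)}$")
    lines.append("RewriteRule ^(.*)$ - [R=403,L]")
    lines.append("</IfModule>")
    return "\n".join(lines) + "\n"


def would_block(request_uri: str, remote_addr: str, allowed_ips) -> bool:
    """Emulate the rule chain for one request: True means Apache would answer 403."""
    protected = LOGIN_RE.match(request_uri) or ADMIN_RE.match(request_uri)
    if not protected:
        return False
    # Anchored fullmatch mirrors the ^...$ around the address in the RewriteCond.
    return not any(re.fullmatch(escape_ip(ip), remote_addr) for ip in allowed_ips)


if __name__ == "__main__":
    print(build_htaccess(ALLOWED_IPS))
    samples = [  # constructed requests: (REQUEST_URI, REMOTE_ADDR)
        ("/wp-login.php", "111.111.111.111"),
        ("/wp-login.php", "198.51.100.9"),
        ("/wp-login.php", "111.111.111.1110"),
        ("/wp-admin", "198.51.100.9"),
        ("/wp-admin/", "198.51.100.9"),
        ("/", "198.51.100.9"),
    ]
    for uri, addr in samples:
        verdict = "403" if would_block(uri, addr, ALLOWED_IPS) else "allowed"
        print(f"{uri:16} from {addr:18} -> {verdict}")
```

Two details the emulation makes visible: the anchored, escaped address pattern means 111.111.111.1110 is still blocked, and the page's `^/wp-admin$` condition matches only the bare /wp-admin path. Requests for /wp-admin/ pass the rule itself, but WordPress redirects an unauthenticated browser from there to wp-login.php, which the first condition then blocks. Apache's REQUEST_URI does not include the query string, so `?redirect_to=...` on the login URL does not affect the match.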

In addition, it is highly recommended that you keep your plugins up to date. In particular, if you use WP Super Cache, please consider switching to the latest version of W3TC or Quick Cache instead to further secure your site.

=====WordPress reCAPTCHA=====

To further secure your WordPress application, we recommend using reCAPTCHA on your site, which will reduce brute-force login attempts against it.

You can download the plugin from WordPress here

Or, install your own using Google reCAPTCHA here
