Securing your WordPress Application

=====Is my WordPress site under attack?=====

Your WordPress site may be vulnerable to brute force attacks. These attacks are not targeted solely at myhosting.com; they are international attacks on all WordPress websites.

As you may be aware, during our efforts to mitigate these attacks, we’ve implemented some restrictions on our network to limit the number of failed login attempts against WordPress sites. Now, over and above the previous measures, we are also removing access to all WordPress login pages by adding rules to the .htaccess file for the duration of this attack. This change blocks access to the wp-login.php page only; the rest of the WordPress site remains fully accessible to all visitors browsing its content. We believe these proactive efforts are necessary to ensure the highest security for your website and to prevent any unintentional service disruptions.

If your WordPress administration has been blocked and you urgently require access to your WordPress website, you can update your .htaccess file so that only requests from your own local static IP address are accepted for logins. If you have a dynamic IP or access WordPress from multiple locations, each of these IP addresses needs to be explicitly allowed in your .htaccess file as well. If you are unsure what the IP address of your local machine is, we suggest locating it using an IP lookup. In the worst-case scenario, you can also remove the restriction lines entirely, but this makes your WordPress website vulnerable to this attack, so please proceed with caution and make sure all WordPress user passwords are complex and secure.

=====How to Access WordPress=====

To enable your exclusive secure access to make any updates to your WordPress, we have documented the steps for each service where WordPress is available. The file has been given user write permission, so you can log in and edit it through either FTP or the File Manager. The steps to complete this are documented below.

Step 1: Log in to your cPanel.

Step 2: Under the Files section, click on File Manager.

Step 3: Select the Document Root for: option, and choose your domain from the drop-down.

Step 4: Ensure that Show Hidden Files is selected.

Step 5: Then click Go.

Step 6: Right-click on the .htaccess file and select Edit.

Step 7: If your .htaccess file didn’t exist already during the previous step, click on New File at the top-left, name the file .htaccess, and finally set the directory for the file to be created to /public_html/ or the document root of your site.

Step 8: A text editor encoding dialog box might pop up; you can simply click on Edit.

Step 9: Now simply paste the following code, replacing the 123\.123\.123\.123 IP address with your own (keep the backslash before each dot):
<IfModule mod_rewrite.c>
RewriteEngine on
# Match requests for the login page or the admin path...
RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^/wp-admin$
# ...that do not come from your IP address, and answer them with 403 Forbidden.
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

Then click on Save at the top-right of the editor.

Step 10: Wait at least 15-20 minutes, and then try to log in to your WordPress site again. Unfortunately, even simply trying to access the WordPress admin dashboard while still within the 15-minute window of a block could extend the block by an additional 15 minutes, so it’s important to wait for the previous block to expire before attempting to access your WordPress site again. If you need immediate access to your WordPress dashboard, you can implement the .htaccess rules above and then disable mod_security. I would recommend re-enabling mod_security right after disabling it, so that other security risks are still blocked from your account.
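For the case described earlier where several IP addresses must be allowed, the sketch below generates the Step 9 rules for a list of addresses and models which requests receive the 403. It is an added example, not myhosting.com's own tooling; the function names and the sample addresses (documentation ranges) are assumptions, and the matcher is a simplified Python model of mod_rewrite rather than Apache itself.

```python
import ipaddress
import re

# URI conditions copied from the Step 9 rules.
PROTECTED_URIS = [r"^/wp-login\.php(.*)$", r"^/wp-admin$"]


def remote_addr_pattern(allowed_ips):
    """Return one anchored, dot-escaped REMOTE_ADDR regex for several IPv4 addresses."""
    escaped = []
    for ip in allowed_ips:
        addr = ipaddress.IPv4Address(ip)      # ValueError on a mistyped address
        escaped.append(re.escape(str(addr)))  # 203.0.113.10 -> 203\.0\.113\.10
    return "^(" + "|".join(escaped) + ")$"


def build_htaccess(allowed_ips):
    """Render the Step 9 block with every allowed address in a single condition."""
    lines = ["<IfModule mod_rewrite.c>", "RewriteEngine on"]
    lines.append("RewriteCond %{REQUEST_URI} " + PROTECTED_URIS[0] + " [OR]")
    lines.append("RewriteCond %{REQUEST_URI} " + PROTECTED_URIS[1])
    lines.append("RewriteCond %{REMOTE_ADDR} !" + remote_addr_pattern(allowed_ips))
    lines.append("RewriteRule ^(.*)$ - [R=403,L]")
    lines.append("</IfModule>")
    return "\n".join(lines)


def is_blocked(request_uri, remote_addr, allowed_ips):
    """Simplified model: (login URI OR admin URI) AND address not allowed -> 403."""
    protected = any(re.search(p, request_uri) for p in PROTECTED_URIS)
    allowed = re.search(remote_addr_pattern(allowed_ips), remote_addr) is not None
    return protected and not allowed


if __name__ == "__main__":
    # Constructed sample addresses from the documentation ranges (RFC 5737).
    allowed = ["203.0.113.10", "198.51.100.7"]
    print(build_htaccess(allowed))
    samples = [
        ("/wp-login.php", "203.0.113.10"),   # allowed address
        ("/wp-login.php", "203.0.113.100"),  # near miss: anchors keep it out
        ("/wp-admin", "192.0.2.55"),         # any other address
        ("/", "192.0.2.55"),                 # public content stays reachable
    ]
    for uri, addr in samples:
        print(uri, addr, "403" if is_blocked(uri, addr, allowed) else "allowed")
```

The `^` and `$` anchors and the escaped dots are what keep a similar-looking address such as 203.0.113.100 from matching an entry for 203.0.113.10.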

In addition, it is highly recommended that you make sure your plugins are up to date. Those using WP Super Cache in particular should consider switching to the latest version of W3TC or Quick Cache instead to further secure their site.

=====WordPress reCAPTCHA=====

To further secure your WordPress application, we recommend using a reCAPTCHA on your site, which will reduce login attempts against it.

You can download the plugin from WordPress here

Or install your own using Google reCAPTCHA here
