Password Protect or IP Restriction on WordPress wp-admin Folder (htaccess and htpasswd)

in wordpress •  2 years ago 

wordpress

wp-admin folder is the most important folder in a wordpress installation. It mainly contains the code for the Dashboard. However, there is an important file admin-ajax.php which is also necessary to send requests to backend via the wordpress UI. So simply blacklisting entire wp-admin folder may break the site functionalities.

I have been getting lots of warnings from the Plugin "Limit Login Attempts":

Wordpress Limit Login Attempts Email Warnings

Although, this plugin is sufficient in protecting your wordpress login dashboard from bruteforce attacks by lockout the incorrect attempts, but I feel it necessary to add one more extra protection.

Whitelisting admin-ajax.php in .htaccess


We can specify access rules in the .htaccess file is a hidden file at the root folder or wp-admin folder. But we have to first whitelist the admin-ajax.php and we can do it via the following:

# placing this at wp-admin folder
<Files /admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>

IP Restriction in .htaccess


Then, we can allow certain IPs to access /wp-admin only (whitelisting IP Addresses), via the following (place it the Files section mentioned above):

<Limit GET POST PUT DELETE PATCH>
order deny,allow
deny from all
allow from 12.34.56.78
</Limit>

We could also add "ErrorDocument 401 default" at the top of the .htaccess so that 401 will be shown to user if access is denied. Here is the entire source of .htaccess if you want to allow only certain IPs to be able to access the /wp-admin folder (whitelisting admin-ajax.php):

# placing this at /wp-admin folder
ErrorDocument 401 default

<Limit GET POST PUT DELETE PATCH>
order deny,allow
deny from all
allow from 12.34.56.78 # multiple whitelisted IP addresses separated by comma
<Limit>

<Files /admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>

Password Protect the Folder in .htaccess (.htpasswd)


We can also set a username and password. The credentials are stored in .htpasswd file which should be placed outside the website directory to reduce the accidental visibility (place it at your home directory for safety and remember to set the corresponding file permissions).

The .htpasswd is a text file and each line specifies a username:password format. The password is the MD5 Hash of the password.

# each line is a user
username:password_md5_hash

And then we can specify the password protection in .htaccess (complete source of .htaccess and whitelisting the admin-ajax.php): The AuthUserFile gives a complete path to .htpasswd credential file:

# placing this at /wp-admin folder
ErrorDocument 401 default

AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/user/.htpasswd
require valid-user

<Files /admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>

Then, when visiting /wp-admin, you should see a authentication dialog that pops up:

sign-in-dialog

If invalid credentials are provided, you should see the following message (401 Unauthorized):

Unauthorized This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

Apache/2.4.41 (Ubuntu) Server at helloacm.com

We need to test /wp-admin/admin-ajax.php to see if is being whitelisted - that will return 400 Bad Request and a content body "0"

--EOF (The Ultimate Computing & Technology Blog) --

Reposted to Blog

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Thank you for reading ^^^^^^^^^^^^^^^

NEW! Following my Trail (Upvote or/and Downvote)

Follow me for topics of Algorithms, Blockchain and Cloud.
I am @justyy - a Steem Witness
https://steemyy.com

My contributions

Steem/Swap to USDT Swap

I also made this Super Easy/Handy Service to Convert your STEEM or SBD to USDT (TRC-20)

Delegation Service

Voting Power Considered in Voting Schema and Important Update of Delegation Service!

  • Delegate 1000 to justyy: Link
  • Delegate 5000 to justyy: Link
  • Delegate 10000 to justyy: Link

Support me

If you like my work, please:

  1. Delegate SP: https://steemyy.com/sp-delegate-form/?delegatee=justyy
  2. Vote @justyy as Witness: https://steemyy.com/witness-voting/?witness=justyy&action=approve
  3. Set @justyy as Proxy: https://steemyy.com/witness-voting/?witness=justyy&action=proxy
    Alternatively, you can vote witness or set proxy here: https://steemit.com/~witnesses

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE BLURT!
Sort Order:  
  ·  2 years ago  ·  

I am also getting errors while login, of multiple failed attempts but no emails.
I think the plugin be having issues.

Thanks for sharing this

  ·  2 years ago  ·   (edited)

I think you would need to install another plugin for email to work properly: WP SMTP Email

  ·  2 years ago  ·  

This is configures and working, but it was the issue with the restrict login (maybe we have different plugins)