
As your blog gets more popular, it will inevitably attract the attention of attackers. Some are simply after a free backlink or two, whereas others have far more malicious intentions. Whatever the case, you don't want to make it easy for them to get into the backend of your WordPress blog.
There are several measures you can take to protect yourself, but one of the most critical is protecting the login area. If an attacker gets into your WordPress dashboard, they effectively have the same access you do: they can edit pages, remove or install plug-ins (and a plug-in can run arbitrary PHP on your server), and do all sorts of other nasty things that can be a huge headache to repair.
If you typically update your blog from the same location, say your home, then it is a good idea to put a .htaccess file in the wp-admin folder that restricts the folder to specific IP addresses. Apache reads the file on every request and refuses everything from addresses other than the ones you list, so the dashboard is unreachable from anywhere else, even to someone who already knows your password. (This relies on Apache honouring .htaccess files, that is, AllowOverride being enabled for your site, which most hosts allow.) The code is actually quite simple:
order deny,allow
deny from all
# whitelist home IP address
allow from 20.20.20.20
Of course, replace 20.20.20.20 with your actual public IP address, the one your connection presents to the internet rather than the address on your local network. You can allow additional addresses by adding further allow from lines, or a whole range at once by giving a CIDR block (for example, a /24) instead of a single address, which is also the simplest way to cope with an ISP that changes your address within a fixed range. Keep in mind that this file only protects the wp-admin folder: the login form itself, wp-login.php, sits in the site root, so apply the same rules to that file from the root .htaccess (with a Files block) if you want the login page restricted as well. If your server runs Apache 2.4, the order, deny and allow directives have been superseded by Require ip, although the old syntax still works while mod_access_compat is loaded.
Alternatively (or in addition), you can install something like the Login Lockdown WordPress plug-in. It records failed login attempts by IP address, and after a small number of failures within a short period it refuses further login attempts from that address for a set amount of time. This slows password guessing to a crawl without requiring you to have a fixed address, although an attacker with many addresses can spread attempts across them, so it complements a strong password rather than replacing it.
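The allow/deny logic is easy to get backwards: swapping the two words in the order line locks everyone out, including you. The following Python script is an added example, not part of the original post, that evaluates a small .htaccess fragment the way Apache 2.2's mod_authz_host does, so you can check which addresses a rule set admits before uploading it. It handles all, single addresses, CIDR ranges and dotted partial prefixes; the rule texts and the client addresses in it are constructed for illustration.

```python
import ipaddress

# Constructed rule set: the fragment shown in the post above.
PAGE_RULES = """\
order deny,allow
deny from all
# whitelist home IP address
allow from 20.20.20.20
"""

# Constructed rule set with the Order line reversed: a common mistake.
MISORDERED_RULES = """\
order allow,deny
deny from all
allow from 20.20.20.20
"""


def parse_rules(text):
    """Extract the Order setting and the Allow/Deny host lists from .htaccess text."""
    order = "deny,allow"          # Apache's default when no Order line is present
    allows, denies = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "order" and len(parts) == 2:
            order = parts[1].lower()
        elif directive in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            (allows if directive == "allow" else denies).extend(parts[2:])
        else:
            raise ValueError(f"unsupported directive: {raw!r}")
    if order not in ("deny,allow", "allow,deny"):
        raise ValueError(f"unsupported Order: {order}")
    return order, allows, denies


def host_matches(pattern, ip):
    """Return True if one Allow/Deny argument matches the client address."""
    if pattern.lower() == "all":
        return True
    if "/" in pattern:                                   # CIDR range, e.g. 198.51.100.0/24
        return ip in ipaddress.ip_network(pattern, strict=False)
    if ip.version == 4 and pattern.count(".") < 3:       # dotted prefix, e.g. 203.0.113
        return str(ip).startswith(pattern + ".")
    return ip == ipaddress.ip_address(pattern)           # single address


def is_allowed(text, client_ip):
    """Decide, as mod_authz_host would, whether client_ip may access the directory."""
    order, allows, denies = parse_rules(text)
    ip = ipaddress.ip_address(client_ip)
    allowed = any(host_matches(p, ip) for p in allows)
    denied = any(host_matches(p, ip) for p in denies)
    if order == "deny,allow":
        # Deny is evaluated first and Allow last: the default is allow, and a
        # client matching both lists is allowed.
        return allowed or not denied
    # allow,deny: Allow first and Deny last: the default is deny, and a client
    # matching both lists is denied.
    return allowed and not denied


if __name__ == "__main__":
    for rules_name, rules in (("page rules", PAGE_RULES), ("misordered", MISORDERED_RULES)):
        for client in ("20.20.20.20", "198.51.100.7"):
            verdict = "allowed" if is_allowed(rules, client) else "denied"
            print(f"{rules_name:11} {client:>13}: {verdict}")
```

Running it shows the post's rule set admitting only 20.20.20.20, while the misordered set denies that address as well, because under allow,deny a client that matches both lists loses.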
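To make the lockout mechanism concrete, here is an added Python example, not the plugin's own code, that models a Login Lockdown style limit: after a number of failed attempts from one IPv4 /24 within a short window, every login attempt from that range is refused for a lockout period, valid password or not. The thresholds (3 failures in 5 minutes, then a 60-minute lockout), the per-/24 grouping and the sequence of attempts are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict, deque


class LoginLockdown:
    """Per-network failed-login limiter (assumed thresholds, not the plugin's code)."""

    def __init__(self, max_failures=3, window=300, lockout=3600, prefix=24):
        self.max_failures = max_failures     # failures tolerated inside one window
        self.window = window                 # seconds over which failures are counted
        self.lockout = lockout               # seconds the network stays blocked
        self.prefix = prefix                 # group clients by this IPv4 prefix length
        self._failures = defaultdict(deque)  # network -> timestamps of recent failures
        self._locked_until = {}              # network -> time the lockout expires

    def _network(self, ip):
        return str(ipaddress.ip_network(f"{ip}/{self.prefix}", strict=False))

    def is_locked(self, ip, now):
        net = self._network(ip)
        until = self._locked_until.get(net)
        if until is None:
            return False
        if now >= until:                     # lockout has expired: forget it
            del self._locked_until[net]
            return False
        return True

    def attempt(self, ip, now, credentials_ok):
        """Process one login attempt; return True only if it is accepted."""
        if self.is_locked(ip, now):
            return False                     # refused even with a valid password
        if credentials_ok:
            return True
        net = self._network(ip)
        recent = self._failures[net]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                 # drop failures older than the window
        if len(recent) >= self.max_failures:
            self._locked_until[net] = now + self.lockout
            recent.clear()
        return False


# Constructed attempt log: (seconds since start, client IP, password correct?)
SAMPLE_ATTEMPTS = [
    (0, "198.51.100.7", False),
    (30, "198.51.100.7", False),
    (60, "198.51.100.7", False),    # third failure inside 5 minutes: range locked
    (90, "198.51.100.7", True),     # right password, but still locked
    (100, "198.51.100.99", True),   # same /24, so locked as well
    (120, "203.0.113.5", True),     # unrelated network, unaffected
    (3700, "198.51.100.7", True),   # lockout ended at 3660, so accepted
]


def replay(attempts, **settings):
    """Run a sequence of attempts through a fresh limiter and return the verdicts."""
    limiter = LoginLockdown(**settings)
    return [limiter.attempt(ip, t, ok) for t, ip, ok in attempts]


if __name__ == "__main__":
    for (t, ip, ok), accepted in zip(SAMPLE_ATTEMPTS, replay(SAMPLE_ATTEMPTS)):
        print(f"t={t:5d} {ip:>15} password_ok={ok!s:5} -> {'accepted' if accepted else 'refused'}")
```

Grouping by /24 rather than by single address means a guesser who rotates through neighbouring addresses is caught too, at the cost that a legitimate user on the same range is locked out alongside them; widen or narrow the prefix to suit your audience.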





Matt
February 14, 2008 6:49 pm
Allowing just your IP can be annoying if your ISP assigns you dynamic IPs instead of static ones…
Lee Down
February 19, 2008 10:54 pm
I’ve wondered about this, particularly as I wait for the Fantastico update to the recent WordPress security fix.
I’ve noticed new users create accounts. The issue of the fix has me paranoid so I’ve been deleting users unless they comment and I can verify who they are.
Now what I’m reading from your blog entry, is that this isn’t even necessarily the issue. You’re talking about someone simply hacking my own login??
Matt
February 20, 2008 8:16 pm
The issue with 2.3.2 was that users could use XMLRPC (it’s a protocol for, basically, remote blogging) to edit other users’ posts. If you just blog from inside the WP Admin panel, you can just delete the file “xmlrpc.php” from where WordPress is installed, which shall protect you until the Fantastico update rolls around (Fantastico should replace the file when you update).