• Hello,
    is an .htaccess rule limiting access to wp-admin to my IP only enough for WordPress security, or should I use some WordPress plugin to secure the whole site? I tried to use Wordfence, but since everybody knows the URL for login I get a lot of attacks.
    Thank you

Viewing 15 replies - 1 through 15 (of 31 total)
  • This plugin has, among other things, a great interface with a tab where you can change the login URLs very easily to anything you want. Might be worth checking out…
    https://www.ads-software.com/plugins/all-in-one-wp-security-and-firewall/

    But a plugin, like WP, depends on what your whole server setup is.

    It’s to be managed at both levels, like every plugin.

    is htaccess limit access to wp-admin to my ip only enough for wordpress security

    Restricting access to wp-admin from one IP is part of a good security plan. Making regular backups of your site, long passwords, and plugins like Wordfence are others. You should read about Hardening WordPress.

    Even using htaccess to restrict access to wp-admin will not stop the attacks. There are millions and millions of zombie computers running scripts attempting to log in to sites, not to mention the search engines trying to grab your information.

    One thing I do on a couple of my sites is ban entire ranges of IP addresses (I support a local church’s website in the US; no need for anyone using an IP from China, Russia, Peru, Nigeria, Germany etc. to access the site) – I’m currently banning over 65,000,000 IP addresses and adding more every week or so. I go through my logs and check out where the IP is coming from (if you want to look up the IP, google ‘ip lookup’).

    Thread Starter DrMosko

    (@drmosko)

    Even using htaccess to restrict access to wp-admin will not stop the attacks

    But it would stop the user login attacks.

    The attempts will continue, but it will block them from making it to WP itself. Don’t forget that unless you are on a dedicated IP, you might find yourself blocked one day if your IP address gets reassigned.

    Thread Starter DrMosko

    (@drmosko)

    I installed the plugin all-in-one-wp-security-and-firewall and it's a great plugin for me.
    I also use htaccess to block wp-admin to all but my IP, but I'm getting this message:

    A lockdown event has occurred due to too many failed login attempts or invalid username:
    Username: dossihost
    IP Address: 195.154.243.31

    IP Range: 195.154.243.*

    Log into your site’s WordPress administration panel to see the duration of the lockout or to unlock the user.

    How do I still get login attempts after I blocked access via htaccess to my IP only?

    What did you use in the .htaccess to allow only your address?

    Thread Starter DrMosko

    (@drmosko)

    I created an .htaccess file in the wp-admin folder with this code:

    order deny,allow
    allow from *.*.*.*
    deny from all

    Is the *.*.*.* representing your actual IP address?
    Try

    order deny,allow
    deny from all
    allow from <your ip>

    You could also put this in the WP root folder’s .htaccess

    # ==========================================================
    # protect wp-login.php
    # ==========================================================
    <files wp-login.php>
    # deny,allow: Deny rules are checked first, then Allow overrides them for the listed address
    order deny,allow
    deny from all
    allow from <your ip>
    </files>

    Thread Starter DrMosko

    (@drmosko)

    Why change the order, does it really matter? In all the sites that explain how to use it, they do it like I did. (Of course *.*.*.* represents my actual IP address.)

    @drmosko

    Order is crucial in .htaccess, it defines how a folder will work (from top to bottom; if it’s wrongly written just by a line above/below, it will generate false positives or errors).

    Document yourself with regex, PHP, and htaccess; actually juggledad's code is very good if suited to your need.

    Thread Starter DrMosko

    (@drmosko)

    OK, changed it to

    order deny,allow
    deny from all
    allow from my ip

    Thread Starter DrMosko

    (@drmosko)

    After I changed it I also got attacked. Why is that? I checked with another IP and I can't get to wp-admin files, so how can it be?

    Here is a possibility: https://locallost.net/?p=129
    And for what it’s worth, I’m having the same issue – started this weekend, an IP I have banned in htaccess is still trying to log in.
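
Added example (not part of any reply in this thread, and not Apache's own code): a small Python model of Apache's documented `Order`/`Allow`/`Deny` evaluation, applied to the wp-admin rules discussed above. It handles only `all`, single addresses and CIDR blocks; the function names and the 203.0.113.10 / 198.51.100.7 addresses are constructed for illustration.

```python
import ipaddress

def _matches(spec, ip):
    """True if ip matches one Allow/Deny argument: 'all', an address or a CIDR block."""
    if spec.lower() == "all":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def access_allowed(htaccess, ip):
    """Apply the documented Order/Allow/Deny rules (Apache 2.2 syntax) to one client ip."""
    order, allow, deny = "deny,allow", [], []  # Apache's default is Order Deny,Allow
    for line in htaccess.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        key = words[0].lower()
        if key == "order":
            order = "".join(words[1:]).lower()
        elif key in ("allow", "deny") and len(words) > 2 and words[1].lower() == "from":
            (allow if key == "allow" else deny).extend(words[2:])
    allowed = any(_matches(s, ip) for s in allow)
    denied = any(_matches(s, ip) for s in deny)
    if order == "deny,allow":   # Deny first, Allow overrides; no match means allowed
        return allowed or not denied
    if order == "allow,deny":   # Allow first, Deny overrides; no match means denied
        return allowed and not denied
    raise ValueError(f"unsupported Order value: {order!r}")

# Constructed samples; 203.0.113.10 stands in for the administrator's address.
ADMIN, OTHER = "203.0.113.10", "198.51.100.7"
ALLOW_LINE_FIRST = "order deny,allow\nallow from 203.0.113.10\ndeny from all"
DENY_LINE_FIRST = "order deny,allow\ndeny from all\nallow from 203.0.113.10"
ALLOW_DENY_ORDER = "order allow,deny\ndeny from all\nallow from 203.0.113.10"

def results():
    """Map each sample to (admin allowed?, other client allowed?)."""
    samples = {"allow line first": ALLOW_LINE_FIRST,
               "deny line first": DENY_LINE_FIRST,
               "order allow,deny": ALLOW_DENY_ORDER}
    return {name: (access_allowed(cfg, ADMIN), access_allowed(cfg, OTHER))
            for name, cfg in samples.items()}

if __name__ == "__main__":
    for name, outcome in results().items():
        print(f"{name:18} admin={outcome[0]} other={outcome[1]}")
```

Both `order deny,allow` samples give the same result whichever of the allow/deny lines comes first, while `order allow,deny` combined with `deny from all` rejects the administrator's address as well.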

  • The topic ‘is htacces limit to ip enough for wordpress security’ is closed to new replies.