• hello,
    is limiting access to wp-admin to my IP only with .htaccess enough for WordPress security, or should I use some WordPress plugin to secure the whole site? I tried to use Wordfence, but since everybody knows the URL for login I get a lot of attacks.
    thank u

Viewing 15 replies - 16 through 30 (of 31 total)
  • Thread Starter DrMosko

    (@drmosko)

    did u try their solution?

    What I’m trying is just putting my list of deny IPs at the top of my .htaccess to see how that goes. So I have
    deny from 1.163.
    deny from 1.169.
    .
    .
    .
    deny from 93.114.
    etc at the very beginning of my .htaccess file and everything else after. I’ll just have to wait and see how it goes.

    This is the format to use if you want to whitelist an IP for both login and access to wp-admin; you have to do both to limit to your IP (in the example below 12.345.67.891 and allow from 98.765.43.21). This will block everyone else from login and admin:

    This goes in an .htaccess file in wp-admin (you may need to create a new, blank .htaccess file):

    Options All -Indexes

    # With "order deny,allow" the Allow lines win over "deny from all",
    # so only the listed IPs get through.
    order deny,allow
    deny from all
    allow from 12.345.67.891
    allow from 98.765.43.21

    And in the root .htaccess, add this above the WordPress rewrite block:

    <Files wp-login.php>
    # same pattern: deny everyone, then whitelist the admin IPs
    order deny,allow
    deny from all
    allow from 12.345.67.891
    allow from 98.765.43.21
    </Files>
    Thread Starter DrMosko

    (@drmosko)

    @juggledad

    it’ll be a lot of blacklisting the hackers change their ip, so purchase static ip and allow only that and deny all the others

    Thread Starter DrMosko

    (@drmosko)

    @ songdogtech

    we tried this method, but the problem is Hackers bypass .htaccess security by using GETS rather than GET

    Thread Starter DrMosko

    (@drmosko)

    @juggledad
    I found that in the root folder www/public_html there are two files that may be the problem and grant access to all:

    wp-signup.php
    wp-login.php

    therefore limit the access as so:

    <Files wp-login.php>
    # must be "deny,allow": with "allow,deny" the "deny from all" wins and
    # locks out the whitelisted IP as well
    order deny,allow
    deny from all
    allow from <ur ip>
    </Files>
    <Files wp-signup.php>
    order deny,allow
    deny from all
    allow from <ur ip>
    </Files>

    You can condense that to

    <Files ~ "^(wp-login|wp-signup)\.php$">
          # Deny,Allow so the Allow line overrides "Deny from all"
          Order Deny,Allow
          Deny from all
          Allow from <ur ip>
    </Files>
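
    The snippets above use the Apache 2.2 `Order`/`Allow`/`Deny` directives, which on Apache 2.4 only work if `mod_access_compat` is loaded. The block below is an added example (not posted by anyone in this thread) showing the same whitelist written with the 2.4 `Require` syntax, extended to `xmlrpc.php` as discussed further down, and with `admin-ajax.php` re-opened so front-end plugins that call it keep working once `wp-admin` is locked down. The addresses `203.0.113.10` and `198.51.100.0/24` are placeholder values for your own IP or range.

```apache
# Root .htaccess, above the "# BEGIN WordPress" rewrite block.
# Apache 2.4 syntax: only the listed source addresses may reach the
# login, signup and XML-RPC endpoints; everyone else gets 403.
<FilesMatch "^(wp-login|wp-signup|xmlrpc)\.php$">
    <RequireAny>
        Require ip 203.0.113.10        # placeholder: your static IP
        Require ip 198.51.100.0/24     # placeholder: an office range
    </RequireAny>
</FilesMatch>

# wp-admin/.htaccess: same whitelist for the whole admin area ...
<RequireAny>
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
</RequireAny>

# ... except admin-ajax.php, which themes and plugins call from the
# public front end; blocking it breaks those features for visitors.
<Files admin-ajax.php>
    Require all granted
</Files>
```

    Check the result from an address that is not on the list: `wp-login.php`, `wp-signup.php` and `xmlrpc.php` should return 403 while the front page and `wp-admin/admin-ajax.php` still answer. Apache evaluates a `<RequireAny>` block as "any listed rule passes"; if you are still on 2.2-style `Order` directives, the equivalent is `Order Deny,Allow` followed by `Deny from all` and one `Allow from` line per address.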

    Thread Starter DrMosko

    (@drmosko)

    Great tx, did it solve the attacks for u?

    Thread Starter DrMosko

    (@drmosko)

    I got another mail “A lockdown event has occurred due to too many failed login attempts or invalid username:
    Username: Admin
    IP Address: 195.154.243.31

    IP Range: 195.154.243.*

    Log into your site’s WordPress administration panel to see the duration of the lockout or to unlock the user
    ” after the all changes

    Thread Starter DrMosko

    (@drmosko)

    now i tried to disable xmlrpc
    by adding this to config.php

    add_filter('xmlrpc_enabled', '__return_false');

    Hello DrMosko,

    Are you successful with that approach? We discussed that on other topics and in general it doesn’t work.
    (I prefer a .htaccess block for many reasons, but always learning with forums).

    Also, as xml-rpc is used by thousands of thousands of people world-wide, just follow SongDogTech recommendations above for .htaccess and server (depends your server and if you use jetpack).

    Thread Starter DrMosko

    (@drmosko)

    hello digico
    Im still testing it, ill get back to u with that,

    can u pls explain to me what is xml-rpc for?

    hello DrMosko,

    Like many told me, it’s an open door for many and many sites/apps to your sites (the simple way to explain is, it’s a feed to your posts that can be automatically posted to many sites, but it’s way more than that).

    Again, like I was corrected, the xml rpc feed of any wp site like yours can be read by any bot, so it can be easily used by Google bot, or any social crawler like Twitter, to parse your news.

    Also, James Huff explains that better than me, but xml rpc is a backdoor to update and write from any device, making WordPress so versatile and easy to write/publish from any device.

    Regards,

    Thread Starter DrMosko

    (@drmosko)

    so if i only update the wordpress site content from the site itself, there should be no problem.

    by the way no attacks yet ??

    yes, and if the host is good (75% of hosts worldwide, that care about the WP cluster), they have a decent hardware firewall and so on, which is very strong.

    have a nice day,

  • The topic ‘is htacces limit to ip enough for wordpress security’ is closed to new replies.