• Resolved frank tredici

    (@frank13)


    I’ve Google’d and implemented a login access firewall to my WPMS networks via the .htaccess directives:

    <Files wp-login.php>
    order deny,allow
    Deny from all
    # allow access from these IP addresses
    allow from 123.456.789.012
    allow from 987.654.321.098
    </Files>

    Does anyone know how or why people still get through and attempt to login? The Sucuri Security plugin continues to alert me of login attempts:

    This email was sent from your website "My WordPress Multisite Network" by the Wordfence plugin at Friday 18th of September 2015 at 01:05:37 PM
        The Wordfence administrative URL for this site is: https://example.com/wp-admin/admin.php?page=Wordfence
    
        A user with IP address 92.81.164.249 has been locked out from the signing in or using the password recovery form for the following reason: Used an invalid username 'test' to try to sign in.
        User IP: 92.81.164.249
        User hostname: 92.81.164.249
    User location: Iași, Romania
    
        NOTE: You are using the free version of Wordfence.
Viewing 6 replies - 1 through 6 (of 6 total)
  • Sometimes malicious users try to gain access to poorly secured WordPress websites.

    The code you enabled within wp-login.php is preventing that and only allowing users to login through the allowed IP addresses within that IP table.

    There may be a way to disable the login attempt notifications, but it’s recommended to keep them on to see what is going on.

    Thread Starter frank tredici

    (@frank13)

    Thank you @daviduzelac for responding and contributing.

    But I have a very fundamental lack of understanding on the hardening process. “How” can anyone even get to the login screen (other than from the 2 IP’s whitelisted) if the Apache directives shown above in my OQ are implemented?

    A couple of different .htaccess directives you could experiment with:

    Allow login access from multiple IPs only:

    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.121$
    RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.122$
    RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
    RewriteRule ^(.*)$ - [R=403,L]
    </IfModule>

    Dynamic IP address access, limited by referrer (replace example\.com with your own domain name):

    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{HTTP_REFERER} !^https://(.*)?example\.com [NC]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    RewriteRule ^(.*)$ - [F]
    </IfModule>

    Restrict access to login, register & signup:

    ## Registration is disabled so...
    ## White-list your own IP address/es. Change the numbers!!
    ## Anchored and with escaped dots, so 1.1.1.1 does not also match e.g. 11.1.1.10
    RewriteCond %{REMOTE_HOST} !^1\.1\.1\.1$
    RewriteCond %{REMOTE_HOST} !^2\.2\.2\.2$
    ## Uncomment to deny access to wp-login.php
    # RewriteCond %{REQUEST_URI} wp-login\.php [NC,OR]
    # RewriteCond %{QUERY_STRING} wp-login\.php [NC,OR]
    # RewriteCond %{THE_REQUEST} wp-login\.php [NC,OR]
    ## Leave uncommented to deny access to wp-signup.php and wp-register.php
    RewriteCond %{REQUEST_URI} wp-signup\.php [NC,OR]
    RewriteCond %{QUERY_STRING} wp-signup\.php [NC,OR]
    RewriteCond %{THE_REQUEST} wp-signup\.php [NC,OR]
    RewriteCond %{REQUEST_URI} wp-register\.php [NC,OR]
    RewriteCond %{QUERY_STRING} wp-register\.php [NC,OR]
    RewriteCond %{THE_REQUEST} wp-register\.php [NC]
    RewriteRule .* - [F,NS,L]

    https://www.inmotionhosting.com/support/website/wordpress/lock-down-wordpress-admin-login-with-htaccess
    https://journalxtra.com/web-development/wordpress-security-hardening-htaccess-rules/

    Thread Starter frank tredici

    (@frank13)

    Thank you for taking time to offer an alternative @barnez.

    I guess I continue to struggle with why my OQ does do the job.

    Thread Starter frank tredici

    (@frank13)

    Given the .htaccess method for preventing login attacks does not work in WordPress Multi-site, here is the solution I came up with for anyone wishing to truly button down their WPMS Network:

    Step 1: create a script and upload it to ./wp-content/mu-plugins/. I called my script “loginBlocker.php”.

    Step 2: here is the loginBlocker.php script:

    <?php
    /**
     * Plugin Name: WordPress Network Login Access & Control
     * Plugin URI: https://example.com/
     * Description: Login request intercept used on all sites in the network.
     * Version: 1.0
     * Author: F.Tredici
     * Author URI: https://example.com/ftredici/
     * License: GPLU
     */
    
    function loginController_func() {
    
        $authorizedIPs = array(
            '123.456.789.012', // authorized user #1
            '987.654.321.098' // authorized user #2
        );
    
        if (!in_array($_SERVER['REMOTE_ADDR'], $authorizedIPs)) {
            wp_redirect( 'https://example.com/', 301 );
            exit;
        }
    
    }
    add_action('wp_authenticate', 'loginController_func'); // hook for wp-admin
    add_action('login_init', 'loginController_func'); // hook for wp-login all actions
    ?>

    Step 3: simply add the IP Address(es) for your authorized login sources to the $authorizedIPs array() and you’ll have better “peace” of mind.

    Good luck and happy hacker-blocking.
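    The same idea as the mu-plugin above and the .htaccess allowlists earlier in the thread, written out as an added example (this is not frank13's loginBlocker.php nor code from Wordfence or Sucuri). It validates each address with inet_pton, so an entry like 123.456.789.012 is rejected instead of silently never matching, accepts CIDR ranges for IPv4 and IPv6, and answers a denied request with a 403 rather than a cacheable 301 redirect. The plugin name, the function names and the allowlist entries (RFC 5737 / RFC 3849 documentation ranges) are assumptions for the example.

```php
<?php
/**
 * Plugin Name: Network Login IP Allowlist (example)
 * Description: Hypothetical mu-plugin: refuse wp-login.php and authentication
 *              requests from addresses outside an allowlist. Example code only.
 */

// Constructed allowlist: single addresses and CIDR ranges. The values are
// documentation ranges; replace them with your own authorised sources.
const LOGIN_ALLOWLIST = array(
    '192.0.2.10',      // single IPv4 address
    '198.51.100.0/24', // IPv4 range
    '2001:db8::/32',   // IPv6 range
);

/**
 * True when $ip lies inside $cidr ("a.b.c.d", "a.b.c.d/n" or the IPv6 forms).
 * inet_pton() returns false for malformed addresses, so typos in the list
 * fail closed rather than quietly allowing nothing or everything.
 */
function login_allowlist_ip_in_range( $ip, $cidr ) {
    $parts = explode( '/', $cidr, 2 );
    $net   = @inet_pton( $parts[0] );
    $addr  = @inet_pton( $ip );
    if ( false === $net || false === $addr || strlen( $net ) !== strlen( $addr ) ) {
        return false; // invalid address, or IPv4 compared against IPv6
    }
    $maxBits = strlen( $net ) * 8;
    $bits    = isset( $parts[1] ) ? (int) $parts[1] : $maxBits;
    if ( $bits < 0 || $bits > $maxBits ) {
        return false;
    }
    // Compare the whole prefix bytes first, then the high bits of the partial byte.
    $fullBytes = intdiv( $bits, 8 );
    if ( substr( $net, 0, $fullBytes ) !== substr( $addr, 0, $fullBytes ) ) {
        return false;
    }
    $remBits = $bits % 8;
    if ( 0 === $remBits ) {
        return true;
    }
    $mask = ( 0xFF << ( 8 - $remBits ) ) & 0xFF;
    return ( ord( $net[ $fullBytes ] ) & $mask ) === ( ord( $addr[ $fullBytes ] ) & $mask );
}

function login_allowlist_is_allowed( $ip, array $allowlist ) {
    foreach ( $allowlist as $entry ) {
        if ( login_allowlist_ip_in_range( $ip, $entry ) ) {
            return true;
        }
    }
    return false;
}

function login_allowlist_enforce() {
    // REMOTE_ADDR is the TCP peer. Behind a reverse proxy or CDN it is the
    // proxy's address; only trust a forwarded header if that proxy sets it.
    $ip  = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    $uri = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '';
    if ( login_allowlist_is_allowed( $ip, LOGIN_ALLOWLIST ) ) {
        return;
    }
    // Record the refusal in the web server's error log so denied attempts
    // remain visible even when no security plugin is installed.
    error_log( sprintf( 'login-allowlist: refused %s for %s', $ip, $uri ) );
    wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
}

if ( function_exists( 'add_action' ) ) {
    add_action( 'login_init', 'login_allowlist_enforce' );      // every wp-login.php action
    add_action( 'wp_authenticate', 'login_allowlist_enforce' ); // authentication started elsewhere
}
```

    Because this file lives in mu-plugins it is loaded on every site of the network without activation, which is the property the thread needed and that the per-site .htaccess rules did not deliver. A sanity check before deploying: call login_allowlist_is_allowed() from a throwaway script with your own address and with an address outside the list, and confirm the first returns true and the second false, so a malformed allowlist entry cannot lock the administrators out.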

    Thanks for sharing that! I’m glad you found a way to mitigate this

  • The topic ‘Preventing Login through Hardening WordPress’ is closed to new replies.