7 Ways to Protect a WordPress Site from Getting Hacked

You have already taken the first step towards protecting your WordPress site from unauthorized access by reaching this page. Whether you are a beginner or an experienced blogger, you have to pay attention to the security side of your WordPress hosting. Otherwise, picture the scenario where you try to log in to your own website and the bloody thing refuses to recognize your login details O_o. Yes, this will definitely happen if you don't act now.

Why do you need to protect your WordPress site from unauthorized access?

You must understand this and secure your site before attackers target it. To help you understand the situation, I will tell you exactly what happened to me some days ago.

Once I tried to log in to my WordPress website's admin dashboard, but it had been locked down by my hosting company because attackers had tried to gain access to my website. Huh! What the heck? Yes, sometimes attackers use DDoS or Brute Force Attacks against websites to gain access. Here is how to save WordPress from Brute Force Attacks.

The Internet is one of the most amazing creations of human beings: people share lots of knowledge and life experience, share a laugh and do millions of good things, while at the same time other people steal data or money from innocent online users using various techniques. As a website owner you should be aware of this and protect yourself from this piece of shit, or stay calm, do nothing and be happy saying you are innocent and don't know how to secure your site. I will definitely try to help you get ready to fight against the odds. Today I will tell you how you can protect the WordPress login from unauthorized access or from attackers using the .htaccess file.

Prevention is better than cure (an ounce of prevention is worth a pound of cure).

I have split the whole guide into the sections below to help you understand and browse easily:

  1. Setting up your website on CloudFlare Network.
  2. Single IP access using htaccess.
  3. Multiple IP access using htaccess.
  4. Use htaccess to allow login access from your domain only.
  5. Restrict wp-config.php file access.
  6. Protect the .htaccess file itself from unauthorized access.
  7. Restrict access to the wp-content directory but allow only certain file types.

Set up your WordPress or self-hosted website on the Cloudflare network:

Cloudflare has a large network which will absorb most of the attacks on your website. Cloudflare filters spammers at the DNS level and so stops them before they reach your website. The interesting thing is that you get enterprise-class protection and CDN services FREE of cost. I recommend every beginner to set up their website on CloudFlare. Follow the guide below to set up Cloudflare:

How to setup Cloudflare for FREE: http://www.infysim.org/why-and-how-to-setup-cloudflare-for-wordpress-for-free/

Lock down the WordPress login to specific IP addresses only:

You must be logging in to your WordPress site using a WordPress desktop application or through your website's link in a browser. Wherever you access your site from, you need an internet connection and hence an IP address. The trick here is to allow WordPress logins from specific IP addresses only.

If you are using any DNS-level filtering or you have set up your website on CloudFlare, this method won't work: requests reach your server from the proxy's IP address rather than the visitor's, so REMOTE_ADDR never matches your own IP. In that case you need to set up an extra level of login using the htpasswd technique.

1. How to allow WordPress login from a single IP address in the .htaccess file:

Put the code below into your .htaccess file to allow access from a single IP address, and replace 123\.123\.123\.123 with your own IP address (keep the backslashes, which escape the dots in the regular expression):

# Requires mod_rewrite on the web server (not the browser); the block is skipped if the module is absent
<IfModule mod_rewrite.c>
RewriteEngine on
# Match requests for the login script or for the admin directory ...
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# ... and answer them with 403 unless they come from your own IP address
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

2. How to allow WordPress login from multiple IP addresses in the .htaccess file:

Add the following code to the .htaccess file to allow access from multiple IP addresses. Let's say the IP addresses from which you want to grant login access are 123.123.123.123, 234.234.234.234 and 12.12.12.12 (replace them with your own; one RewriteCond line per address).

So add the following code to the .htaccess file:

# Requires mod_rewrite on the web server (not the browser); the block is skipped if the module is absent
<IfModule mod_rewrite.c>
RewriteEngine on
# Match requests for the login script or for the admin directory ...
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# ... and answer them with 403 unless the client address is one of the allowed IPs
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteCond %{REMOTE_ADDR} !^234\.234\.234\.234$
RewriteCond %{REMOTE_ADDR} !^12\.12\.12\.12$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

3. How to protect WordPress by allowing login access only from your own domain:

Usually attackers run their login attempts against yoursite.com/wp-login.php using bots, which means the origin is unknown. So we can allow only the login attempts that come from your site itself. The point here is to allow the logins that originate from your own domain.
Sometimes you have multiple authors for your website, and adding every one of their IP addresses would be tiresome work. In that case you may instead restrict logins by referrer.

yoursite.com -> yoursite.com/wp-login.php

The line above shows yoursite.com/wp-login.php being reached from a page on yoursite.com. That is not what an attacker's system does: attackers jump straight to your yoursite.com/wp-login.php file and try a Brute Force Attack. Most Brute Force Attacks rely on sending direct POST requests right to your wp-login.php script. So here we restrict POST requests to those referred from your own domain, which helps weed out the bots attackers use. Keep in mind that the Referer header is supplied by the client and can carry any value, so this blocks careless bots rather than a determined attacker; treat it as a filter, not as authentication.
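To see what this referrer rule filters in practice, here is an added Python example (not code from the original post) that scans constructed Apache combined-format log lines for POSTs to wp-login.php arriving with no Referer or a Referer outside yoursite.com, and counts them per client IP; the sample lines and the domain yoursite.com are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format (not real traffic);
# yoursite.com stands in for the protected domain, as in the .htaccess rules.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "python-requests/2.5"
203.0.113.7 - - [10/Mar/2015:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "python-requests/2.5"
203.0.113.7 - - [10/Mar/2015:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "python-requests/2.5"
198.51.100.4 - - [10/Mar/2015:12:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "https://yoursite.com/" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2015:12:01:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://yoursite.com/wp-login.php" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2015:12:02:00 +0000] "POST /wp-login.php?redirect_to=1 HTTP/1.1" 200 1532 "http://other.example/" "curl/7.40"
192.0.2.9 - - [10/Mar/2015:12:02:30 +0000] "GET /wp-content/uploads/logo.png HTTP/1.1" 200 8812 "https://yoursite.com/" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Same anchoring as the RewriteCond: http or https, optional subdomain, then "/" or end of string.
SAME_SITE_RE = re.compile(r'^https?://([^/]+\.)?yoursite\.com(/|$)', re.I)

def parse_line(line):
    """Split one log line into its fields, or return None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious_login_posts(log_text):
    """Count, per client IP, the POSTs to wp-login.php with no Referer or a foreign Referer (what the rule would 403)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]  # drop any query string before matching
        if not path.endswith("/wp-login.php"):
            continue
        if rec["referer"] == "-" or not SAME_SITE_RE.match(rec["referer"]):
            counts[rec["ip"]] += 1
    return counts

def ips_over_threshold(log_text, threshold=3):
    """IPs with at least `threshold` suspicious login POSTs: candidates for blocking or closer review."""
    return sorted(ip for ip, n in suspicious_login_posts(log_text).items() if n >= threshold)
```

Running it over your real access log shows which clients the rule would have stopped and which legitimate logins (same-site Referer) it would have let through.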

To allow login access only from your own site, add the following lines to your .htaccess file and replace yoursite\.com with your actual domain name (again keeping the backslash):

<IfModule mod_rewrite.c>
RewriteEngine on
# Only the POST requests (the login form submission) are checked, as described above
RewriteCond %{REQUEST_METHOD} POST
# The Referer must be a page on your own domain, over http or https, optionally on a subdomain
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?yoursite\.com(/|$) [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]
</IfModule>

4. Protect the WordPress wp-config.php script from unauthorized access:

The wp-config.php file of a WordPress site contains the most sensitive access credentials, such as the database access details and the authentication keys. You can disable web access to wp-config.php by adding the following code to the .htaccess file:

# Deny access to the wp-config.php file (Apache 2.2 access-control syntax;
# on Apache 2.4 without mod_access_compat use "Require all denied" instead)
<files wp-config.php>
order allow,deny
deny from all
</files>

5. Protect the .htaccess file itself from unauthorized access:

There are several .htaccess files in a WordPress installation: one in the root directory of the WordPress installation, and possibly others in your wp-content and wp-admin directories. The idea here is to restrict all files whose names start with ".hta". Add the following lines to the .htaccess file in the root directory of your WordPress installation:

# Deny access to .htaccess itself and to any other file with ".hta" in its name (e.g. .htaccess.bak)
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>

6. Protect the WordPress wp-content directory but allow only certain file types such as CSS, HTML, JPG etc.:

The wp-content directory holds your media files (JPG and PNG images) as well as the plugin and theme files. So it is equally vital to restrict access to this directory while still allowing the files visitors need. Here is the code, for the .htaccess file inside wp-content, that blocks everything in wp-content except JPG, PNG and GIF images, CSS, JS and HTML files and a few document types:

# Put this in wp-content/.htaccess: deny every file type except the ones listed below
order deny,allow
deny from all

# Only allow the following file types to be accessed (the dot is escaped so it matches a literal ".")
# Test your site afterwards and add any other extensions your theme or plugins load from wp-content (e.g. woff, svg)
<files ~ "\.(xml|html?|css|js|jpe?g|png|gif|pdf|docx|rtf|odf|zip|rar)$">
allow from all
</files>

The list of ways to secure your WordPress website definitely does not end here, and there are many other .htaccess tricks. I am wrapping up this post here and will keep adding to it as I learn other ways to protect a WordPress site using the .htaccess file. If you have any other ideas in mind, feel free to fire off a comment.
