Wordpress and protecting wp-admin and wp-login.php

Hello,

I’m currently having problems with hardening the security on a Wordpress installation.
Usually I protect the folder wp-admin and the file wp-login.php with a HTTPauth protection via .htaccess.
I’m using a long and complicated password (20 characters minimum).
Some nice documentation about how to protect Wordpress this way can be found here:
http://endlessgeek.com/2014/02/wordpress-password-protect-wp-admin-directory/
So, before I can login into Wordpress, I need to enter an additional username/password.

All in all this works very well; I tested getting into the Wordpress login page, and I need to enter the password I put into .htaccess.
Now the problem:
For testing, I usually use the “Limit Login” plugin in Wordpress. The plugin logs every login that is attempted via the login page (wp-login.php).
Actually it shouldn’t record any log at all, because we have this additional password protection via .htaccess.
But from time to time it logs that there are some login attempts from different IPs.

I’m not sure how this can happen, since access into the admin and login area in Wordpress is protected via .htaccess.
So, my question is, how can that happen? Does anyone have a guess?

Thanks so much,
Thomas

I know absolutely zero about WordPress or its plugins, so take this for what it’s worth…

First, and probably most obvious, are the .htaccess files themselves protected?

Secondly, your description is a little confusing…are you saying that you need to enter a username and password before you even see the admin login page?
If so, perhaps consider just blocking all unauthorized IP addresses from accessing the directory, rather than having them login to it.
By forcing them to login first, you are essentially telling the world “Hey, you found the administration center”,
in which case they can just view the source from a default WP install, create their own form on their remote server, and bypass the pre-login authorization.
Or at the very least, have the admin login page first verify that the “pre-login” was completed successfully, before it shows or processes the real admin login page.

Hi,
thanks for your answer.

Yes, the htaccess files are protected with:
<FilesMatch "(\.htaccess|\.htpasswd)">
Order deny,allow
Deny from all
</FilesMatch>

About your second question, let me go into detail:
Wordpress has two possibilities to get into the WP (Wordpress) admin:
First the file wp-login.php located in the root.
Second the folder /wp-admin/
Regardless of which of these is entered into the browser, you get into the WP-admin where you enter user/pass.

Since a lot of bots crawl WP installations worldwide and try to brute-force the WP-admin, it is recommended (by the Wordpress community) to protect the wp login and the wp-admin with a htaccess password. That is because if there is another brute-force attack, the blocking happens on the server side, not at the wp login level.

Thomas

Use the Chap Secure Login plugin: more functions are assigned to the random hash code string password, and then it proceeds to confirm the legitimacy of the account with the CHAP protocol.

To install the plugin, go to Add Plugins and type in the search: Chap Secure Login.

I’ve been using this plugin:

It adds login limits, blocks, and bans. Plus a whole boatload of other things for assisting in locking down a WordPress site.

IMHO, you don’t need special plugins (of questionable origin) if you use a VERY strong password.

Regards,

DK

You can do it as follows:
open the .htaccess file and paste the code below:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
# No <Limit GET> wrapper here: that would restrict GET requests only and leave
# POST requests (which is what the login form submits) unrestricted.
order deny,allow
deny from all
# whitelist Syed's IP address
allow from xx.xx.xx.xxx
# whitelist David's IP address
allow from xx.xx.xx.xxx
# whitelist Amanda's IP address
allow from xx.xx.xx.xxx
# whitelist Muhammad's IP address
allow from xx.xx.xx.xxx
# whitelist Work IP address
allow from xx.xx.xx.xxx

Substitute your own IP address in the position of xx.xx.xx.xxx. This means that only the listed IP addresses have access to the files in the wp-admin folder. Therefore, safety is almost absolute.

That’s done, now you can rest assured I got you!
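One way to check, from the web server's access log, whether login attempts are actually stopped by the HTTP auth layer (a 401 response) or reach WordPress, where a plugin like Limit Login would see them. This is an added Python example, not code from the thread; the log lines are constructed, and xmlrpc.php is included on the assumption that it also accepts WordPress credentials (the thread does not mention it).

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache "combined" log format (not from the thread).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2015:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2015:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2015:10:02:10 +0000] "GET /wp-admin/ HTTP/1.1" 401 381 "-" "curl/7.38"
198.51.100.7 - - [10/Mar/2015:10:02:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/7.38"
192.0.2.44 - - [10/Mar/2015:10:03:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.5"
192.0.2.44 - - [10/Mar/2015:10:03:01 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "python-requests/2.5"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Paths the thread puts behind HTTP auth, plus xmlrpc.php, which also accepts
# WordPress credentials (assumption: the thread does not mention it).
LOGIN_PATHS = ("/wp-login.php", "/wp-admin/", "/xmlrpc.php")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec


def login_path_summary(log_text):
    """Per (method, path) on a login path: count requests stopped by HTTP auth
    (401) versus requests that reached WordPress (any other status)."""
    summary = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(LOGIN_PATHS):
            continue
        outcome = "blocked" if rec["status"] == 401 else "passed"
        summary[(rec["method"], rec["path"])][outcome] += 1
    return {key: dict(counts) for key, counts in summary.items()}


if __name__ == "__main__":
    for (method, path), counts in sorted(login_path_summary(SAMPLE_LOG).items()):
        if counts.get("passed"):
            print(f"{method} {path}: {counts['passed']} request(s) reached WordPress")
```

A POST to wp-login.php that answers anything but 401 while the GET answers 401 is the signature of an auth rule that only covers GET, which is exactly the case a `<Limit GET>` wrapper produces.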