How to prevent users to access wp admin and wp-login.php?

3
votes

I want restrict all users to access WordPress website login.

For example: Suppose I have WordPress website domain example1.com and I want to restrict all users to access admin login with example1.com/wp-admin and example1.com/wp-login.php.

When any user hits these url it redirect to restrict_user page and also I want to access wordpress login page with example1.com/user_login instead of hit example1.com/wp-admin and example1.com/wp-login.php urls.

And please suggest me how can i make my WordPress website more secure from hacking?

3
wordpressapachenginx
Did that solve your problem? If the problem resolved, please consider accepting and upvoting my answer. - Pmpr

3 Answers

1
votes

You can lock down the wp-admin page with htaccess deny all and hen setting an allowed ip.

order deny,allow
deny from all
allow from 127.0.0.1

You can also set a htpasswd file with allowed logins and password protect the page. I would also make sure your username in wp-admin is not something easy like 'admin' or 'editor'.

<IfModule mod_auth.c>
 AuthUserFile /home/path/.htpasswd
 AuthName "Username and password required"
 AuthType Basic
 <Limit GET POST>
  Require valid-user
 </Limit>
</IfModule>

Furthermore i would highly recommend wordfence as a good plugin for protection from hacks etc.

1
votes

Restricting access to wp-admin directory

Apache 2.4+

Add this snippet to your .htaccess file, created in wp-admin directory:

<RequireAny>
    Require ip 64.176.174.0/255.255.255.0
    Require ip 64.176.176.0/255.255.255.0
</RequireAny>

and add as many IP Address/Subnet Mask pairs, as you wish, regarding the client IP address you would like to have access to admin area. I have added two samples above.

Apache 2.4-

Add this snippet to your .htaccess file, created in wp-admin directory:

<Directory>
    Order Deny,Allow
    Deny from all
    Allow from 64.176.174.0/255.255.255.0
</Directory>

Restricting access to wp-login.php path

Add this snippet to you current theme's functions.php file:

function my_checkRole(){
    if( !( current_user_can( 'administrator' ) ) && !( defined('DOING_AJAX') && DOING_AJAX ) ){
        wp_redirect( site_url( 'restrict_user' ) );
        exit;
    }
}

add_action( 'admin_init', 'my_checkRole' );

Changing the wp-admin path

It is possible to change it, but why do you think that has any value at all? You cannot hide anything from a Bot - that is just not possible to do.

Hackers use automated Bot programs to find whatever they want to find.

A good approach is Action Approach:

hacker X does bad action Y and the result is Z = Forbidden.

So just use the presented method in Restricting access to wp-login.php path section and that will be OK.

0
votes

From nginx, using php7.0-fpm on Ubuntu 16.04LTS.

My base configuration I modified from: https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mysql-php-lemp-stack-in-ubuntu-16-04

I found a bunch of configs online that tried to combine wp-login.php and wp-admin into the same rule, but allowed wp-login.php to be raw downloadable! Granted, its a generic Wordpress file, but that is dangerous behaviour.

I've separated the rules, since wp-admin is a folder, anything accessed within will follow generic rules for images/php/etc. For wp-login.php I wanted to specifically replicate php execution. I've allows full internal network access to 10.x.x.x.

  location ~ wp-login\.php {
    allow 10.0.0.0/8
    deny all;
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
  }
  location /wp-admin/ {
    allow 10.0.0.0/8
    deny all;
    index index.php index.html index.htm;
    try_files $uri $uri/ /index.php?$args;
  }