Lock the WordPress admin login with .htaccess
You can lock down the WordPress admin login with .htaccess rules to prevent unwanted login attempts.
If your access to WordPress is being blocked because of brute force attacks against it, this will help.
Limit WordPress admin login attempts
The following steps help you restrict login to the WordPress admin area by IP address or by referrer.
- Log in to your cPanel account.
- Find the Files category and click File Manager.
- Click Settings at the top right.
- Select the Document Root for your domain and make sure the checkbox next to Show Hidden Files is checked. Click the Save button.
- Locate the .htaccess file and right-click it. An Edit option appears in the menu.
- A text editor encoding dialog box may pop up; you can simply click Edit.
- There are a few ways to restrict access to your WordPress admin section using this .htaccess file.
These rules should be placed at the very top of your .htaccess file to function properly.
Restrict WordPress admin access via:
- Secondary WordPress admin .htaccess password (recommended if your IP changes)
- A single IP address
- Multiple IP addresses
- Trusted referrers
Single IP address access
Check your IP first to find the public IP address your computer connects from; that is the address the server sees in REMOTE_ADDR.
If you are using CloudFlare or a DNS-level filtering service, this method won't work, because the server sees the proxy's address instead of yours; set up a secondary WordPress .htaccess password for protection instead.
To allow access from a single IP address, replace 123\.123\.123\.123 with your own IP address:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
Multiple IP address access
As above, check your IP first to find each public IP address you connect from.
As above, this method won't work behind CloudFlare or a DNS-level filtering service; set up a secondary WordPress .htaccess password for protection instead.
To allow access from multiple IP addresses, replace 123\.123\.123\.xxx with your own IP addresses:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.121$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.122$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
Dynamic IP address access, limit by referer
If your IP address changes, you can protect your WordPress site by only allowing login requests that come directly from your own domain name. Simply replace example\.com with your own domain name.
Most brute force attacks send POST requests straight to your wp-login.php script without ever loading the login page, so requiring a POST request to carry your domain as the referrer helps weed out such bots. The Referer header is supplied by the client, so treat this as a filter for unsophisticated bots rather than as authentication.
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^https?://(.*)?example\.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]
</IfModule>
- Wait at least 15-20 minutes, then try to log in to your WordPress site again. If you try to access the WordPress dashboard within the 15-minute window of a block, this can extend the block.
It's important to wait for the previous block to expire and be patient before attempting to access your WordPress site again.
You should now be blocking unauthorized WordPress admin login attempts utilizing .htaccess rules.
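To check what the three rule sets above allow and deny before editing a live .htaccess, here is an added example that is not part of this article and not an Apache component: a small Python model of how mod_rewrite evaluates a RewriteCond chain (the implicit AND between conditions, the [OR] grouping, the leading "!" negation and the NC flag), run against constructed requests. The Request and Cond classes, and every IP address, URI and domain in it, are constructed test values; the referrer variant accepts http or https. Apache's own matching is authoritative, so use this only to reason about rule order before deploying.

```python
import re
from dataclasses import dataclass


@dataclass
class Request:
    """One incoming request, reduced to the server variables the rules read.
    All fields are constructed test data; Referer is whatever the client sent."""
    uri: str
    remote_addr: str
    method: str = "GET"
    referer: str = ""


@dataclass
class Cond:
    """One RewriteCond line: %{variable}, pattern (leading '!' negates), flags."""
    variable: str
    pattern: str
    flags: tuple = ()


def server_var(req: Request, name: str) -> str:
    return {"REQUEST_URI": req.uri, "REMOTE_ADDR": req.remote_addr,
            "REQUEST_METHOD": req.method, "HTTP_REFERER": req.referer}[name]


def cond_matches(cond: Cond, req: Request) -> bool:
    negate = cond.pattern.startswith("!")
    pat = cond.pattern[1:] if negate else cond.pattern
    re_flags = re.IGNORECASE if "NC" in cond.flags else 0
    hit = re.search(pat, server_var(req, cond.variable), re_flags) is not None
    return hit != negate


def conds_pass(conds, req: Request) -> bool:
    """Mirror mod_rewrite's condition loop. Conditions are ANDed, except that a
    condition carrying [OR] forms a group with the ones after it up to and
    including the first condition without [OR]; the group passes as soon as one
    member matches, and the remaining members are then skipped unevaluated."""
    i = 0
    while i < len(conds):
        cond = conds[i]
        ok = cond_matches(cond, req)
        if "OR" in cond.flags:
            if ok:
                while i < len(conds) and "OR" in conds[i].flags:
                    i += 1          # skip the rest of the OR group ...
                i += 1              # ... and the non-[OR] condition that closes it
            else:
                i += 1              # this member failed; try the next one
        elif not ok:
            return False            # a plain AND condition failed: rule does not fire
        else:
            i += 1
    return True


# The three rule sets from the article, transcribed as condition lists.
# The RewriteRule fires (403) exactly when conds_pass() is True.
URI_IS_LOGIN = Cond("REQUEST_URI", r"^(.*)?wp-login\.php(.*)$", ("OR",))
URI_IS_ADMIN = Cond("REQUEST_URI", r"^(.*)?wp-admin$")


def single_ip_rules(allowed_ip: str):
    return [URI_IS_LOGIN, URI_IS_ADMIN,
            Cond("REMOTE_ADDR", "!^" + re.escape(allowed_ip) + "$")]


def multi_ip_rules(allowed_ips):
    return [URI_IS_LOGIN, URI_IS_ADMIN] + [
        Cond("REMOTE_ADDR", "!^" + re.escape(ip) + "$") for ip in allowed_ips]


def referer_rules(domain: str):
    # http or https, so an HTTPS site's own users are not locked out
    return [Cond("REQUEST_METHOD", "POST"),
            Cond("HTTP_REFERER", r"!^https?://(.*)?" + re.escape(domain), ("NC",)),
            URI_IS_LOGIN, URI_IS_ADMIN]


def is_denied(conds, req: Request) -> bool:
    """True when the rule set would answer 403 to this request."""
    return conds_pass(conds, req)


if __name__ == "__main__":
    # Constructed requests: 123.123.123.123 is the trusted address, 10.0.0.5 is not.
    cases = [
        ("single IP", single_ip_rules("123.123.123.123"), Request("/wp-login.php", "123.123.123.123")),
        ("single IP", single_ip_rules("123.123.123.123"), Request("/wp-login.php", "10.0.0.5")),
        ("single IP", single_ip_rules("123.123.123.123"), Request("/wp-admin/", "10.0.0.5")),
        ("referrer", referer_rules("example.com"), Request("/wp-login.php", "10.0.0.5", "POST", "")),
        ("referrer", referer_rules("example.com"), Request("/wp-login.php", "10.0.0.5", "POST",
                                                            "https://example.com/wp-login.php")),
    ]
    for label, rules, req in cases:
        print(f"{label:10} {req.method:4} {req.uri:16} from {req.remote_addr:16} "
              f"-> {'403' if is_denied(rules, req) else 'allowed'}")
```

Two things the model makes visible: the "!" on the REMOTE_ADDR lines means every trusted address is tested as "is not this one", which is why the multi-IP set needs one line per address and all of them must fail to deny; and `^(.*)?wp-admin$` only matches a URI that ends exactly in wp-admin, so `/wp-admin/` and pages beneath it are not covered by that condition and the wp-login.php condition is doing the real work against brute force.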