Last Reviewed and Updated on November 20, 2024
Introduction
WordPress is one of the most popular content management systems (CMS), which also makes it one of the most targeted platforms for cyberattacks. In shared hosting environments, where multiple websites reside on the same server, safeguarding the /wp-admin/ panel is crucial. This article outlines practical steps to secure the WordPress admin area from brute-force attacks and bot scanning through deny rules, Fail2Ban, and rate limiting.
Understanding the Threats to /wp-admin/
Brute-Force Attacks
Brute-force attacks occur when an attacker systematically attempts to guess login credentials (username and password) by trying different combinations. WordPress is a frequent target for such attacks, especially since it’s widely used.
Bot Scanning
Bots are automated scripts that scan websites for vulnerabilities, including outdated WordPress versions, vulnerable plugins, and other common attack points. These bots often target the /wp-admin/ area to attempt to gain unauthorized access to the backend of WordPress sites.
Securing /wp-admin/ with Deny Rules
Why Deny Rules Are Important
Deny rules are a powerful way to restrict access to the /wp-admin/ area by blocking certain IPs or ranges from accessing this sensitive part of your site. This method reduces the potential attack surface and limits the exposure of your WordPress admin panel to malicious entities.
How to Implement Deny Rules in Apache (for cPanel)
- Locate the .htaccess file in the root directory of your WordPress installation.
- Add the following code to block specific IPs or ranges. The order matters: with Order allow,deny the Allow is evaluated first and a matching Deny then wins, so the listed range is refused and everyone else is admitted (with Order deny,allow, a trailing Allow from all would override the Deny and let the range straight through):
<Files wp-login.php>
    Order allow,deny
    Allow from all
    Deny from 192.168.1.0/24
</Files>
- This will block any IP in the range 192.168.1.0/24 from accessing the WordPress login page. You can also block a single IP by listing that address instead of a range.
How to Implement Deny Rules in Nginx (for Plesk)
- Edit the Nginx configuration file: /etc/nginx/conf.d/your-site.conf
- Add the following configuration to restrict access to /wp-admin/ (Nginx checks allow/deny directives in order and the first match wins, so the deny must come before allow all):
location ~* /wp-admin/ {
    deny 192.168.1.0/24;
    allow all;
}
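Added example (not part of this article): a small Python model of how the two access-control mechanisms above decide a request, so the effect of directive order can be checked before touching a live vhost. It implements the documented Apache Order semantics and Nginx's first-match rule; the function names are mine.

```python
import ipaddress

def _matches(ip, rules):
    """True when ip falls inside any CIDR in rules; the keyword 'all' matches everything."""
    addr = ipaddress.ip_address(ip)
    return any(r == "all" or addr in ipaddress.ip_network(r) for r in rules)

def apache_allowed(order, allow_from, deny_from, ip):
    """Model of the Apache Order directive (mod_access_compat semantics).

    deny,allow: Deny is evaluated first; a later Allow match overrides it,
                and clients matching neither are permitted.
    allow,deny: Allow is evaluated first; a later Deny match overrides it,
                and clients matching neither are refused.
    """
    allowed, denied = _matches(ip, allow_from), _matches(ip, deny_from)
    if order == "deny,allow":
        return allowed or not denied
    if order == "allow,deny":
        return allowed and not denied
    raise ValueError(f"unknown Order value: {order}")

def nginx_allowed(rules, ip):
    """Model of ngx_http_access_module: rules are checked in sequence,
    the first matching allow/deny decides, and no match means allowed."""
    for action, cidr in rules:
        if _matches(ip, [cidr]):
            return action == "allow"
    return True

# The article's rules, expressed as data (192.168.1.0/24 is the article's example range).
APACHE_ALLOW = ["all"]
APACHE_DENY = ["192.168.1.0/24"]
NGINX_RULES = [("deny", "192.168.1.0/24"), ("allow", "all")]
```

With Order deny,allow the blocked range is still admitted because Allow from all overrides the Deny; Order allow,deny and the Nginx block both refuse it while admitting other addresses.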
Using Fail2Ban for Bot and Brute-Force Prevention
What is Fail2Ban and How It Helps
Fail2Ban is an intrusion prevention framework that helps secure your server by blocking IP addresses that exhibit malicious behavior, such as multiple failed login attempts. It works by scanning log files for suspicious activity and then blocking the attacking IP.
Configuring Fail2Ban for WordPress
- Install Fail2Ban if it’s not already installed:
sudo apt-get install fail2ban
- Create a custom filter for WordPress: edit or create the file /etc/fail2ban/filter.d/wordpress.conf with the following contents:
[Definition]
# Count only POST requests to wp-login.php (actual login submissions).
# Matching GET as well would count every visit to the login page, including
# legitimate administrators simply loading the form.
failregex = ^<HOST> -.*"POST .*/wp-login\.php
ignoreregex =
- Update the Fail2Ban jail configuration: open /etc/fail2ban/jail.local and add:
[wordpress]
enabled = true
port = http,https
filter = wordpress
logpath = /var/log/apache2/*access.log
maxretry = 5
bantime = 600
findtime = 600
- Restart Fail2Ban to apply the new settings:
sudo systemctl restart fail2ban
Testing Fail2Ban
To ensure that Fail2Ban is working as expected, attempt to log in with incorrect credentials multiple times and verify that your IP appears in the jail's banned list by querying its status:
sudo fail2ban-client status wordpress
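Added example (not part of this article): a Python re-implementation of what the jail above does to an access log, so the filter and the maxretry/findtime pair can be checked offline against sample lines before relying on a live ban. The regex is the article's filter restricted to POST with fail2ban's <HOST> tag replaced by a named group (simplified from fail2ban's own expansion); the log lines are constructed, and the helper names are mine.

```python
import re
from datetime import datetime, timedelta

# Article's failregex (POST only), <HOST> expanded to a capturing group roughly
# as fail2ban does it: an optional IPv4-mapped-IPv6 prefix, then the address.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"
FAILREGEX = re.compile(r"^" + HOST + r' -.*"POST .*/wp-login\.php')
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")
MAXRETRY, FINDTIME = 5, 600   # values from the article's jail.local

def parse_line(line):
    """Return (host, timestamp) when the line matches the filter, else None."""
    m = FAILREGEX.match(line)
    ts = TS_RE.search(line)
    if not m or not ts:
        return None
    return m.group("host"), datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S")

def banned_hosts(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """A host is banned once it has maxretry matches inside any findtime-second
    window, which is how the jail's counter behaves on a live log."""
    window, hits, banned = timedelta(seconds=findtime), {}, set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, when = parsed
        recent = [t for t in hits.get(host, []) if when - t <= window] + [when]
        hits[host] = recent
        if len(recent) >= maxretry:
            banned.add(host)
    return banned

def _line(ip, ts, req):
    return f'{ip} - - [{ts} +0000] "{req} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

# Constructed sample access-log lines, not real traffic.
SAMPLE_LOG = (
    # six POSTs inside one minute: exceeds maxretry within findtime
    [_line("198.51.100.7", f"20/Nov/2024:10:00:{s:02d}", "POST /wp-login.php")
     for s in range(0, 60, 10)]
    # one GET of the form plus two POSTs: never reaches maxretry
    + [_line("203.0.113.9", "20/Nov/2024:10:01:00", "GET /wp-login.php"),
       _line("203.0.113.9", "20/Nov/2024:10:01:05", "POST /wp-login.php"),
       _line("203.0.113.9", "20/Nov/2024:10:01:30", "POST /wp-login.php")]
    # five POSTs eleven minutes apart: five hits, but never five within 600 s
    + [_line("192.0.2.44", f"20/Nov/2024:10:{11 * k:02d}:00", "POST /wp-login.php")
       for k in range(5)]
)

if __name__ == "__main__":
    print(sorted(banned_hosts(SAMPLE_LOG)))   # ['198.51.100.7']
```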
Implementing Rate Limiting for /wp-admin/
What is Rate Limiting and Why It’s Crucial
Rate limiting involves restricting the number of requests a user can make to a particular resource, such as the /wp-admin/ login page, within a specified time period. This helps prevent brute-force attacks by slowing down attackers and making it more difficult for them to guess credentials.
Rate Limiting in Apache (for cPanel)
- Edit the .htaccess file and add the following rules. Note that mod_rewrite cannot count requests, so this rule does not throttle by request rate: it answers every /wp-admin request from any address other than your trusted IP with HTTP 429, which in effect restricts the admin area to that address:
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^/wp-admin
    # Dots escaped and the pattern anchored so only this exact address is exempt
    RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
    RewriteRule ^(.*)$ - [R=429,L]
</IfModule>
- Replace 123.123.123.123 with your trusted IP address.
Rate Limiting in Nginx (for Plesk)
- Add the following directives to your Nginx configuration file (limit_req_zone belongs in the http context, limit_req in the server or location block):
limit_req_zone $binary_remote_addr zone=wp_admin_limit:10m rate=1r/s;
server {
    location /wp-admin/ {
        limit_req zone=wp_admin_limit burst=5 nodelay;
    }
}
Additional Best Practices for /wp-admin/ Security
Two-Factor Authentication (2FA)
Enable two-factor authentication (2FA) to add an extra layer of security to the WordPress login process. Many plugins, such as Google Authenticator, offer easy integration for 2FA.
Changing the Default Login URL
Consider changing the default WordPress login URL (wp-login.php) to something custom. This helps hide the login page from automated bots that typically scan for /wp-login.php.
Regularly Updating WordPress and Plugins
Always keep your WordPress installation, themes, and plugins up to date. Enable automatic updates to ensure that your website is patched against the latest vulnerabilities.
Conclusion
Securing the WordPress admin panel is essential for maintaining a secure shared hosting environment. By using deny rules, Fail2Ban, and rate limiting, you can significantly reduce the likelihood of attacks. Remember to follow additional best practices, such as enabling 2FA and changing the login URL, to strengthen your site’s defenses further.