OK, this is rather simple but very effective. You can use Apache's .htaccess access-control directives to limit access to the WordPress admin subdirectory (/wp-admin) and to the wp-login.php file.
Let's sort out the /wp-admin control panel area first.
1. First, SSH to your host; in this example I am using a Debian-based distribution (Ubuntu).
2. Change directory to /var/www/html/wp-admin
3. Run ls -la to list hidden files (an .htaccess file may already exist there). Then run nano .htaccess
4. The text editor nano will load. Configure the .htaccess file like so:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
# Apply to every HTTP method: wrapping these directives in <Limit GET> would
# leave POST (and every other method) unrestricted. On Apache 2.4 the
# Order/Deny/Allow directives need mod_access_compat; the native 2.4 form is
# "Require all denied" plus one "Require ip x.x.x.x" line per address.
order deny,allow
deny from all
# whitelist Home address
allow from x.x.x.x
# whitelist Work address
allow from x.x.x.x
5. Replace x.x.x.x with your source IP addresses. The limitation here is that you need a static address from which you'll administer your WordPress site. However, I think this is a small adjustment to make considering the bot networks and automated attacks going on! I have set it for two trusted locations (home and work).
To do the same for the wp-login.php file:
1. cd to /var/www/html/
2. Run nano .htaccess to edit (or create) the file, and add the following to it:
# Limit Logon to Source IP for wp-login.php
<Files wp-login.php>
order deny,allow
Deny from all
# Whitelist From Home
allow from x.x.x.x
# Whitelist From Work
allow from x.x.x.x
</Files>
3. Replace x.x.x.x with your source IP addresses as you did for the /wp-admin directory. This block is scoped with a <Files> match, so it applies specifically to wp-login.php rather than to the whole directory.
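Both snippets above rely on the same Apache mechanism: `order deny,allow`, a blanket `deny from all`, and one `allow from` line per trusted address. Before committing a whitelist to a live server it is worth checking offline that it does what you expect, both for the /wp-admin block and for the wp-login.php `<Files>` block. The following is an added example (not code from the original post) that models how Apache's mod_access / mod_access_compat resolves those directives for a given client address and HTTP method. The sample .htaccess bodies and the 203.0.113.10 / 198.51.100.0/24 addresses standing in for x.x.x.x are constructed placeholders from the documentation ranges; only IP and CIDR forms of `Allow`/`Deny` are modelled, not hostnames or partial addresses.

```python
"""Added example: model Apache's Order/Deny/Allow (mod_access_compat) semantics so an
.htaccess IP whitelist can be sanity-checked offline. Only IP and CIDR forms of
Allow/Deny are modelled; hostname and partial-IP forms are not."""
import ipaddress
import re

# Constructed sample: the /wp-admin snippet with the <Limit GET> wrapper, and the
# x.x.x.x placeholders filled with documentation-range addresses (assumed values).
WP_ADMIN_LIMIT_GET = """\
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
# whitelist Home address
allow from 203.0.113.10
# whitelist Work address
allow from 198.51.100.0/24
</LIMIT>
"""

# Constructed sample: the same whitelist with no <Limit> wrapper (all methods).
WP_ADMIN_ALL_METHODS = "\n".join(
    line for line in WP_ADMIN_LIMIT_GET.splitlines()
    if not line.lower().startswith(("<limit", "</limit"))
)

# Constructed sample: the wp-login.php <Files> block with the same placeholders.
WP_LOGIN_FILES = """\
# Limit Logon to Source IP for wp-login.php
<Files wp-login.php>
order deny,allow
Deny from all
# Whitelist From Home
allow from 203.0.113.10
#Whitelist From Work
allow from 198.51.100.0/24
</Files>
"""


def parse_access_rules(text):
    """Extract (order, deny_specs, allow_specs, methods) from an .htaccess body.

    methods is None when the rules sit outside any <Limit ...> section, meaning
    they apply to every HTTP method; otherwise it is the set of methods named
    (Apache treats a GET limit as covering HEAD as well).
    """
    order, deny, allow, methods = "deny,allow", [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        limit = re.match(r"<limit\s+([^>]+)>", line, re.IGNORECASE)
        if limit:
            methods = {m.upper() for m in limit.group(1).split()}
            if "GET" in methods:
                methods.add("HEAD")
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "order" and len(parts) == 2:
            order = parts[1].lower()
        elif key in ("deny", "allow") and len(parts) >= 3 and parts[1].lower() == "from":
            (deny if key == "deny" else allow).extend(parts[2:])
    return order, deny, allow, methods


def _matches(client, spec):
    """True if an Allow/Deny spec ('all', a single IP, or a CIDR) covers the client."""
    if spec.lower() == "all":
        return True
    try:
        return client in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False  # hostname / partial-IP specs are not modelled here


def is_allowed(client_ip, method, rules):
    """Apply Apache's Order semantics to a single request."""
    order, deny, allow, methods = rules
    if methods is not None and method.upper() not in methods:
        return True  # outside the <Limit> scope the rules simply do not apply
    client = ipaddress.ip_address(client_ip)
    denied = any(_matches(client, s) for s in deny)
    allowed = any(_matches(client, s) for s in allow)
    if order == "deny,allow":
        # Deny is evaluated first; a matching Allow overrides it; default is allow.
        return allowed or not denied
    if order == "allow,deny":
        # Allow is evaluated first; a matching Deny overrides it; default is deny.
        return allowed and not denied
    raise ValueError(f"unsupported Order value: {order}")


def audit(text, client_ip, methods=("GET", "POST")):
    """Map each HTTP method to whether client_ip gets through the given snippet."""
    rules = parse_access_rules(text)
    return {m: is_allowed(client_ip, m, rules) for m in methods}


if __name__ == "__main__":
    for name, text in (("limit-get", WP_ADMIN_LIMIT_GET), ("all-methods", WP_ADMIN_ALL_METHODS)):
        for ip in ("203.0.113.10", "198.51.100.77", "192.0.2.5"):
            print(name, ip, audit(text, ip))
```

Running it shows two things the snippets alone do not: with `<Limit GET>` a non-whitelisted address is refused on GET but not on POST, whereas without the wrapper every method is refused; and flipping `order deny,allow` to `order allow,deny` makes `deny from all` win over the whitelist and locks out your own addresses, which is why the order in the post matters.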
I hope this helps other WordPress enthusiasts keep the bad guys out!