Recently, attacks on WordPress with the goal of stealing passwords have become very frequent. Attackers are requesting access to the file wp-login.php, respectively, the simplest method of protection would be to deny them all access to this file.<\/p>\n\n
There are several ways to do this:<\/p>\n\n
1) Close the file .htaccess for all IP addresses<\/strong><\/p>\n\n In the file .htaccess you need to write<\/p>\n\n <\/p>\n\n What it means:<\/p>\n\n <Files wp-login.php> – Rule for file wp-login.php order deny,allow – Defines the logic of work. You need to replace the address 1.2.3.4 with your IP address, which can be found here: https:\/\/tuthost.ua\/ip\/<\/a> or https:\/\/2ip.ua<\/a> 2) The second way is to rename the file wp-login.php<\/strong><\/p>\n\n 1.<\/strong> Rename the original wp-login.php to any other name, even to “4xqtbgkqs60.php”.<\/p>\n\n 2.<\/strong> Then replace all the words wp-login.php<\/em> with the new name, in our case 4xqtbgkqs60.php<\/em>, in the file 4xqtbgkqs60.php (old wp-login.php) and <\/em>in the file wp-includes\/general-template.php<\/em>.<\/p>\n\n 3.<\/strong> The final step is to completely restrict access to the file wp-login.php in .htaccess:<\/p>\n\n Lock access to a non-existent file wp-login.php is necessary because intruders will still be asking for it, and the engine will issue a 404 page (the file does not exist), which also creates a large load on the site.<\/p>\n\n Note, <\/strong>if you create a deny from all<\/strong> construct, make sure you have a 403.shtml<\/strong> file in the root of your site, if not, then create one. Otherwise, requests for error 403 will intercept wordpress and in this case the load on the site will not decrease.<\/p>\n<Files wp-login.php>\norder deny,allow\ndeny from all\nallow from 1.2.3.4\n<\/Files><\/code><\/pre>\n\n<Files wp-login.php>\nOrder Deny,Allow\nDeny from all\n<\/Files><\/code><\/pre>\n\n