Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
I am trying to add a small piece of code that secures wp-login.php by adding a parameter to the URL, e.g. mydomain.com/wp-login.php?myparam=1234
Please don’t modify that file. Pain, suffering and other forms of madness await you when you edit files that ship with WordPress; it’s really a bad idea.
*Drinks more coffee*
Have you considered one of the many security plugins instead?
https://ww.wp.xz.cn/plugins/search.php?q=security
That may accomplish the same thing without modifying core WordPress files.
I already had that modification code in wp-login.php, and it worked perfectly; I forgot to save it when I updated the WP version.
Most security plugins I've seen won't block the login page in such a simple way.
Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
Why not put that section in your .htaccess file in the root directory of your WordPress installation?
Try this (untested) at the top of that .htaccess file.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^wp-login\.php$
RewriteCond %{QUERY_STRING} !^myparam=1234$
RewriteRule ^wp-login\.php - [F]
</IfModule>
If a request comes for wp-login.php and that query string is not there, then the server will return a 403. You may need to change wp-login\.php to /wp-login\.php; I've not tested this myself.
Even better, but unfortunately it doesn't work with this syntax.
Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
I probably got it a little off; I didn't test it. I'll take a poke at it tonight and see if I can get the syntax correct.
If it does work then that would be good as that will survive WordPress updates.
This is what I got working.
# BEGIN only allow access to login if query is correct
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^.*?wp-login\.php.*$
# Special secret query key
RewriteCond %{QUERY_STRING} !^.*?myparam=1234.*$
# Needed to complete the login process (the login form POSTs back to wp-login.php with the key in the Referer)
# Note: the host pattern below matches an 8-14 character host name and a /wp/ install directory; adjust it for your site
RewriteCond %{HTTP_REFERER} !^https?:\/\/([a-z]|\.){8,14}\/wp\/wp-login\.php\?.*?myparam=1234.*$
# Allow admin area login pop
RewriteCond %{HTTP_REFERER} !^https?:\/\/([a-z]|\.){8,14}\/wp\/wp-login\.php\?interim-login=1$
RewriteCond %{HTTP_REFERER} !^https?:\/\/([a-z]|\.){8,14}\/wp\/wp-admin.*$
# Needed for easy reset password process
RewriteCond %{QUERY_STRING} !^action=lostpassword$
RewriteCond %{QUERY_STRING} !^checkemail=confirm$
RewriteCond %{QUERY_STRING} !^action=rp&key=.*?&login=.*?$
RewriteCond %{QUERY_STRING} !^action=rp$
# Needed to be able to logout
RewriteCond %{QUERY_STRING} !^action=logout&_wpnonce=([a-z]|\d){10}$
# Return "Access Forbidden"
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
# END only allow access to login if query is correct
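To see how the rule set above actually decides, here is an added example (not code from the thread or from WordPress) that models the condition chain in Python. Every RewriteCond is ANDed with the others, so each negated condition is an exception that lets a request through, and the rule fires only when none of them match. The site host and install path are assumptions (example.com and /wp, standing in for the fixed-length host pattern in the original); the regular expressions are otherwise the ones from the .htaccess. One caveat worth keeping in mind: three of the exceptions key off the Referer header, which is supplied by the browser, so this gate is best understood as a way to cut automated noise against wp-login.php rather than as an authentication factor; strong passwords and login rate limiting still matter.

```python
import re

# Constructed site parameters (assumptions, not from the thread).
SITE_HOST = "example.com"
WP_PATH = "/wp"

_host = re.escape(SITE_HOST)
_path = re.escape(WP_PATH)

# Rule only applies to requests for wp-login.php.
LOGIN_PATH_RE = re.compile(r"^.*?wp-login\.php.*$")

# Exception 1: the secret key is present in the query string.
KEY_IN_QUERY_RE = re.compile(r"^.*?myparam=1234.*$")

# Exceptions 2-4: Referer-based allowances (login form POST, interim login
# popup, navigation from the admin area). Referer is client-supplied.
REFERER_EXCEPTIONS = [
    re.compile(rf"^https?://{_host}{_path}/wp-login\.php\?.*?myparam=1234.*$"),
    re.compile(rf"^https?://{_host}{_path}/wp-login\.php\?interim-login=1$"),
    re.compile(rf"^https?://{_host}{_path}/wp-admin.*$"),
]

# Exceptions 5-9: password reset flow and logout.
QUERY_EXCEPTIONS = [
    re.compile(r"^action=lostpassword$"),
    re.compile(r"^checkemail=confirm$"),
    re.compile(r"^action=rp&key=.*?&login=.*?$"),
    re.compile(r"^action=rp$"),
    re.compile(r"^action=logout&_wpnonce=([a-z]|\d){10}$"),
]


def should_forbid(request_uri: str, query_string: str, referer: str = "") -> bool:
    """Return True when the .htaccess chain would answer 403 for this request.

    request_uri is the path only (Apache's REQUEST_URI has no query string);
    query_string and referer may be empty, as they are in Apache when absent.
    """
    if not LOGIN_PATH_RE.match(request_uri):
        return False                      # not wp-login.php: rule never fires
    if KEY_IN_QUERY_RE.match(query_string):
        return False                      # key present: allowed
    if any(p.match(referer) for p in REFERER_EXCEPTIONS):
        return False                      # Referer exception: allowed
    if any(p.match(query_string) for p in QUERY_EXCEPTIONS):
        return False                      # reset/logout flow: allowed
    return True                           # all conditions true: 403


# Constructed sample requests, labelled for the summary.
SAMPLE_REQUESTS = [
    ("login page, no key", "/wp/wp-login.php", "", ""),
    ("login page with key", "/wp/wp-login.php", "myparam=1234", ""),
    ("login POST, key in Referer", "/wp/wp-login.php", "",
     "https://example.com/wp/wp-login.php?myparam=1234"),
    ("lost password", "/wp/wp-login.php", "action=lostpassword", ""),
    ("logout with valid nonce", "/wp/wp-login.php",
     "action=logout&_wpnonce=ab12cd34ef", ""),
    ("logout with short nonce", "/wp/wp-login.php",
     "action=logout&_wpnonce=abc", ""),
    ("registration attempt", "/wp/wp-login.php", "action=register", ""),
    ("front page", "/wp/index.php", "", ""),
]


def decisions():
    """Map each sample label to 403 or 200 for a quick review of the rule set."""
    return {label: (403 if should_forbid(uri, qs, ref) else 200)
            for label, uri, qs, ref in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for label, status in decisions().items():
        print(f"{status}  {label}")
```

Run it directly to get a one-line verdict per sample request; change SITE_HOST and WP_PATH to match the site whose .htaccess you are reviewing, and add rows to SAMPLE_REQUESTS for any flow you are not sure the rule set lets through.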
Yep, that's a keeper!!
Thanks Ulrich