Securing WordPress login using https to specified IP Address

After having thousands of brute force attempt which some were using testcookies payload, I decided to add more security to this blog. Also using suggestion from my friend Kurnia Ramadhan, to force login and administration of this blog to https, but only allow the access to the https port / port 443 to specific IP address, I make some modification to the wp-config and the IPTABLES.

Now lets open the wp-config files, and add the following line before the comment tag “That’s all”

 

Whenever we want to login, we will be forced to redirect to the HTTPS page. Since HTTP and HTTPS were having diferent port, 80 and 443, it will reduce the bruteforce attempt. Because people usually only doing bruteforce to HTTP or port 80.

Now let’s make our rule in the IPTABLES to allow specific IP address to access the Port 443 / HTTPS, and block another IP address

 

Only specified IP address in the IPTABLES would open the HTTPS page.

And that’s the disadvantages if we only allow specific IP address from accessing our “Secure Page”. Problems will occur if someone tried to open our site in the HTTPS version, they will never can load the HTTPS version because their IP is not whitelisted.

 

We can try another method to secure our Wp-admin access to only specified IP Address, and shows 404 forbidden to another IP by modifying our Nginx configuration files like bellow :

 

2 Replies to “Securing WordPress login using https to specified IP Address”

    1. Akhirnya saya kembali ke solusi ke-2 mas 🙂
      Untuk pemakaian HTTPS sepertinya agak lambat, jadi sekarang saya rubah konfigurasi Nginx seperti semula, dan file wp-confignya saya balikin awal 😀

Leave a Reply

Your email address will not be published. Required fields are marked *