Our security guy showed me how to harvest editor names Wordpress. This combined with the known location of the login page makes the site susceptible to script kiddies plying their wares. A simple way to combat this is to create a redirect page somewhere and then restricting access to wp-login.php to visits coming from that page. I borrowed this idea from here. To implement this, I created my redirect page and added the following to the .htaccess file for the site.
# protect wp-login.php
Files wp-login.php (wrap in angle brackets)
Order deny,allow
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://www.mywebplace.com/wp-content/uploads/anoddname.html$ [NC]
RewriteRule .* - [F]
/Files (wrap in angle brackets)
These lines are interpreted like this:
- for all files called wp-login.php
- default to deny
- If the HTTP_Referrer is not anoddname.html
- don't rewrite the page, but return Forbidden HTTP code
I then created 'anoddfilename.html' and added a meta-redirect like this:
META HTTP-EQUIV="refresh" CONTENT="0;URL=http://www.mywebplace.com/wp-login.php"
These changes worked as expected. The site was fine, but to login you have to visit the site by hitting anoddname.html first. There is one problem. You cannot logout form the site. That's because to logout you call wp-login.php again with ?action=logout appended to the url. Since you are on a page other then AnOddName.html at the time, you are forbidden from getting to the wp-login.php
To fix this, I added two more lines to the .htaccess file
RewriteCond %{QUERY_STRING} ^action=logout [NC]
RewriteRule .* - [L]
With these lines added, .htaccess now checks first to see if you are calling with "?action=logout" Query_String. If so, it does not rewrite and stops. The complete .htaccess section is now:
# protect wp-login.php
Files wp-login.php (wrap in angle brackets)
Order deny,allow
RewriteEngine on
RewriteCond %{QUERY_STRING} ^action=logout [NC]
RewriteRule .* - [L]w
RewriteCond %{HTTP_REFERER} !^http://www.mywebplace.com/wp-content/uploads/tbirdsarego.html$ [NC]
RewriteRule .* - [F]
/Files (wrap in angle brackets)
;){kind=link}
;){kind=link}