How we locked down our WordPress web sites, but in one move drastically improved server performance.
Keeping in mind that the most common attack against WordPress is password brute-forcing, why not stop it in its tracks by blocking access to wp-admin?
By blocking all access to WordPress Admin except from known IP addresses, the attacks are stopped before they start, and server performance improves as well, because the server no longer has to process millions of login attempts.
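One way to implement this on Apache 2.4 with .htaccess files, added here as an illustration and not the original post's configuration; the addresses 203.0.113.10 and 198.51.100.0/24 are placeholders for your own admin addresses:

```apache
# --- .htaccess in the WordPress root directory ---
# wp-login.php is the file brute-force tools actually POST to, so it needs
# the same restriction as the wp-admin directory. Placeholder addresses;
# replace with the addresses your administrators really connect from.
<Files "wp-login.php">
    # Multiple Require lines in one section are combined as "any of these".
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
</Files>

# --- .htaccess inside the wp-admin/ directory ---
# Everything under wp-admin/ is reachable only from the listed addresses.
<RequireAny>
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
</RequireAny>

# Assumption: themes and plugins on the public site call
# wp-admin/admin-ajax.php for anonymous visitors, so that one file is
# re-opened; otherwise front-end features can silently break.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

If the site sits behind a CDN or reverse proxy, Apache sees the proxy's address rather than the visitor's, so mod_remoteip (or the equivalent) must be configured before these rules will match the intended clients. Test from an address outside the list before relying on it, so a forgotten office address does not lock the administrators out.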
Great For
- Small business web sites
- Less than 10 admin users
- Most web sites
Not For
- Forums
- Intranets
- Any site that has multiple admin users
How They Attack
The most common attack against WordPress users is brute-forcing the password of an account to gain access to the WordPress back-end.
Other ways a password can be compromised include sniffing it in clear text over an HTTP login session, or even capturing the credentials with a keylogger on the WordPress administrator's workstation.
Accounts with administrator-level access are the most sought after because of the amount of mischief an admin user can get up to; adding PHP command shells or malicious JavaScript directly through the admin interface are common examples.