WordPress

Protecting WordPress's login with a secret cookie on Lighttpd

Even after installing a plugin like Login Lock you still get plenty of bots trying to log in to your WordPress site.

Another good habit is not to keep the default admin account when installing WordPress, but the bots will still hammer wp-login.php and slow the site down.

Smarter bots try to discover your real username first, from the author archive (whose URL exposes the login name) or other information scraped from the site.

The definitive way to stop this traffic is to restrict wp-login.php with an .htaccess rule that allows only your own IP address and blocks everyone else.

But what if you are on a dynamic IP address at home, or travelling and connecting from different locations?

With the solution below you use a secret cookie to grant yourself access to wp-login.php and block everyone else.

First of all add this to your lighttpd virtualhost configuration:

# Deny wp-login.php unless the request carries the secret cookie
$HTTP["url"] =~ "^/wp-login\.php" {
	$HTTP["cookie"] !~ "i-want-cookie" {
		url.access-deny = ( "" )
	}
}
# Same rule for the whole admin area
$HTTP["url"] =~ "^/wp-admin/" {
	$HTTP["cookie"] !~ "i-want-cookie" {
		url.access-deny = ( "" )
	}
}

Then prepare a secret PHP page, say give-me-cookie.php, that sets this cookie. The file name and the cookie name are the whole secret here, so pick names nobody can guess (anyone who finds the page gets the cookie). The PHP code:

<?php
// Name and value must match the server rule; path '/' makes the browser send it
// for /wp-login.php and /wp-admin/ wherever this file lives. Set the 'secure'
// flag (6th argument) to false if the site is not served over HTTPS.
setcookie('i-want-cookie', '1', time() + (86400 * 7), '/', '', true, true);
header('Location: /wp-login.php', true, 302);
exit;

Now, when you open give-me-cookie.php it sets the cookie in your browser and you are allowed to log in to your site; every other browser without the cookie gets an "HTTP 403 Forbidden". One caveat: /wp-admin/admin-ajax.php sits behind the same rule, and many themes and plugins call it for logged-out visitors, so add an exception for that path if your front end needs it.

In practice this stops almost all automated login attempts, because bots request wp-login.php directly and never visit the page that hands out the cookie.

Apache's Config

The same procedure works on Apache, if you are still using it: prepend the following to your main .htaccess file, so it runs before WordPress's own rewrite rules.

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    # Forbid wp-login.php unless the cookie i-want-cookie=1 is present
    RewriteCond %{HTTP_COOKIE} !i-want-cookie=1 [NC]
    RewriteRule ^wp-login\.php - [F]
    # Same for the admin area
    RewriteCond %{HTTP_COOKIE} !i-want-cookie=1 [NC]
    RewriteRule ^wp-admin - [F]
</IfModule>
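The Lighttpd and Apache rules above implement the same access policy, so here is a small Python model of that policy that you can run before touching a live server. This is an added example, not code from the original post. It differs from the rules above in two deliberate ways: it matches the cookie as an exact name=value pair with a long random value (the `!~ "i-want-cookie"` test in the Lighttpd rule is a substring match, satisfied by any cookie that merely contains that text), and it leaves /wp-admin/admin-ajax.php reachable for front-end plugins. The cookie name wp_gate, the DEMO_SECRET and the request list are constructed for the example.

```python
# Added example: a model of the cookie gate, not the page's own configuration.
# Assumptions not in the original post: exact name=value match, random secret,
# admin-ajax.php exempt, hypothetical cookie name "wp_gate".
import hmac
import secrets

COOKIE_NAME = "wp_gate"                          # hypothetical; choose your own
PROTECTED_PREFIXES = ("/wp-login.php", "/wp-admin/")
ALWAYS_ALLOWED = ("/wp-admin/admin-ajax.php",)   # front-end AJAX for anonymous visitors

# Constructed for the demo only; a real deployment generates one with gen_secret()
DEMO_SECRET = "3x7Kq9ZpL2mV8nR4tY6wB1cD5fG0hJsA"


def gen_secret(nbytes: int = 32) -> str:
    """Unguessable cookie value; URL-safe alphabet, so it needs no regex escaping."""
    return secrets.token_urlsafe(nbytes)


def parse_cookies(header: str) -> dict:
    """Split a Cookie: header into {name: value}; the first occurrence of a name wins."""
    jar = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name and name not in jar:
            jar[name] = value
    return jar


def has_secret(cookie_header: str, secret: str) -> bool:
    """Exact, constant-time comparison of the presented cookie value with the secret."""
    presented = parse_cookies(cookie_header).get(COOKIE_NAME, "")
    return hmac.compare_digest(presented.encode(), secret.encode())


def gate(path: str, cookie_header: str, secret: str) -> int:
    """Status the gate yields: 403 when denied, 200 when the request reaches WordPress."""
    if path.startswith(ALWAYS_ALLOWED):
        return 200
    if path.startswith(PROTECTED_PREFIXES) and not has_secret(cookie_header, secret):
        return 403
    return 200


def substring_gate(path: str, cookie_header: str) -> int:
    """The rule exactly as written on the page: deny unless the header contains the name."""
    if path.startswith(PROTECTED_PREFIXES) and "i-want-cookie" not in cookie_header:
        return 403
    return 200


def lighttpd_rule(secret: str) -> str:
    """Render a tightened Lighttpd rule (PCRE): whole name=value cookie, admin-ajax exempt."""
    pattern = f"(^|; ?){COOKIE_NAME}={secret}(;|$)"
    return (
        '$HTTP["url"] =~ "^/(wp-login\\.php|wp-admin/(?!admin-ajax\\.php))" {\n'
        f'    $HTTP["cookie"] !~ "{pattern}" {{\n'
        '        url.access-deny = ( "" )\n'
        "    }\n"
        "}\n"
    )


if __name__ == "__main__":
    # Constructed requests: (path, Cookie header)
    requests = [
        ("/wp-login.php", ""),                                  # bot, no cookie
        ("/wp-login.php", f"{COOKIE_NAME}={DEMO_SECRET}"),      # you, after give-me-cookie
        ("/wp-login.php", f"{COOKIE_NAME}=guess"),              # bot guessing the value
        ("/wp-admin/admin-ajax.php", ""),                       # anonymous front-end AJAX
        ("/wp-login.php", "tracking=i-want-cookie-please"),     # fools the substring rule
    ]
    for path, cookies in requests:
        print(f"{path:28} {cookies!r:45} exact={gate(path, cookies, DEMO_SECRET)} "
              f"substring={substring_gate(path, cookies)}")
    print(lighttpd_rule(DEMO_SECRET))
```

The last request in the demo shows why the value should be checked, not just the name: any cookie whose text happens to contain "i-want-cookie" satisfies the substring rule, while the exact match still returns 403.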

XML-RPC

If you don't use XML-RPC, block xmlrpc.php as well, or use a plugin to turn it off completely: it accepts a username and password on every call and is not covered by the rules above, so bots can keep brute-forcing through it.
At the moment I have not yet tested the WordPress mobile app with the cookie method above.