I've been running my web server and WordPress site nearly a couple of years now. My goto plugins for protection are:
Antispam Bee - Which allows me to leave blogs open for comments, in case someone would ever want to ask something or start a discussion. However, I've found I only seem to get SPAM bots. Having to check all the messages is a pain, so I've also changed the WordPress settings to automatically close comments on articles older than 10 days.
Shield - If the term "hackers" means anything to you, then this is "the security plugin" you need to have. Just look at the number of attempts to access my site.
Recently the login attempts seemed to have been spiralling upwards. With this many automated attempts, you can't feel safe, and I've been thinking for a while, it's only a matter of time until they find a zero-day vulnerability.
So, this week I decided to block my wp-admin folder where the admin area of WordPress is, this is using the Apache web servers basic authentication with the .htaccess file. What I didn't realise, is that there are some functions there which are needed by other parts of my site such as the booking system. Thankfully, someone was kind enough to inform me about the problem 😉
When I googled this, I found plenty of sites with blogs titled "Don’t Use a Password Protection on wp-admin Folder", but it is possible.
AuthType Basic AuthName "Restricted Content" AuthUserFile /var/www/clouded.ch/html/.htpasswd Require valid-user <Files admin-ajax.php> Order allow,deny Allow from all Satisfy any </Files> <Files admin-post.php> Order allow,deny Allow from all Satisfy any </Files> <Files "\.(css|gif|png|js)$"> Order allow,deny Allow from all Satisfy any </Files>
For the above .htaccess code, you only need to update the location of the AuthUserFile. I would use the official Apache documentation to create your htpasswd file. However, it is as simple as running the command.
htpasswd -c /var/www/clouded.ch/html/.htpasswd neil