What is the best method to close off the backend?

The goal: Completely remove the ability to access the WordPress backend on the production domain. Ex. return a 404 for http://example.com/wp-admin

Purpose: I don’t want any possibility of WordPress’ backend being accessed across the Internet. Instead, it will only be accessible via VPN on an internal domain (i.e. http://example.internal/wp-admin). This ensures that no one could ever brute force attack the login page.

I could restrict logins to a given IP address, but I don’t want to keep up with a list of IPs. I’d prefer to use the security my VPN already offers.

Consider that wp-admin still has to be accessible in some fashion because there could be resources that the frontend calls.

Are there any solutions beyond redirecting wp-login.php somewhere else?


If you know the sub-net of your VPN you could restrict access to /wp-admin via .htaccess using standard Apache rules.

# <Directory> is only valid in httpd.conf / the vhost config; in a .htaccess
# placed inside wp-admin/ use the four inner directives on their own.
<Directory /var/www/wp-admin/>
  # With "Order deny,allow" the default is to allow, so an explicit
  # "Deny from all" is required or the Allow lines have no effect.
  Order deny,allow
  Deny from all
  Allow from 192.168.1.0/24
  Allow from 127
</Directory>

Obviously you’d need to adjust the directory and IP address subnet to suit your needs.

To restrict access to a specific file:

# Replace _FILE_.php with the file to protect, e.g. wp-login.php.
<Files _FILE_.php>
    Order allow,deny
    Deny from all
    Allow from 127.0.0.1
</Files>

Again you can use a sub-net mask to suit your VPN.
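As an added example (not part of the answer above), the same restriction written for Apache 2.4's mod_authz_core (`Require` replaces the mod_access_compat `Order`/`Allow`/`Deny` lines), with the two things a real deployment needs: re-opening wp-admin/admin-ajax.php, which frontend themes and plugins commonly call, and covering wp-login.php, which lives in the site root rather than under wp-admin. It assumes DocumentRoot /var/www and VPN subnet 192.168.1.0/24 as in the answer, and that Apache sees client addresses directly (no reverse proxy in front of it, otherwise REMOTE_ADDR is the proxy).

```apache
# Added example: Apache 2.4 vhost configuration (not valid inside .htaccess
# because of the <Directory> container). Adjust the path and subnet.

<Directory /var/www/wp-admin/>
    # Only the VPN subnet and the local host may reach anything under wp-admin.
    Require ip 192.168.1.0/24
    Require ip 127.0.0.1 ::1

    # The public frontend usually needs admin-ajax.php; a <Files> section
    # nested here re-opens just that one file to everyone. Add further
    # <Files> exceptions for any other wp-admin resource your theme loads.
    <Files "admin-ajax.php">
        Require all granted
    </Files>
</Directory>

# wp-login.php sits in the site root, not under wp-admin, so it needs its
# own rule; otherwise the login form stays reachable from the Internet.
<Directory /var/www/>
    <Files "wp-login.php">
        Require ip 192.168.1.0/24
        Require ip 127.0.0.1 ::1
    </Files>
</Directory>

# Optional: the question asks for a 404 instead of the 403 that "Require"
# produces. mod_rewrite can answer 404 for non-VPN clients before the
# request reaches the directory rules, hiding that the path exists at all.
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.
RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$
RewriteCond %{REQUEST_URI} !^/wp-admin/admin-ajax\.php$
RewriteRule ^/?(wp-admin(/.*)?|wp-login\.php)$ - [R=404,L]
```

After reloading Apache, check from outside the VPN with `curl -I http://example.com/wp-admin/` (expect 404) and `curl -I http://example.com/wp-admin/admin-ajax.php` (expect 400 or 200, not 403/404), then repeat from a VPN address to confirm the backend is still reachable.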
