This post is also available in: 日本語 (Japanese)
Brute Force Attacks « WordPress Codex
It does not introduce in this article, but it is also such as settings to allow access only specified IP address.
Article becomes longer when I write the details of the IP address, I write only those that can be operated easily for the time being.
For more content, please refer to the above [Brute Force Attacks « WordPress Codex].
In addition, in a separate article How to secure WordPress(wp-login/admin.php) with Basic Authentication, a method of applying a simple lock in the Basic authentication to admin.php and wp-login.php also wrote. Please study the above.
If a problem occurs (such as can not upload image) with [.htaccess] appended to the code below, please delete the code.
But, the following code because it is content to protect the security of the minimum required, it is recommended to think in the direction of solving the problem.
Limit the access to wp-config.php
wp-config.php file is the basic configuration of wordpress.
# protect wp-config.php <Files wp-config.php> order allow,deny deny from all </Files>
Limit the access to .htaccess
Role of the .htaccess file because there are many, the damage is greater when it is cracking.
#protect .htaccess <Files ~ "^\.ht"> Order allow,deny Deny from all </Files>
Limit the access to xmlrpc.php
There is likely to be the springboard of a DoS attack using the pinback.
In the case of the update of wordpress only from the management screen of the PC, security will increase more if you add the code below.
Because it is the code to block access to xmlrpc.php, you will not be able to update from the smartphone and external blog editor using xmlrpc.php. Please note
If you need to use the xmlrpc.php absolutely, there is a method that allow access only specified IP address.
# protect xmlrpc.php <Files xmlrpc.php> Order Deny,Allow Deny from all </Files>