We host a number of Wordpress websites, and we manage servers for other agencies hosting Wordpress websites too. Out of the box, Wordpress isn't exactly the most secure of frameworks, so we have a go-to set of plugins to help lock these websites down, as well as a number of server-side mechanics that secure both Wordpress and other websites from attack.
One of the best things that you can do to help secure a Wordpress website, or any website really, is restrict admin panel access to a specific country allowlist. Strong passwords and use of 2FA mechanisms can really help to keep individual logins safe, but most Wordpress attacks work by exploiting security holes which allow them to create entirely new administrator accounts, so securing the legitimate accounts is only half of the battle. If your legitimate administrators only ever log in from within a couple of countries, then there's absolutely no point in opening the login mechanics up to the remaining 240+ countries. Disable login for the majority of the world, and you'll make it much more difficult for malicious bots to find their entry point.
Our go-to toolkit of security plugins already included plugins for restricting the Wordpress admin panel to specific countries, but all of the available plugins for this which we've been using require manual management of an IP-to-country database. License restrictions prevent the plugin developers from shipping a copy of this database with the Wordpress plugin, and since IPs move around all of the time, these databases quickly become outdated and thus need replacing regularly. Furthermore, most of the available plugins are, in our view, too cumbersome, adding all sorts of features and settings which most websites don't really need. We prefer plugins that add minimal footprint to a website, and do their job with minimal set-up or maintenance.
Since we already host an IP lookup API which returns, among other things, the country an IP belongs to, and since this API already updates its own databases often, it seemed a no-brainer to build our own Admin Country Allowlist plugin for Wordpress, using this API and local caching to quickly determine the country that an individual is from before presenting them with a login page. Results are remembered for 7 days, and the API was built to be super responsive anyway, so this approach doesn't add any noticeable delay to the login process or actual admin panel usage.
The plugin cleans up its own cache too, deleting files after 7 days to prevent excessive growth, and the plugin itself consists of only a single 17KB script, making it potentially the most lightweight and efficient Wordpress admin country allowlist plugin available.
Simply install and activate our Admin Country Allowlist plugin, generate an access key for it via our API Console, and you're done! The plugin will automatically determine your own country and prevent access to both the admin panel and the Wordpress XMLRPC mechanism to anybody outside of your country, and you can easily add other countries to the list.
If there's any issue with API communication or your access key, the plugin will email you and allow access to the login page as normal. Otherwise, if the country can be determined and isn't a country in your allowlist, the plugin will respond with an HTTP 403 Forbidden response, and the login form won't be presented. For requests where the country can be determined and is in your allowlist, the login page will show as normal.
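As an added illustration of the behaviour described above (not the plugin's own code), the following PHP shows how the login, admin panel and XML-RPC checks, the 7-day cache and the fail-open-with-email path can be wired into WordPress. The lookup URL, access key, allowed country values and the `country_code` response field are assumptions, and a WordPress transient stands in for the plugin's file cache.

```php
<?php
// Allowed ISO 3166-1 alpha-2 codes. Sample values; the real plugin detects the owner's country itself.
const ACA_ALLOWED_COUNTRIES = ['GB', 'IE'];
// Placeholder endpoint and key: the real URL and key come from the API Console, not this example.
const ACA_LOOKUP_URL = 'https://api.example.invalid/lookup/';
const ACA_ACCESS_KEY = 'REPLACE_WITH_ACCESS_KEY';
// Country code for $ip, or null if it cannot be determined. A transient stands in for the 7-day file cache.
function aca_lookup_country(string $ip): ?string {
    $cache_key = 'aca_country_' . md5($ip);
    $cached = get_transient($cache_key);
    if ($cached !== false) {
        return $cached;
    }
    $url = ACA_LOOKUP_URL . rawurlencode($ip) . '?key=' . rawurlencode(ACA_ACCESS_KEY);
    $response = wp_remote_get($url, ['timeout' => 5]);
    if (is_wp_error($response) || wp_remote_retrieve_response_code($response) !== 200) {
        return null; // network failure or rejected key
    }
    // Assumed response shape {"country_code": "GB"}; adjust to the real API's field name.
    $data = json_decode(wp_remote_retrieve_body($response), true);
    if (!is_array($data) || empty($data['country_code'])) {
        return null;
    }
    $country = strtoupper($data['country_code']);
    set_transient($cache_key, $country, WEEK_IN_SECONDS);
    return $country;
}
// True when the request may proceed. Fails open on lookup errors, as the post describes.
function aca_request_allowed(): bool {
    $ip = $_SERVER['REMOTE_ADDR'] ?? ''; // only the real client behind a proxy/CDN if the server rewrites it
    $country = aca_lookup_country($ip);
    if ($country === null) {
        wp_mail(get_option('admin_email'), 'Admin Country Allowlist: lookup failed', "Country for {$ip} unknown; access allowed.");
        return true;
    }
    return in_array($country, ACA_ALLOWED_COUNTRIES, true);
}
// Login page and admin panel: 403 with no login form for countries outside the allowlist.
function aca_enforce_allowlist(): void {
    if (wp_doing_ajax() || aca_request_allowed()) {
        return; // admin-ajax.php also serves front-end visitors, so leave it alone
    }
    wp_die('Forbidden', 'Forbidden', ['response' => 403]);
}
add_action('login_init', 'aca_enforce_allowlist');
add_action('admin_init', 'aca_enforce_allowlist');
// XML-RPC: disable the authenticated methods for the same countries.
add_filter('xmlrpc_enabled', fn(bool $enabled): bool => $enabled && aca_request_allowed());
```

Because a lookup failure lets the request through, the notification email is what tells you the allowlist is not being enforced, so it is worth routing it somewhere that is actually read.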
Blog posts are written by individuals and do not necessarily depict the opinions or beliefs of QWeb Ltd or its current employees. Any information provided here might be biased or subjective, and might become out of date.