Block External Access to "wp-admin"

chrisathome

I am looking for a way to block any external access to my wordpress admin/login page.
Can anyone make a recommendation on a rule to package that will get this done?

Thank you!

Gertjan

You can block them.
But easily not with pfSense as a firewall.

There are several wordpress "fail2ban" plugins that dumps failed authentication to the world's most classic log file : /var/log/auth.log

Feb  3 17:20:59 ns311465 wp(my-domain-using-wp.tld)[28863]: Authentication failure for admin from 137.74.169.241
Feb  3 17:20:59 ns311465 wp(my-domain-using-wp.tld)[28863]: XML-RPC authentication failure from 137.74.169.241

You also need the fail2ban package for the OS used, on your web server.
fail2ban will analyse your auth.log, your web server logs, your mail server logs your ftp server logs, your ......... and test (regex) these logs for lines that should ticker the blocking of the offender.
Like out "137.74.169.241" above.
fail2ban is capable generating iptables rules if a rule triggered.

fail2ban would work fine on pfSEnse, as it can handle "pf", the pfSense firewall ...... but : the pf firewall is handled by the GUI only, and fail2ban can't handle the GUI .

Btw : on a typical mail web whatever server - the one I have, there isn't even a firewall. Because : you don't need one. Still, a initial empty "pass all, for INPUT, OUPUT and FORWARD firewall" exists (my default iptables mentioned above) and it's filled with a block -hostrule if some one tries and fails several times - like the very popular access to mine and your- site.fr /wp-admin

This is the result. At any time I have a couple of thousands of IP banned, for a couple of days or so.
Since the end of last year, IPv6 also showq up now.

SteveITS

Snort/Suricata may block repeated login failures. I'm pretty sure that's available in the "web server" rules. We also have fail2ban on the servers we host.

I would not be surprised if there was a WordPress plugin to limit access by IP address. Another consideration might be MFA, for instance https://duo.com/docs/wordpress is free for under 10 users.

But overall a firewall blocks traffic by IP or port, not URL. Possibly a reverse proxy like HAProxy?

jimp

You would have to run things through a proxy like HAProxy to inspect the URLs first, or (better) block them in your web server configuration. It's most likely possible in your web server to deny access to the URLs by source address.

Less overhead than haproxy, less to go wrong, and more likely to work.

SteveITS

@teamits said in Block External Access to "wp-admin":

if there was a WordPress plugin to limit access by IP address

Ran across this today (haven't tried): https://wordpress.org/plugins/secure-admin-ip/