Hat tip to @norcross for this login page security code. I can’t claim any credit for it, but it deserves to be shared. I’ve recommended using a login monitoring plugin before. On WP Engine, Limit Login Attempts is a mandatory plugin. I’ve had a client with a problem recently: someone on her IP address keeps attempting, and failing, to log in, and that is creating a lockout for her valid attempts.
The natural solution is to block the login screen. Unfortunately, in this case, blocking the IP address in the .htaccess file won’t help, because that is my client’s IP address. As usual, I posed the situation to my Twitter crowd and got an elegant solution in minutes from @norcross – seriously, if you’re not following Andrew Norcross, you are missing out.
Place the following code in your theme’s (or child theme’s) functions.php file and find/replace each “question” and each “answer” with your own words. It’s safe to assume that this will block 99.999999999% of attempts to access your login page since bots don’t look for such addresses and it adds an additional wall to break through. If you’ve got excellent hosting with proper permissions and firewalls, this locks your dashboard down – hard. To read more about the various types of hosting, check out my page on hosting.
/*
 * Check the URL of the WordPress login
 * page for a specific query string
 *
 * assumes login string is
 * http://www.your-site.com/wp-login.php?question=answer
 */
add_action( 'login_init', 'login_stringcheck' );
function login_stringcheck() {
	// set the location a failed attempt goes to
	$redirect = 'http://www.google.com/';

	// already authenticated: let logout and other login-page
	// actions by a logged-in user through
	if ( is_user_logged_in() ) {
		return;
	}

	// the login form posts back to wp-login.php without the query string,
	// so a correct answer is remembered in a cookie and accepted on later requests
	if ( isset( $_COOKIE['login_stringcheck'] ) && hash_equals( 'answer', (string) $_COOKIE['login_stringcheck'] ) ) {
		return;
	}

	// missing query string altogether, or incorrect value for it (constant-time compare)
	if ( ! isset( $_GET['question'] ) || ! is_string( $_GET['question'] ) || ! hash_equals( 'answer', $_GET['question'] ) ) {
		wp_redirect( esc_url_raw( $redirect ), 302 );
		exit; // without exit, the login page would still render after the redirect header
	}

	// correct answer: remember it for the rest of the login flow (one hour, HttpOnly cookie)
	setcookie( 'login_stringcheck', 'answer', time() + HOUR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
}
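The login form posts back to wp-login.php, and the "Lost your password?" link is built, without the ?question=answer string, so requests in the middle of the login flow would hit the same check. As an added example (not part of @norcross’s snippet or the original post; the function names are mine and it assumes the same "question" and "answer" words as login_stringcheck()), these filters append the secret to just those URLs so the check passes on the POST as well:

```php
/*
 * Added example, not part of the original snippet: append the secret to the
 * login-flow URLs that WordPress itself builds (form action, lost-password link).
 * Replace "question" and "answer" with the same words used in login_stringcheck().
 */
function login_stringcheck_add_secret( $url ) {
	// add_query_arg keeps any query string already on the URL (e.g. action=lostpassword)
	return add_query_arg( 'question', 'answer', $url );
}

// wp-login.php builds its form actions with site_url( 'wp-login.php...', 'login_post' );
// only rewrite URLs for that scheme and path so nothing else on the site is touched
add_filter( 'site_url', 'login_stringcheck_form_action', 10, 3 );
function login_stringcheck_form_action( $url, $path, $scheme ) {
	if ( 'login_post' === $scheme && false !== strpos( $path, 'wp-login.php' ) ) {
		return login_stringcheck_add_secret( $url );
	}
	return $url;
}

// the "Lost your password?" link is only rendered on the (already gated) login page
add_filter( 'lostpassword_url', 'login_stringcheck_add_secret', 10, 1 );
```

Do not hook login_url the same way: wp_login_url() feeds public-facing links such as the Meta widget and comment forms, which would publish the secret to everyone, bots included.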