Best way to block bots/humans from trying to hack into your WordPress running on IIS10
I am using the Wordfence security plugin on WordPress, highly recommended, even the free version. Its live traffic view showed a steady stream of hits from Africa, France, Russia and elsewhere, all aimed at the same handful of paths: wp-admin, wp-login.php and xmlrpc.php. That is no coincidence. These are the standard targets for automated attacks on WordPress: wp-login.php for password guessing, xmlrpc.php for the same thing in bulk (its system.multicall method lets one request try many passwords) and for abusing the pingback feature, and wp-admin because it is where a stolen login gets used. Whoever it was knew what they were trying to do. So here are the steps to block bots and humans from reaching those paths on IIS 10, by allowing only your own IP address.
First – Access your IIS Manager
Once you have it open, expand your WordPress site in the Connections pane and drill down to the content you want to block.
- Click the site itself if you want the restriction on the whole site (a restriction set on a parent directory is inherited by everything below it).
- Right-click the site name > Switch to Content View > select the wp-admin folder, then click Switch to Features View so you see the features for that folder rather than for the site.
- Double-click IP Address and Domain Restrictions. If the icon is not there, the feature is not installed: add the IP and Domain Restrictions role service (Web Server > Security, or Install-WindowsFeature Web-IP-Security from PowerShell) and come back.
Once this is open, click "Edit Feature Settings..." in the Actions pane and, in the pop-up, set Access for unspecified clients to Deny. The same dialog has two settings worth a look: Deny Action Type, which decides what a blocked client gets back (Forbidden, the 403 default, or Unauthorized, Not Found, or Abort Request, which simply drops the connection), and Enable Proxy Mode, which you need if the site sits behind a reverse proxy or a CDN such as Cloudflare, because otherwise every request appears to come from the proxy's address and the restriction blocks everyone or no one.
Click OK. At this point the folder is closed to everybody, including you, so the next step is to add your own IP address as an approved address: click Add Allow Entry... in the Actions pane.
You will need your public IP address, the one your network presents to the Internet, not the private 192.168.x.x or 10.x.x.x address of your PC. Go to https://www.google.com/search?q=whatsmyip and copy the address shown.
Enter it into the Specific IP address field. If several people work from one office, the IP address range option with a subnet mask lets you allow the whole network with a single entry. If your server and browser are also reachable over IPv6, add that address too: an entry only matches the exact address family it names.
Now you should be all set. Bad bots and humans outside your network cannot reach those files any more. If other people need to edit or work on the WordPress site, add their addresses manually or set up a VPN so that they arrive from an address you have already allowed.
Now test it: pull out your phone, switch off Wi-Fi so it uses the mobile network (a different public IP) and try to open the folder.
www.yoursite.com/wp-admin should show an error, a 403 Forbidden page with the default deny action. 🙂
Then reconnect to your Wi-Fi and confirm that wp-admin loads again.
*One thing to note: if you have a dynamic IP, you will need to update the allow entry whenever your Internet Service Provider swaps out your IP address. If that happens often, allowing your ISP's range or going through a VPN with a fixed address is less painful than being locked out of your own site.
The same steps can be applied to individual files, wp-login.php and xmlrpc.php: in Content View select the file instead of a folder and repeat the procedure. Two caveats before you lock down everything: themes and plugins call wp-admin/admin-ajax.php from the public front end, so blocking the whole wp-admin folder can break features for anonymous visitors (you can re-open that one file with its own, more permissive rule), and the WordPress mobile apps and Jetpack talk to the site through xmlrpc.php, so only block it if nothing you use depends on it.
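The whole procedure above, expressed as the configuration IIS stores rather than as clicks. This is an added example, not from the original post: a web.config placed at the WordPress site root that restricts wp-admin, wp-login.php and xmlrpc.php to listed clients and re-opens wp-admin/admin-ajax.php. The addresses 203.0.113.10 and 198.51.100.0/24 are placeholders from the RFC 5737 documentation ranges; substitute your own.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- web.config at the WordPress site root (added example, placeholder addresses).
     The site root itself carries no ipSecurity element, so public pages keep working. -->
<configuration>

  <!-- The admin folder: allow only the listed clients, 403 everyone else.
       denyAction="Forbidden" is the default; NotFound or AbortRequest hide the
       existence of the folder from scanners instead. -->
  <location path="wp-admin">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="false" denyAction="Forbidden">
          <!-- your public IPv4 address (placeholder) -->
          <add ipAddress="203.0.113.10" allowed="true" />
          <!-- a whole office network, allowed with a mask instead of one address (placeholder) -->
          <add ipAddress="198.51.100.0" subnetMask="255.255.255.0" allowed="true" />
          <!-- behind a reverse proxy or CDN, add enableProxyMode="true" to the
               ipSecurity element above so the X-Forwarded-For client address is
               checked instead of the proxy's own address -->
        </ipSecurity>
      </security>
    </system.webServer>
  </location>

  <!-- Optional: re-open admin-ajax.php, which themes and plugins call from the
       public front end. The more specific location overrides the parent folder. -->
  <location path="wp-admin/admin-ajax.php">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="true" />
      </security>
    </system.webServer>
  </location>

  <!-- Same rule for the login page. -->
  <location path="wp-login.php">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="false" denyAction="Forbidden">
          <add ipAddress="203.0.113.10" allowed="true" />
          <add ipAddress="198.51.100.0" subnetMask="255.255.255.0" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>

  <!-- And for XML-RPC. Drop this location if the mobile apps or Jetpack need it. -->
  <location path="xmlrpc.php">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="false" denyAction="Forbidden">
          <add ipAddress="203.0.113.10" allowed="true" />
          <add ipAddress="198.51.100.0" subnetMask="255.255.255.0" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>

</configuration>
```

One thing to know before you drop this file in: the ipSecurity section is locked at the server level by default (overrideModeDefault="Deny" in applicationHost.config). That is why IIS Manager, when you follow the clicks above, writes the same settings into applicationHost.config under a location such as `<location path="YourSite/wp-admin">` rather than into the site's web.config. If you would rather keep the rules in web.config so they deploy with the site, unlock the section once with `%windir%\system32\inetsrv\appcmd.exe unlock config -section:system.webServer/security/ipSecurity`; until you do, a web.config containing ipSecurity makes the whole site fail with a 500.19 configuration error. After deploying, repeat the phone test from above: wp-admin and wp-login.php should return 403 from the mobile network, while a front-end page that posts to admin-ajax.php should still work.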