Prevent access to your WordPress backend

How to prevent unauthorized people from reaching your WordPress backend.

You will find tonnes of tutorials about how to make your website safer. Here I just want to tell you what I do on my own sites to decide who can have access to the back-end.

If you were able to read my wp-config.php file, you would see the following snippet before the comment /* That’s all, stop editing! Happy blogging. */

$uriArr = explode( '?', $_SERVER['REQUEST_URI'] );
$uri = $uriArr[0];
// strpos() returns 0 when the match sits at the start of the path (the normal case for a
// root install), so the result must be compared against false rather than tested with "> 0".
if( ( false !== strpos( $uri, '/wp-login.php' ) || false !== strpos( $uri, '/wp-admin' ) ) && false === strpos( $uri, '/admin-ajax.php' ) ){
	// HTTP header names are case-insensitive, so normalise them once instead of checking 'jose' and 'Jose' separately.
	$headers = array_change_key_case( getallheaders(), CASE_LOWER );
	if( !isset( $headers['jose'] ) ){
		echo 'Sorry, You are not authorized to log-in';
		exit;
	}
	$access_key = $headers['jose'];
	// The third argument (true) forces a strict string comparison.
	if( !in_array( $access_key, array(
			'lkjertlkgdfjglekrtjertlkjfdglkjgdlkj'
		), true )
	){
		echo "Your access key is wrong, sorry you can't log-in";
		exit;
	}
}

If the code above detects wp-login.php or wp-admin in the URL and the request is not an ajax request, it checks the request headers sent by the browser. If the header "jose" is not found, the user sees the message "Sorry, You are not authorized to log-in" on a blank screen.

If the header "jose" is sent by the browser, the code checks whether its value is included in the array of keys. If so, the user sees the usual WordPress log-in page; otherwise they read "Your access key is wrong, sorry you can't log-in" on a blank screen.

So after adding the snippet above to your wp-config.php, you only need a browser extension that lets you modify the request headers. In my case, I use the Chrome extension "ModHeader". You just use the extension to add a custom request header when you want to visit your back-end.

Give your custom header a name and a value, then in your wp-config.php replace "jose" with the name you chose and the key in the array with your own password.

In the array of keys in the snippet you can add as many keys as you want and distribute them to your collaborators.

When you want to deny access to one of the allowed users, just remove the related key from the array.

On some websites, I also add the following lines of code after the password authentication:

date_default_timezone_set( 'Europe/Amsterdam' );
// 'G' is the hour on the 24-hour clock (0-23). The 12-hour 'h' format reports the hour
// after midnight as 12, which would let 00:00-00:59 through the "before 6" check.
$h = intval( date( 'G', time() ) );
if( $h < 6 ){
    echo 'You should sleep at this time! If you really work you should know what to do!';
    exit;
}

The code above checks the local time, and if it is earlier than 6 o'clock in the morning you cannot log in without modifying wp-config.php.

I like it because, if you are awake when someone attacks your website, you are able to take action; if you are sleeping, you could wake up to a not-nice surprise.

The final code in this case would be:

$uriArr = explode( '?', $_SERVER['REQUEST_URI'] );
$uri = $uriArr[0];
// strpos() returns 0 when the match sits at the start of the path (the normal case for a
// root install), so the result must be compared against false rather than tested with "> 0".
if( ( false !== strpos( $uri, '/wp-login.php' ) || false !== strpos( $uri, '/wp-admin' ) ) && false === strpos( $uri, '/admin-ajax.php' ) ){
	// HTTP header names are case-insensitive, so normalise them once instead of checking 'jose' and 'Jose' separately.
	$headers = array_change_key_case( getallheaders(), CASE_LOWER );
	if( !isset( $headers['jose'] ) ){
		echo 'Sorry, You are not authorized to log-in';
		exit;
	}
	$access_key = $headers['jose'];
	// The third argument (true) forces a strict string comparison.
	if( !in_array( $access_key, array(
			'lkjertlkgdfjglekrtjertlkjfdglkjgdlkj'
		), true )
	){
		echo "Your access key is wrong, sorry you can't log-in";
		exit;
	}
	date_default_timezone_set( 'Europe/Amsterdam' );
	// 'G' is the 24-hour clock (0-23); the 12-hour 'h' format would let 00:00-00:59 through.
	$h = intval( date( 'G', time() ) );
	if( $h < 6 ){
		echo 'You should sleep at this time! If you really want to work you should know what to do!';
		exit;
	}
}
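As an added example (my own code, not the snippet from the post above), here is how I would write the same header gate and the night-time check as a hardened block for wp-config.php. It assumes a header named X-Backend-Key (a hypothetical name, pick your own), allowed keys stored in the config as SHA-256 hashes rather than in clear, and error_log() for refused attempts; every input used in the CLI self-check is constructed for the demonstration.

```php
<?php
// Added example, not the post's own snippet: a hardened version of the gate
// described above, written as functions so it can be checked from the CLI.
// Assumptions: the header is called "X-Backend-Key" (hypothetical name),
// allowed keys are stored as SHA-256 hashes, and denials go to error_log().

// True when the path targets wp-login.php or wp-admin but not admin-ajax.php.
function is_backend_request(string $requestUri): bool
{
    $path = explode('?', $requestUri, 2)[0];
    // strpos() returns 0 for a match at the start of the path (the normal
    // case for a root install), so compare against false, never "> 0".
    $isLogin = false !== strpos($path, '/wp-login.php');
    $isAdmin = false !== strpos($path, '/wp-admin');
    $isAjax  = false !== strpos($path, '/admin-ajax.php');
    return ($isLogin || $isAdmin) && !$isAjax;
}

// HTTP header names are case-insensitive, so look the header up that way.
function header_value(array $headers, string $name): ?string
{
    $lower = array_change_key_case($headers, CASE_LOWER);
    $value = $lower[strtolower($name)] ?? null;
    return is_string($value) ? $value : null;
}

// Compare the presented key against stored hashes in constant time. Storing
// hashes means a leaked wp-config.php does not directly hand out working keys.
function key_is_allowed(string $presented, array $allowedHashes): bool
{
    $digest = hash('sha256', $presented);
    foreach ($allowedHashes as $allowed) {
        if (hash_equals($allowed, $digest)) {
            return true;
        }
    }
    return false;
}

// True when the local hour in $timezone is inside [$openHour, $closeHour).
// 'G' is the 24-hour clock, so 00:30 counts as hour 0 and is correctly refused.
function within_hours(DateTimeImmutable $now, string $timezone, int $openHour, int $closeHour): bool
{
    $hour = (int) $now->setTimezone(new DateTimeZone($timezone))->format('G');
    return $hour >= $openHour && $hour < $closeHour;
}

// Returns null to allow the request, or the denial message to show.
function backend_gate(array $server, array $headers, array $allowedHashes, DateTimeImmutable $now): ?string
{
    if (!is_backend_request($server['REQUEST_URI'] ?? '/')) {
        return null;
    }
    $presented = header_value($headers, 'X-Backend-Key');
    if ($presented === null) {
        return 'Sorry, you are not authorized to log in';
    }
    if (!key_is_allowed($presented, $allowedHashes)) {
        return 'Your access key is wrong, sorry you cannot log in';
    }
    if (!within_hours($now, 'Europe/Amsterdam', 6, 24)) {
        return 'You should sleep at this time!';
    }
    return null;
}

if (PHP_SAPI !== 'cli') {
    // Real request: placeholder hash, replace with hash('sha256', 'your-key').
    $allowedHashes = ['REPLACE-WITH-SHA256-OF-YOUR-KEY'];
    $headers = function_exists('getallheaders') ? getallheaders() : [];
    $denial = backend_gate($_SERVER, $headers, $allowedHashes, new DateTimeImmutable('now'));
    if ($denial !== null) {
        // Log who was refused so repeated probes of the back-end are visible.
        error_log(sprintf('backend gate denied %s: %s', $_SERVER['REMOTE_ADDR'] ?? '?', $denial));
        http_response_code(403);
        echo $denial;
        exit;
    }
} else {
    // Self-check with constructed inputs: php gate.php
    $hashes = [hash('sha256', 'constructed-demo-key')];
    $tz = new DateTimeZone('Europe/Amsterdam');
    $day = new DateTimeImmutable('2024-01-15 10:00:00', $tz);
    $night = new DateTimeImmutable('2024-01-15 00:30:00', $tz);
    $ok = ['x-backend-key' => 'constructed-demo-key'];
    $checks = [
        null === backend_gate(['REQUEST_URI' => '/wp-login.php'], $ok, $hashes, $day),
        null !== backend_gate(['REQUEST_URI' => '/wp-login.php'], ['X-Backend-Key' => 'wrong'], $hashes, $day),
        null !== backend_gate(['REQUEST_URI' => '/wp-admin/'], [], $hashes, $day),
        null === backend_gate(['REQUEST_URI' => '/wp-admin/admin-ajax.php'], [], $hashes, $day),
        null !== backend_gate(['REQUEST_URI' => '/wp-admin/'], $ok, $hashes, $night),
    ];
    echo in_array(false, $checks, true) ? "a check failed\n" : "all checks passed\n";
}
```

Two design notes. Hashing the stored keys only protects the copy in wp-config.php: the key itself still travels in the request header, so the site must be served over HTTPS and the warning below about sending the header to other servers still applies in full. Returning a 403 status and logging the client address instead of a plain 200 with a message makes refused attempts visible in the web server and PHP logs, which is where you would notice someone probing the back-end.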

Be careful: other people can use the same getallheaders() function on their own servers.

This means that if you leave the extension active and your browser sends the header, including your password, to other sites, that password can be read by anyone who calls getallheaders() on their server.

So avoid using a password you also use for other log-ins and, most of all, activate the extension only when you want to log into your WordPress back-end.