In the recent rash of wp-login.php brute force attacks, I needed a way to block access to wp-login.php on a single domain in a WordPress multi-site with many domains. The impact on customers of blocking all domains was too great so I needed a more targeted solution. Here’s what I came up with for the .htaccess file:
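```apache
# Flag requests whose Host header names the domain to block.
# The hostname arrives in the Host header; Request_URI holds only the path.
SetEnvIfNoCase Host "somedomain\.com" blockdomain=1
# Deny wp-login.php to flagged requests (2.2 syntax; Apache 2.4 needs mod_access_compat).
<FilesMatch "^wp-login\.php$">
    Deny from env=blockdomain
</FilesMatch>
```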
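To decide which domain to target and to confirm the rule is biting, the access log can be tallied per virtual host. The following is an added example, not part of the original post: it assumes the server logs in Debian's `vhost_combined` format (virtual host first), and the log lines and `otherdomain.com` are constructed samples.

```python
import re
from collections import Counter

# Constructed sample lines in the "vhost_combined" LogFormat (assumption):
# %v:%p %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
SAMPLE_LOG = """\
somedomain.com:80 203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
somedomain.com:80 203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
otherdomain.com:80 198.51.100.4 - - [01/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
otherdomain.com:80 198.51.100.4 - - [01/Jan/2024:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 2980 "-" "Mozilla/5.0"
somedomain.com:80 203.0.113.9 - - [01/Jan/2024:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 403 210 "-" "Mozilla/5.0"
SomeDomain.com:80 203.0.113.9 - - [01/Jan/2024:10:05:01 +0000] "POST /wp-login.php?x=1 HTTP/1.1" 403 210 "-" "Mozilla/5.0"
this line is not a log entry
"""

LINE_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):\d+ (?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def login_posts_by_vhost(log_text):
    """Return {vhost: Counter(status -> count)} for POSTs to wp-login.php."""
    stats = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or differently formatted lines
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if m.group("method") != "POST" or not path.endswith("/wp-login.php"):
            continue
        vhost = m.group("vhost").lower()  # hostnames are case-insensitive
        stats.setdefault(vhost, Counter())[m.group("status")] += 1
    return stats

def summarize(stats):
    """Rows of (vhost, total login POSTs, POSTs answered 403), busiest first."""
    rows = [(v, sum(c.values()), c.get("403", 0)) for v, c in stats.items()]
    return sorted(rows, key=lambda row: row[1], reverse=True)

if __name__ == "__main__":
    for vhost, total, blocked in summarize(login_posts_by_vhost(SAMPLE_LOG)):
        print(f"{vhost:20} login POSTs={total:3} answered 403={blocked}")
```

Once the rule is active, login POSTs for the blocked domain should be answered with 403 while the other domains keep their normal status codes.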