After last attack on previous article, someone coming from ip and login succesfully, and change wp password. After that, my site lock me down, because my password is incorrect after trying 2 times. WTF!! Now, i try to protect site manualy using .htaccess, that backend can open only from ip that i mentioned. BUT It Denies from all.

To do that, make .htaccess file like this.

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^$
RewriteCond %{REMOTE_ADDR} !^$
RewriteCond %{REMOTE_ADDR} !^$
RewriteRule ^(.*)$ - [R=403,L]
# END WordPress
<Files 403.shtml>
order allow,deny
allow from all

insert multiple whitelist ip addresses by changing this line

RewriteCond %{REMOTE_ADDR} !^$

change with your ip address –> <–
to find your in just type “what is my ip” on google. and google will show your ip address.

after that. upload that file to your root server.