About seven months ago, I made an Apache extra conf file “access-denied.conf” like this. Today, I’ve modified it to control access to the directory “wp-admin”.
I opened access-denied.conf and changed the text as follows.
Old:
<Files "wp-login.php">
    # my local IP addresses
    Require ip xxx.xxx.xxx.xxx/xx
    Require host My wifi domain name
</Files>
New:
<Files "wp-login.php">
    # my local IP addresses
    Require ip xxx.xxx.xxx.xxx/xx
    Require host My wifi domain name
</Files>
# drive_DC:/WEB/htdocs/ is my DocumentRoot.
<Directory "drive_DC:/WEB/htdocs/wp-admin">
    # my local IP addresses
    Require ip xxx.xxx.xxx.xxx/xx
    Require host My wifi domain name
    # admin-ajax.php stays reachable for plugins that use Ajax
    <Files "admin-ajax.php">
        Require all granted
    </Files>
</Directory>
I excluded the file "admin-ajax.php" from this deny rule, because plugins that use the Ajax features need it (Ref: 「Re: WordPress使いならこれだけはやっておきたい本当のセキュリティ対策10項目」). Actually, I examined the plugins on my WordPress and found that some of them use the hook wp_ajax_(action). So, I needed to exclude the file from the rule.
The rule works well. (^^)
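The plugin check described above can be automated. The following is an added example, not part of the original post: it scans a plugins directory for literal `wp_ajax_` and `wp_ajax_nopriv_` hook registrations (the latter is the WordPress prefix for requests from visitors who are not logged in). The directory layout, the function names and the sample plugin files are assumptions constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Matches add_action('wp_ajax_<action>', ...) and the wp_ajax_nopriv_ variant.
# Only literal hook names are caught; names built at runtime
# (e.g. 'wp_ajax_' . $action) are missed and need a manual look.
HOOK_RE = re.compile(
    r"""add_action\s*\(\s*['"]wp_ajax_(nopriv_)?([A-Za-z0-9_\-]+)['"]"""
)

def find_ajax_hooks(plugins_dir):
    """Return {plugin: {"priv": set(actions), "nopriv": set(actions)}}."""
    results = {}
    root = Path(plugins_dir)
    for php in sorted(root.rglob("*.php")):
        # Plugin name = top-level folder (or file name for single-file plugins).
        plugin = php.relative_to(root).parts[0]
        text = php.read_text(encoding="utf-8", errors="replace")
        for nopriv, action in HOOK_RE.findall(text):
            entry = results.setdefault(plugin, {"priv": set(), "nopriv": set()})
            entry["nopriv" if nopriv else "priv"].add(action)
    return results

def build_sample(root):
    """Write a constructed plugins tree (not real plugins) for the demo."""
    samples = {
        "gallery/gallery.php": "<?php add_action('wp_ajax_load_more', 'f');\n"
                               "add_action( \"wp_ajax_nopriv_load_more\", 'f' );",
        "backup/inc/admin.php": "<?php add_action( 'wp_ajax_run_backup', 'g' );",
        "hello.php": "<?php add_action('init', 'h');",
    }
    for rel, body in samples.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")

def demo():
    """Scan the constructed sample tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return find_ajax_hooks(tmp)

if __name__ == "__main__":
    for plugin, hooks in demo().items():
        print(plugin, "logged-in:", sorted(hooks["priv"]),
              "anonymous:", sorted(hooks["nopriv"]))
```

To check a real site, call `find_ajax_hooks()` with the path to `wp-content/plugins`; any plugin listed under "anonymous" serves Ajax to visitors outside the allowed IP range, so it depends on the admin-ajax.php exception.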