Credits: Video Training produced by Brian Teeman
There are several methods in Admin Tools to restrict access to the administrator interface of your website.
The first we have already seen in the Web Application Firewall video. If we look at the Configure WAF here we can see that I can restrict administrator access only to IP addresses in a whitelist or disallow access to IPs that are in a blacklist. As most people want to be able to access their website administrator wherever they are, perhaps when they are roaming from an internet cafe or their mobile phone, I don't recommend that you set the whitelist up.
You can also lock down your administrator interface at certain hours of the day by setting an away schedule. For example, I can prevent access from 18:00 to 08:00. However, again, in case of emergency this might not be the best option.
Another option is to change the admin URL. You can create a new admin URL if you enter a word or phrase here without any spaces. If we now save changes, when someone tries to access the administrator with the original URL, they will see that it is disabled. The only way you will be able to log in to the administrator is by going to the new URL.
Whilst this will prevent most types of brute force attacks, a far better option is to use the password protect WordPress administration feature that we saw in the installation video. With this method you can prevent access with an additional username and password.
Enter the username and password that you want to use. This should not be the same as your password for anything else, including your WordPress administrator login. Then click on Password protect. A pop-up box will immediately be displayed requesting authentication, and before you can proceed you must now enter the details that you just entered.
If someone now goes to your website and attempts to log in to the administrator URL, they will get a pop-up box asking for that additional username and password.
The final protection that Admin Tools provides is called Emergency Off-line. If for any reason you need to make sure that your website is completely offline and can't be used for anything, we can select this option and it will add these rules to your .htaccess file in the site root.
What this will do is ensure that any requests to your website are redirected to a file called offline.html. If I activate this by clicking on the Set Offline button, the site is now in Emergency Off-line mode and anyone coming to the site will be redirected to that offline page. You can, if you wish, replace this file with your own design.
As long as your own internet connection and your IP address do not change, you will still be able to access the site even when it's in offline mode. When you're ready to turn the site back online simply select Emergency Off-line and click the green Set Online. Anyone visiting your site now will see the site as you intended them to see it.
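The behaviour described for Emergency Off-line can be sketched as an .htaccess fragment. This is an added illustration, not the rules Admin Tools itself writes and not part of the original video; it assumes Apache with mod_rewrite, and 203.0.113.10 is a constructed documentation-range address standing in for the administrator's current public IP.

```apache
# Illustrative sketch only: NOT the rules generated by Admin Tools.
# 203.0.113.10 is a constructed placeholder for the administrator's public IP.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Exempt the administrator: requests from this one address are served
    # normally. If your IP changes, this stops matching and you are
    # redirected like everyone else.
    RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$

    # Never redirect the offline page itself, otherwise the redirect loops.
    RewriteCond %{REQUEST_URI} !^/offline\.html$

    # Send every other request to the static offline page. A temporary
    # redirect keeps browsers and crawlers from caching it once the site
    # is back online.
    RewriteRule ^ /offline.html [R=307,L]
</IfModule>
```

An exemption keyed on REMOTE_ADDR only works when the web server sees the visitor's real address. Behind a reverse proxy or CDN every request arrives from the proxy's IP, so the exemption would match either all visitors or none.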