Restrict wp-login with cookies
Restrict the WordPress admin page with cookies
There are several ways to stop brute-force attacks on the WordPress admin pages (disable XML-RPC, for God's sake!), but since more aggressive attackers are still out there, a secret cookie can be used to admit only specific privileged users. To do this, add the code below to .htaccess:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Block wp-login.php unless the Cookie header contains wp-token=1.
# Note: RewriteCond matches a regex substring, so any cookie string
# containing "wp-token=1" (e.g. wp-token=10) would also pass this check.
RewriteCond %{HTTP_COOKIE} !wp-token=1 [NC]
RewriteRule ^wp-login\.php - [L,R=403]
# Same check for everything under /wp-admin.
RewriteCond %{HTTP_COOKIE} !wp-token=1 [NC]
RewriteRule ^wp-admin - [L,R=403]
</IfModule>
In this way the Apache server checks the user's browser for the specific cookie wp-token=1;
if it is not present, the user gets a 403 Forbidden response instead of the page.
To let a legitimate user reach the login page, create a PHP page on the same domain that sets the cookie in the browser. Example:
<?php
// Set the gate cookie for 30 days (86400 seconds * 30), valid for the whole site.
setcookie("wp-token", 1, time() + (86400 * 30), "/");
echo "<h2>Please continue..</h2>";
?>
You can change the expiry time or add a header() call to redirect the user to the login page afterwards. Keep in mind that the cookie name and value act as a shared secret: anyone who learns them can set the cookie themselves, so use an unguessable value and keep the URL of the cookie-setting page private.
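As an added example (not code from the original post), here is a hardened version of the cookie-setting page: it requires a secret in the URL so the page itself is not an open door, sets the cookie with Secure/HttpOnly/SameSite attributes, and redirects to the login page with header(). GATE_SECRET and COOKIE_VALUE are assumed placeholders that must be replaced with random values, and the matching .htaccess rule is assumed to check for that cookie value; the options array form of setcookie() needs PHP 7.3 or newer.

```php
<?php
// Added example, not from the original post. Assumptions (placeholders):
//   - .htaccess checks the cookie value below, e.g.
//     RewriteCond %{HTTP_COOKIE} !(^|;\s*)wp-token=REPLACE_WITH_RANDOM_TOKEN(;|$)
//   - the site is served over HTTPS only (the cookie is marked Secure).
const GATE_SECRET  = 'REPLACE_WITH_RANDOM_URL_SECRET'; // required as ?key=...
const COOKIE_VALUE = 'REPLACE_WITH_RANDOM_TOKEN';      // must match .htaccess

// Require the secret in the query string; compare in constant time.
$key = $_GET['key'] ?? '';
if (!is_string($key) || !hash_equals(GATE_SECRET, $key)) {
    http_response_code(404); // behave like a page that does not exist
    exit;
}

// Set the gate cookie for 30 days with hardened attributes.
setcookie('wp-token', COOKIE_VALUE, [
    'expires'  => time() + 86400 * 30,
    'path'     => '/',
    'secure'   => true,   // only sent over HTTPS
    'httponly' => true,   // not readable by page scripts
    'samesite' => 'Lax',  // still sent on top-level navigation to the site
]);

// Send the user straight to the login page, as the post suggests.
header('Location: /wp-login.php', true, 302);
exit;
```

Rotating COOKIE_VALUE (and the matching .htaccess rule) revokes access for every browser that previously received the cookie.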