<b>Admin Area Isolation SOP</b>
Apply to every site where wp-admin is internal-only.
— Step 1: Restrict <code>/wp-admin/</code> by IP at the web server (nginx or Apache), not in a plugin, so the request is refused before PHP runs. Allow your office ranges, VPN pool, and CI runners; deny everything else.
— Step 2: Put HTTP basic auth in front of <code>wp-login.php</code> as a second gate before WordPress authentication runs. <code>wp-login.php</code> lives in the site root, outside <code>/wp-admin/</code>, so Step 1 does not cover it. Basic-auth credentials travel Base64-encoded on every request, so this step is only safe once Step 3 is in place.
— Step 3: Force HTTPS for the admin. Set <code>FORCE_SSL_ADMIN</code> to <code>true</code> in <code>wp-config.php</code> so WordPress issues admin and login URLs over HTTPS, and pair it with a server-level redirect of plain HTTP so no admin or login request is ever answered in the clear.
— Step 4: Shorten the admin session lifetime (WordPress exposes it through the <code>auth_cookie_expiration</code> filter) and require re-authentication for sensitive actions such as password, e-mail, or role changes.
— Step 5: Exclude <code>admin-ajax.php</code> from the IP block; front-end features depend on it. This does not reopen the admin: each AJAX action still runs under WordPress's own checks, and only handlers registered with <code>wp_ajax_nopriv_</code> serve anonymous callers.
— Step 6: Verify from a network that is not allowlisted: <code>/wp-admin/</code> must return 403 (not a login form and not a redirect to one), <code>wp-login.php</code> must return 401 from basic auth, and <code>admin-ajax.php</code> must still answer rather than 403.
Run through all six steps every time a site is provisioned or its server config changes; skipping one leaves the admin reachable.
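The steps above as one nginx server block, added here as an illustration and not taken from the Lockdown Ledger post. It implements Steps 1, 2, 3 (the server-side redirect) and 5 and ends with the Step 6 checks as comments; the WordPress-side settings of Steps 3 and 4 stay in <code>wp-config.php</code> and are not shown. The hostname, document root, IP ranges, PHP-FPM socket, certificate paths and htpasswd file are placeholders to be replaced.

```nginx
# Added example, not from the Lockdown Ledger post. nginx server block for a
# WordPress site implementing Steps 1, 2, 3 and 5 of the SOP. Hostname, docroot,
# IP ranges, socket, certificate and htpasswd paths are placeholders.

# Step 3 (server side): refuse plain HTTP for the whole site, not only the admin.
server {
    listen 80;
    server_name example.com;                  # placeholder hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;                  # placeholder hostname
    root  /var/www/example;                   # placeholder docroot
    index index.php;
    ssl_certificate     /etc/ssl/example/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/ssl/example/privkey.pem;    # placeholder

    # Step 5: keep admin-ajax.php reachable. An exact (=) location is selected
    # before any prefix or regex location, so it wins over the /wp-admin/ block
    # below whatever the file order. Each action still runs under WordPress's
    # own checks; only wp_ajax_nopriv_* handlers serve anonymous callers.
    location = /wp-admin/admin-ajax.php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;          # placeholder socket
    }

    # Step 2: basic auth on the login script. It sits in the site root, so the
    # /wp-admin/ allowlist never sees it. Unauthenticated callers get 401 and
    # never reach the WordPress login form.
    location = /wp-login.php {
        auth_basic           "Restricted";
        auth_basic_user_file /etc/nginx/wp-login.htpasswd;  # placeholder; create with htpasswd -B
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Step 1: IP allowlist. The ^~ modifier matters: without it nginx would go
    # on to evaluate the site-wide "location ~ \.php$" for /wp-admin/index.php,
    # and that regex location carries no allow/deny, so every PHP file under
    # the admin would bypass the restriction.
    location ^~ /wp-admin/ {
        allow 203.0.113.0/24;    # office (placeholder, TEST-NET-3)
        allow 10.8.0.0/24;       # VPN pool (placeholder)
        allow 198.51.100.10;     # CI runner (placeholder)
        deny  all;               # everyone else: 403, no login form, no redirect

        try_files $uri $uri/ /index.php?$args;

        # Nested location: inherits the allow/deny rules of the enclosing block.
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }
    }

    # Everything else is the public site.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}

# Step 6, run from a network that is NOT in the allowlist:
#   curl -sI https://example.com/wp-admin/               -> HTTP/1.1 403
#   curl -sI https://example.com/wp-login.php            -> HTTP/1.1 401
#   curl -sI https://example.com/wp-admin/admin-ajax.php -> any status except 403
```

Two points a practitioner should check after deploying this: the allowlist must be exhaustive (a CI runner on a changing egress address will start receiving 403s), and if the site ever adds a separate site-wide <code>location ~ \.php$</code> with a different modifier or moves the admin block, the <code>^~</code> bypass described in the comment is the first thing to re-test with the Step 6 commands.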
Lockdown Ledger
@LockdownLedger
This post was published in the Telegram channel Lockdown Ledger. Subscribe via the link: @LockdownLedger.