The goal: Completely remove the ability to access the WordPress backend on the production domain. Ex. return a 404 for http://example.com/wp-admin
Purpose: I don’t want any possibility of WordPress’ backend being accessed across the Internet. Instead, it will only be accessible via VPN on an internal domain (i.e. http://example.internal/wp-admin). This ensures that no one could ever brute-force attack the login page.
I could restrict logins to a given IP address, but I don’t want to keep up with a list of IPs. I’d prefer to use the security my VPN already offers.
wp-admin still has to be accessible in some fashion because there could be resources that the frontend calls.
Are there any solutions beyond redirecting wp-login.php somewhere else?
If you know the sub-net of your VPN you could restrict access to /wp-admin via .htaccess using standard Apache rules.
    # Apache 2.2 access-control syntax. A <Directory> block belongs in the
    # server or virtual-host configuration (it is not permitted in .htaccess).
    <Directory /var/www/wp-admin/>
        Order deny,allow
        # Without an explicit Deny, "Order deny,allow" permits every client.
        Deny from all
        Allow from 192.168.1.0/24
        # Partial-address form: matches any 127.x.x.x (loopback) client.
        Allow from 127
    </Directory>
Obviously you’d need to adjust the directory and IP address subnet to suit your needs.
To restrict access to a specific file:
    # Deny everyone, then allow only the loopback address.
    <Files _FILE_.php>
        Order allow,deny
        Deny from all
        Allow from 127.0.0.1
    </Files>
Again, you can use a sub-net mask to suit your VPN.
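As an added example (not part of the original answer), the same restriction in Apache 2.4 `Require` syntax, assuming the VPN subnet 192.168.1.0/24 and a document root of /var/www/html. It also covers wp-login.php, which lives in the site root rather than under wp-admin, and keeps wp-admin/admin-ajax.php reachable for the frontend calls the question mentions.

```apache
# Apache 2.4 (mod_authz_core). Place in the server or virtual-host config.
# Assumed values: VPN subnet 192.168.1.0/24, document root /var/www/html.

<Directory "/var/www/html/wp-admin">
    # Only VPN clients and the local host may reach the backend.
    Require ip 192.168.1.0/24 127.0.0.1

    # admin-ajax.php is called by themes/plugins on the public frontend,
    # so it stays open. With the default AuthMerging Off, this more
    # specific <Files> section replaces the <Directory> rule above.
    <Files "admin-ajax.php">
        Require all granted
    </Files>
</Directory>

# The login form is /wp-login.php in the site root, not under /wp-admin,
# so blocking the directory alone does not stop login attempts.
<Files "wp-login.php">
    Require ip 192.168.1.0/24 127.0.0.1
</Files>
```

Apache answers a rejected request with 403 rather than the 404 asked for in the question; verify from a non-VPN address that /wp-admin/ and /wp-login.php are refused while /wp-admin/admin-ajax.php still responds.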