Posted for my re-use; so I can just cut/paste from this post after every WordPress update.
Due to the number of access requests for wp-login.php from IP addresses that are clearly not authorised to use my WordPress installation, I always insert the lines below at the top of the wp-login.php script to ensure that even if someone does find wp-login.php they cannot use it.
    if ( ( $_SERVER['REMOTE_ADDR'] != "192.168.1.187" ) &&
         ( $_SERVER['REMOTE_ADDR'] != "192.168.1.188" ) ) {
        echo 'wp-login can only be accessed from the internal network, you are on '.$_SERVER['REMOTE_ADDR'].'.';
        echo '...a link to the main website page here...';
        die();
    }
This ensures that even if someone gets past my rewrite blacklist scripts they still cannot log on to WordPress, unless they are physically using one of my two desktops of course.
Posted for my reference as every time I update WordPress, and it installs a new wp-login.php script, I have to redo these changes… as I have just had to do again, sigh.
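The re-apply step described above can be scripted so that it is safe to run after every update. This is an added example, not part of the original post: the marker comment `local-ip-guard`, the function name and the script name are assumptions, and the guard itself is the snippet from this post unchanged.

```shell
#!/bin/sh
# Added example (not from the original post): re-insert the IP guard after <?php
# in a freshly updated wp-login.php. MARKER and the function name are assumptions.
MARKER='local-ip-guard'

apply_login_guard() {
    target=$1
    [ -f "$target" ] || { echo "no such file: $target" >&2; return 2; }

    # Idempotent: a file that already carries the marker is left untouched.
    if grep -qF "$MARKER" "$target"; then
        return 0
    fi

    # Only patch a file whose first line is exactly the PHP open tag.
    if [ "$(head -n 1 "$target")" != '<?php' ]; then
        echo "unexpected first line in $target, not patching" >&2
        return 3
    fi

    tmp=$(mktemp "$target.XXXXXX") || return 4
    {
        printf '<?php\n// %s: re-applied after a core update\n' "$MARKER"
        cat <<'PHP'
if ( ( $_SERVER['REMOTE_ADDR'] != "192.168.1.187" ) &&
     ( $_SERVER['REMOTE_ADDR'] != "192.168.1.188" ) ) {
    echo 'wp-login can only be accessed from the internal network, you are on '.$_SERVER['REMOTE_ADDR'].'.';
    echo '...a link to the main website page here...';
    die();
}
PHP
        tail -n +2 "$target"
    } > "$tmp"

    # Lint the result when a php binary is available, and abort on a syntax error.
    if command -v php >/dev/null 2>&1 && ! php -l "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"
        return 5
    fi

    # Overwrite in place so the original owner and mode are kept.
    cat "$tmp" > "$target" && rm -f "$tmp"
}

# Usage: sh apply-login-guard.sh /path/to/wordpress/wp-login.php
if [ $# -gt 0 ]; then
    apply_login_guard "$1"
fi
```

The script refuses to touch a file whose first line is not exactly `<?php`, so a change in the layout of a future wp-login.php shows up as an error rather than a silently broken login page.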