I spent much of the morning tracking these items down, so I thought I would share them here.
Let’s start by blocking HTTP access to the .htaccess file itself, so that any idjit who tries to pull the file over the web and read the rules you are about to add gets nothing. (Apache's stock httpd.conf already denies ".ht*" files, but it costs nothing to repeat it in case that default has been loosened.) Note that Order / Deny from are the Apache 2.2 directives; on 2.4 they only work if mod_access_compat is loaded, and the native equivalent is a single Require all denied line.
<Files .htaccess>
## No space after the comma: "Order" takes exactly one argument, and "Deny, Allow" is a syntax error
Order Deny,Allow
## Really? You didn't think I would do this?
Deny from all
</Files>
Next, let’s shut down xmlrpc.php. It is mostly unused these days, but it remains a favourite entry point for more idjits, because it accepts password guesses (including many per request via system.multicall) and pingback requests without ever touching wp-login.php.
[NOTE: If you use Jetpack, you may have to open this up to the Automattic IP ranges that make its automated requests, since Jetpack talks to your site through xmlrpc.php.]
<Files xmlrpc.php>
Order Deny,Allow
## No soup for you!
Deny from all
</Files>
Finally, let’s IP-restrict access to the wp-admin area and wp-login.php. One addition to the allow list is my public IP address. The reason is that if you access your WP instance by its hostname rather than its private IP, your requests actually go out through your router and back in (hairpin NAT), so they arrive with the public IP even though they originate inside the private range. Two caveats before you copy this: if the site sits behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address rather than the visitor's, and these conditions will not work as written (mod_remoteip and RemoteIPHeader are the usual fix); and wp-admin/admin-ajax.php is called by themes and plugins on behalf of anonymous visitors, so it has to be exempted or parts of the public site will break.
<IfModule mod_rewrite.c>
RewriteEngine on
## wp-login.php anywhere in the path
RewriteCond %{REQUEST_URI} wp-login\.php [OR]
## The wp-admin directory itself and everything under it. A pattern ending in "wp-admin$"
## matches only a bare /wp-admin with no trailing slash, so /wp-admin/ and everything inside it would slip through.
RewriteCond %{REQUEST_URI} ^/wp-admin(/|$)
## Leave admin-ajax.php reachable for front-end requests
RewriteCond %{REQUEST_URI} !^/wp-admin/admin-ajax\.php$
## Your local private IP range. The final dot must be escaped: an unescaped "." matches any
## character, so "192\.168\.1." would also admit 192.168.10.x through 192.168.19.x.
RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.
## Your external IP
RewriteCond %{REMOTE_ADDR} !^[IP ADDRESS REGEX HERE]$
## What to do with the rest of the bozos
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
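Here is the same set of controls rewritten as one .htaccess for Apache 2.4, as an added example that is not from the original post. It uses mod_authz_core's Require syntax in place of the 2.2-era Order / Deny from directives (so it does not depend on mod_access_compat), matches the whole wp-admin directory rather than only the bare path, and exempts admin-ajax.php. The LAN range 192.168.1.0/24 and the public address 203.0.113.5 (taken from the RFC 5737 documentation range) are placeholders standing in for your own; substitute both.

```apache
# Added example for Apache 2.4 (not the original post's config).
# Placeholders: 192.168.1.0/24 is your LAN, 203.0.113.5 is your public IP. Replace both.
# Require needs AllowOverride AuthConfig (or All) for this directory to be honoured from .htaccess.

# 1. Never serve .htaccess or any other .ht* file over HTTP.
<Files ".ht*">
    Require all denied
</Files>

# 2. Block xmlrpc.php entirely. If Jetpack needs it, replace the denial with
#    one "Require ip" line per Automattic range instead of reopening it to everyone.
<Files "xmlrpc.php">
    Require all denied
</Files>

# 3. wp-login.php is a single file, so <Files> plus Require ip is enough.
#    Multiple Require lines in one container are OR'd together.
<Files "wp-login.php">
    Require ip 192.168.1.0/24
    Require ip 203.0.113.5
</Files>

# 4. wp-admin is a directory, which <Files> cannot match from a parent .htaccess,
#    so mod_rewrite does the path check. admin-ajax.php stays reachable because
#    themes and plugins call it for anonymous visitors.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^/wp-admin(/|$)
    RewriteCond %{REQUEST_URI} !^/wp-admin/admin-ajax\.php$
    RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.[0-9]{1,3}$
    RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.5$
    # [F] returns 403 Forbidden without a substitution
    RewriteRule .* - [F,L]
</IfModule>
```

Check which syntax your server wants with httpd -v (apache2ctl -v on Debian-derived systems) before choosing between this and the 2.2 directives above: a Require line on 2.2 is an unknown directive and takes the whole site down with a 500, while Order / Deny from on a 2.4 server without mod_access_compat does the same. After reloading, request /xmlrpc.php and /wp-admin/ from an address outside both ranges and confirm a 403 in the access log, then request /wp-admin/admin-ajax.php the same way and confirm it still answers. If REMOTE_ADDR is always your proxy or CDN's address in that log, the ip conditions are matching the wrong host and you need mod_remoteip configured first.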
And with these, most of the annoying log entries probing your WP install should leave your site frustrated.