This should be fixed with the 2.0.7 Wordpress upgrade, however, let’s add a little extra security with a htaccess file. This will limit access to this folder by IP address. Any attempts at accessing any file within this folder will be greeted with a Forbidden error message.

I placed this file in the /wp-admin folder:

Create file .htaccess with contents:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “Please enter your password to Access Control”
AuthType Basic
<limit get>
order deny,allow
deny from all
allow from 64.121.152.25
allow from 64.121.152.254
</limit>

Update: Note that this is was temporary fix until the next version of Wordpress came out. If you do limit access to your wp-admin folder by IP address you may have to update it if your internet provider assigns you a dynamic IP address, you move to another location or you have authors at other locations.

You may also want to check out Michael’s Login Lockdown plugin which will prevent attackers trying to brute force their way in. Failed login attempts are recorded and after a set amount of failed logins, it blocks an IP range for 1 hour by default.