Support
Web Development

How can I protect the wp-login.php file of my WordPress site from brute force attacks?

You can lock the login form of your Wordpress from inside the .htaccess file to prevent unauthorized login attempts from users and applications (Brute Force Attacks).

Why is this important?

Protecting the login form in Wordpress is important for two reasons:

  1. The obvious reason is that after many tests someone can finally find your password you use to login to Wordpress and this way login to your site with your own credencials.
  2. The second reason which is perhaps not so obvious to the end user, is the stress on the server. There is a serious possibility of a malicious script or bot to perform many password tests on your website in a short time.

    The monitoring software running in our servers will isolate this malicious user to prevent the server to become stressed. But in any case if there is care from the application even this low charge on the server may have been avoided by monitoring malicious attempts, so more resources remain in your account for use in your site and not for any malicious actions.


Limitation of efforts

There are two different recommendations regarding the way limiting posts in wp-login.php. The difference is whether you have a static or a dynamic IP. In both cases, the operations are done in the .htaccess file of your hosting account.


Locating the .htaccess file on your hosting account.

The .htaccess file is a peculiar type of file and belongs to the dot files category as otherwise called. These files are usually hidden to the servers, but always provided the ability to edit / view them through the cPanel. Look carefully the following steps:

  1. Login to cPanel
  2. In Files category, click the File Manager option.

    cPanel - Files category- File Manager

  3. Select Document Root for your domain.
  4. Select the Show Hidden Files (dotfiles) option

    cPanel - show hidden folders - Fotfiles

  5. Click the Go button.
  6. Right click the .htaccess file and select Code Edit or Edit.

    cPanel - edit .htaccess

  7. In the popup window click the Edit button.

The editor that opens is the space in which you will Enter the commands you want to protect your account. Let .htaccess file open and review the following instructions to end up in Instruction Set that you will write to the file.


Dynamic or static IP

Depending on the use or non static IP you can select a different set of commands for your .htaccess file.

  • Static IP

    You can take advantage of the static IP address, if you have one or more in your possession, limiting vertically the access in the management environment of your Worpdress only by these IP.

    To achieve this vertical restraint view the code template you can enter in .htaccess file after a little customization you need to do.


    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    RewriteCond %{REMOTE_ADDR} !^111\.111\.111\.111$
    RewriteCond %{REMOTE_ADDR} !^111\.111\.111\.111$
    RewriteCond %{REMOTE_ADDR} !^111\.111\.111\.111$
    RewriteRule ^(.*)$ - [R=403,L]

    At the points where it says 111 put your own IP address that you own and want to be able to login to your Wordpress site.

  • Dynamic IP

    The vast majority of internet users use dynamic IP address. The limitation that can be applied in this case is in the referar of the login page.

    Specifically define that you allow posts on the login form only from the same domain as follows:


    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{HTTP_REFERER} !^http://(.*)?example\.com [NC]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    RewriteRule ^(.*)$ - [F]

    In place of the word example\.com enter your own domain name.

    In this way someone should already be on your page in order to be able to POST on the login page of your Wordpress. Therefore all the scripts and bots that do blind POSTS (Brute Force Attacks) to the login page are blocked

    With this elegant way and making these minimal operations in the .htaccess file of your hosting account, you can get rid of many malicious attempts of login on your site and save resources to your account for actual use.

IPGLOBAL IKE   |  IP.GR Web Hosting and Domain Name registration services in Greece