Brute Force Protection for WordPress Blogs
Recently, a brute force attack has been occurring on WordPress installations around the world.
It is a well-coordinated attack that is currently hitting a large number of installs.
The attackers are trying to gain access to WordPress logins by using easily guessable passwords.
If your WordPress password is something from a dictionary, such as
"p4ssw0rd" or "abc123", then your blog is vulnerable. Once they gain access, they
upload malicious files to the directory, which enables them to send spam or collect personal information.
The symptoms of this attack are sluggish access to your WordPress site, or an inability to log in.
In some instances your site could even intermittently go down for short periods.
To mitigate this attack, you are advised to set a stronger password and add another
layer of protection by password-protecting your wp-login.php.
Here's how to add the additional protection layer to your WordPress blog:
Step 1: Create the Password File
Create a file named .wpadmin and place it in your home directory, where visitors can't access it.
EXAMPLE: /home/username/.wpadmin
cPanel/DirectAdmin home directory: /home/username/ (where 'username' is the cpanel/directadmin username of your account).
WebsitePanel home directory: /home/domain/ (where 'domain' is the domain name associated with your hosting account).
Open a web browser, go to http://www.htaccesstools.com/htpasswd-generator/, and enter your username and password.
Put the username and encrypted password inside the .wpadmin file, using the format username:encryptedpassword.
For example, my output is:
apple:$apr1$gaulVKEm$smsg6EJU6LijtwycYsPry0
Save the .wpadmin file and upload it using an FTP client or File Manager into /home/username.
Step 2: Update the .htaccess File
Under your publicly accessible directory, the last step is to place the following code in the /home/username/.htaccess file:
ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
<FilesMatch "wp-login.php">
    AuthName "Authorized Only"
    AuthType Basic
    AuthUserFile /home/_username_/.wpadmin
    require valid-user
</FilesMatch>
Note: replace "_username_" in the AuthUserFile line above with your cPanel username.
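When a visitor logs in, Apache recomputes the "$apr1$" MD5-based hash stored in .wpadmin with the same salt and compares it with the stored value. The following Python, added here as an example and not part of the original post, reimplements that hash so you can test a .wpadmin file offline before uploading it; the sample file contents are constructed, with the first entry taken from the Apache htpasswd manual and the second generated in the block.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, nchars: int) -> str:
    # Apache's to64(): emit nchars symbols, least significant 6 bits first.
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(nchars))


def apr1_hash(password: str, salt: str) -> str:
    """Apache APR1 (MD5-based) hash in the "$apr1$<salt>$<22 chars>" form."""
    pw, s = password.encode(), salt[:8].encode()  # salt is at most 8 chars
    ctx = hashlib.md5(pw + b"$apr1$" + s)
    alt = hashlib.md5(pw + s + pw).digest()
    n = len(pw)
    while n > 0:  # mix in the alternate sum, repeated to len(pw) bytes
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:  # one byte per bit of len(pw): NUL for 1 bits, pw[0] for 0 bits
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # 1000 stretching rounds
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in order)
    return "$apr1$" + s.decode() + "$" + out + _to64(final[11], 2)


def check_wpadmin(contents: str, user: str, password: str) -> bool:
    """True if Apache would accept user/password against this .wpadmin text."""
    for line in contents.splitlines():
        name, sep, stored = line.partition(":")
        if not sep or name != user or not stored.startswith("$apr1$"):
            continue
        salt = stored.split("$")[2]  # "$apr1$<salt>$<hash>" -> fields[2]
        return hmac.compare_digest(apr1_hash(password, salt), stored)
    return False


# Constructed sample .wpadmin: entry 1 is the vector printed in the Apache
# htpasswd manual for "htpasswd -nbm myName myPassword"; entry 2 is made here.
SAMPLE_WPADMIN = ("myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/\n"
                  + "apple:" + apr1_hash("correct horse battery", "gaulVKEm") + "\n")
```

Running check_wpadmin against your real .wpadmin file with the username and password you intend to use confirms the generator output was pasted correctly before you rely on it in .htaccess.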
Updated on: 13/12/2018
Thank you!