
Brute Force Protection for a WordPress Blog

Recently, a brute force attack has been occurring against WordPress installations around the world.
It is a well-coordinated attack and it is currently hitting a large number of installs.

The attackers are trying to gain access to WordPress logins by using easily guessable passwords.
If you protected your WordPress login with a dictionary word or a common pattern such as
"p4ssw0rd" or "abc123", your blog can be vulnerable. Once they gain access, they
upload malicious files to the directory, which enables them to send spam or collect personal information.

The symptoms of this attack are sluggish access to your WordPress site, or an inability to log in.
In some instances your site could even go down intermittently for short periods.
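Beyond the symptoms above, the clearest evidence of a login brute force is in the web server access log. The following is an added example, not part of the original article: it scans Apache combined-format log lines (the sample lines below are constructed, with documentation-range addresses) for POSTs to wp-login.php and groups them per client IP. It relies on two facts about the responses: WordPress answers a failed login by re-rendering the form with HTTP 200 and a successful one with a 302 redirect, and once the Basic-auth layer described later in this article is in place, unauthenticated POSTs are rejected with 401 before they reach WordPress.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not real traffic). 203.0.113.7 hammers the
# login form, 198.51.100.2 is a legitimate user, 192.0.2.9 never touches it.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Dec/2018:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Dec/2018:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Dec/2018:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Dec/2018:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.2 - - [13/Dec/2018:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
198.51.100.2 - - [13/Dec/2018:10:02:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [13/Dec/2018:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 15000 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Dec/2018:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 401 17 "-" "Mozilla/5.0"
"""

# Minimal matcher for the Apache combined log format: client IP, timestamp,
# request line (method + path) and the HTTP status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields we care about, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop query string
        "status": int(m.group("status")),
    }


def classify_login_attempts(lines):
    """Count POSTs to wp-login.php per client IP, bucketed by outcome."""
    stats = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].endswith("/wp-login.php"):
            continue
        if rec["status"] == 302:
            kind = "success"   # WordPress redirects to wp-admin after a good login
        elif rec["status"] == 401:
            kind = "blocked"   # rejected by the HTTP Basic auth layer in .htaccess
        elif rec["status"] == 200:
            kind = "failed"    # WordPress re-rendered the login form
        else:
            kind = "other"
        stats[rec["ip"]][kind] += 1
    return stats


def suspicious_ips(lines, threshold=3):
    """IPs with at least `threshold` failed login POSTs, sorted for stable output."""
    stats = classify_login_attempts(lines)
    return sorted(ip for ip, c in stats.items() if c["failed"] >= threshold)


if __name__ == "__main__":
    for ip, counts in classify_login_attempts(SAMPLE_LOG.splitlines()).items():
        print(ip, dict(counts))
    print("suspicious:", suspicious_ips(SAMPLE_LOG.splitlines()))
```

On a real host, feed it the live log (`classify_login_attempts(open("/path/to/access_log"))`) and tune `threshold` to your traffic; a sustained stream of 200 responses to login POSTs from a single address is the pattern this article is describing, and a shift of those same requests to 401 is how you confirm the protection below is working.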

To mitigate this attack, set a stronger password and add another
layer of protection by password-protecting wp-login.php with HTTP Basic authentication.

Here's how to add the additional protection layer to your WordPress blog:

Step 1: Create the Password File
Create a file named .wpadmin and place it in your home directory, where visitors can't access it.

EXAMPLE: /home/username/.wpadmin

cPanel/DirectAdmin home directory: /home/username/ (where 'username' is the cpanel/directadmin username of your account).
WebsitePanel home directory: /home/domain/ (where 'domain' is the domain name associated with your hosting account).

Open a web browser, go to http://www.htaccesstools.com/htpasswd-generator/ and enter your chosen username and password.

Put the username and encrypted password inside the .wpadmin file, using the format username:encryptedpassword.
For example, my output is:

apple:$apr1$gaulVKEm$smsg6EJU6LijtwycYsPry0

Save the .wpadmin file and upload it using an FTP client or File Manager into /home/username.
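The "encrypted password" in the line above is an Apache APR1 MD5-crypt hash (the `$apr1$` prefix), so you can produce and check .wpadmin entries locally instead of typing a password into a third-party website. The following is an added example, not part of the original article or any project's code: it implements the APR1 algorithm (1000 iterations of MD5 over password, salt and running digest, followed by Apache's 64-character encoding), builds a `username:hash` entry with a random 8-character salt, and verifies a submitted password against an entry with a constant-time comparison. The user name `apple` and the salt `gaulVKEm` are taken from the example above; the passwords used are constructed.

```python
import hashlib
import hmac
import secrets

# Apache's custom base-64 alphabet for crypt-style hashes.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = "$apr1$"


def _to64(value, count):
    """Encode `count` 6-bit groups of `value`, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_md5(password, salt):
    """Return the APR1 MD5-crypt string "$apr1$<salt>$<22 chars>" for password/salt."""
    pw = password.encode("utf-8")
    salt_b = salt[:8].encode("ascii")          # APR1 uses at most 8 salt characters

    ctx = hashlib.md5(pw + MAGIC.encode() + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    remaining = len(pw)
    while remaining > 0:                        # mix in the alternate digest, len(pw) bytes of it
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    i = len(pw)
    while i > 0:                                # the classic "bit-dependent" byte mixing step
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for i in range(1000):                       # key stretching loop, identical to apr_md5_encode
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(salt_b)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    encoded = (
        _to64((final[0] << 16) | (final[6] << 8) | final[12], 4)
        + _to64((final[1] << 16) | (final[7] << 8) | final[13], 4)
        + _to64((final[2] << 16) | (final[8] << 8) | final[14], 4)
        + _to64((final[3] << 16) | (final[9] << 8) | final[15], 4)
        + _to64((final[4] << 16) | (final[10] << 8) | final[5], 4)
        + _to64(final[11], 2)
    )
    return MAGIC + salt_b.decode() + "$" + encoded


def make_entry(username, password):
    """Build one .wpadmin line "username:$apr1$salt$hash" with a fresh random salt."""
    if ":" in username or not username:
        raise ValueError("username must be non-empty and must not contain ':'")
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{username}:{apr1_md5(password, salt)}"


def verify_entry(entry, username, password):
    """Check a username/password against a stored .wpadmin line (constant-time compare)."""
    user, _, stored = entry.partition(":")
    if user != username or not stored.startswith(MAGIC):
        return False
    salt = stored.split("$")[2]                 # "$apr1$<salt>$<hash>" -> element 2 is the salt
    return hmac.compare_digest(apr1_md5(password, salt), stored)


if __name__ == "__main__":
    entry = make_entry("apple", "constructed example passphrase")
    print(entry)                                # paste this line into ~/.wpadmin
    print(verify_entry(entry, "apple", "constructed example passphrase"))
```

Write the printed line to /home/username/.wpadmin exactly as shown; the file stays outside the web root, so only Apache reads it. Use a Basic-auth password that differs from your WordPress password, so that a compromise of one layer does not hand over the other.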

Step 2: Update the .htaccess File
The last step is to place the following code in the /home/username/.htaccess file under your publicly accessible directory:

ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
<FilesMatch "wp-login.php">
AuthName "Authorized Only"
AuthType Basic
AuthUserFile /home/_username_/.wpadmin
require valid-user
</FilesMatch>

Note: replace "_username_" above with your cPanel username, so that AuthUserFile points at the .wpadmin file you created in Step 1.

Updated on: 13/12/2018
