Completely Stop WordPress Brute Force Login Attacks Easily

WordPress is one of the best and most popular blogging platforms out there. As a result, it is also a favourite target for hackers. As your WordPress site becomes more and more popular, it faces brute force login attacks. Through these unauthorized login attempts, there is a possibility that hackers gain admin access to your site.

There are several methods to limit WordPress brute force attacks. In this post, I'm going to show you how to password protect the wp-login.php page using the credentials from cPanel's "Password Protect Directories" feature. This is easier than the other similar methods: you don't need to create a password file and upload it to your web host account. With this method, when someone requests your site's login page, the browser shows a popup login window. Botnet attack tools can't submit login info through that window.

However, this is not the only method to limit WordPress brute force login attacks. There are alternatives, such as free WP plugin based methods (for instance LimitLogin and Wordfence). However, recently there has been a highly distributed WordPress brute force attack. It uses spoofed or forged IP addresses, and these IP addresses change every minute or even every second. Therefore, with a plugin based method, it's hard to ban all the attacking IP addresses.


As I mentioned above, this wp-login.php password protection method has two main steps. First, you enable WordPress password protection for the wp-admin directory in cPanel. Then, using those login credentials, you protect the wp-login.php file.

This is a sample screenshot of the popup window.

demo screenshot

How to protect the wp-admin directory.

  • Log in to your hosting account's cPanel.
  • Navigate to the cPanel “Security” tab and click on “Password Protect Directories”.
  • In the popup window that appears next, choose “Web Root (public_html/www)” and check “”. Then click on the “Go” button.

WP Directory Selection

  • Select the folder that needs protecting. In this case, select the “wp-admin” directory.

Select wp-admin

  • Create a user for the new protected directory. Under “Create User”, type a suitable user name and password. This user name and password should be unique. If your WordPress site has multiple authors, all of them will have to use the user name and password created in this step. Therefore, don't use your WordPress site login credentials here.

Add user to password protected area

  • Next, add the user. Click on the “add/modify authorized user” button.
  • Under “Security Settings:”, check the “:” check box. In addition, type a suitable phrase in the “:” field. This phrase is shown every time someone requests the wp-login page or the wp-admin directory, for instance “Admin Only”.
  • Click the “Save” button to apply the changes.


How to protect wp-login.php with a password.

This section covers the wp-login.php password protection steps. To follow them, you must first have completed the guide above.

  • Log in to your hosting account's cPanel.
  • Navigate to the “Files” tab and click on “File Manager”.

cPanel file manager

  • In the directory selection light box, choose the “Web Root (public_html/www)” option and check the “Show Hidden Files (dotfiles)” option. Then click the “Go” button.
  • The cPanel file manager opens in a new tab. Look for the “.htaccess” file; normally it's located at the top of the page.
  • Select the .htaccess file and click on the “Edit” button at the top of the page. Alternatively, right click on the .htaccess file and select the edit option.

edit htaccess file

  • In the “Text Editor” light box, click the “Edit” button.
  • Now paste the following code into your .htaccess file to protect the wp-login.php page. After pasting it, replace “cPanel User name here” with your actual cPanel user name. If your WordPress site is installed in a sub folder, change the AuthUserFile location accordingly; in my case WP is installed in the root directory. If your site uses a custom login page, replace wp-login.php in the code with the relevant page name. Make sure the quotes are straight ASCII quotes, not the curly quotes a web page or word processor may insert, or Apache will reject the directives.
# Ask for the cPanel directory-protection credentials before serving wp-login.php
<FilesMatch "wp-login.php">
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/cPanel User name here/.htpasswds/public_html/wp-admin/passwd"
Require valid-user
</FilesMatch>
  • Then add the following code right after the code above. The first block fixes the Ajax break issue. The second line fixes the 404 not found errors.
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>

ErrorDocument 401 /
  • Now everything is complete. Try to log in to your WordPress login page to test that it's protected.
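As an added check that is not part of the original post, here is a small Python script that lints the finished .htaccess for the pieces this guide adds (the FilesMatch block for wp-login.php, the admin-ajax.php exception with Satisfy any, and the ErrorDocument 401 line) and for two common copy-paste mistakes: curly quotes and the placeholder cPanel user name left in. Both sample files and the EXAMPLEUSER name are constructed for the example.

```python
import re
# Constructed sample: the .htaccess after following the guide (EXAMPLEUSER = real cPanel user name).
GOOD_HTACCESS = '''\
<FilesMatch "wp-login.php">
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/EXAMPLEUSER/.htpasswds/public_html/wp-admin/passwd"
Require valid-user
</FilesMatch>
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
ErrorDocument 401 /
'''

# Constructed sample with typical copy-paste mistakes: curly quotes from a web page,
# the placeholder user name left in, no admin-ajax exception, no ErrorDocument line.
BAD_HTACCESS = '''\
<FilesMatch \u201cwp-login.php\u201d>
AuthType Basic
AuthUserFile \u201c/home/cPanel User name here/.htpasswds/public_html/wp-admin/passwd\u201d
require valid-user
</FilesMatch>
'''

def check_htaccess(text: str) -> list[str]:
    """Return the problems found; an empty list means the file matches the guide."""
    findings = []
    if re.search("[\u201c\u201d\u2018\u2019]", text):
        findings.append("curly quotes found; Apache expects straight ASCII quotes")
    norm = re.sub("[\u201c\u201d]", '"', text)  # keep checking past the quote problem
    block = re.search(r'<FilesMatch\s+"?([^">]+)"?>(.*?)</FilesMatch>', norm, re.S | re.I)
    if not block or "wp-login" not in block.group(1):
        findings.append("no <FilesMatch> block covering wp-login.php")
    else:
        body = block.group(2)
        for directive in ("AuthType Basic", "AuthUserFile", "Require valid-user"):
            if not re.search(re.escape(directive), body, re.I):
                findings.append(f"wp-login.php block lacks '{directive}'")
        if "cPanel User name here" in body:
            findings.append("AuthUserFile still contains the placeholder cPanel user name")
    ajax = re.search(r'<Files\s+"?admin-ajax\.php"?>(.*?)</Files>', norm, re.S | re.I)
    if not ajax or not re.search(r"Satisfy\s+any", ajax.group(1), re.I):
        findings.append("no <Files admin-ajax.php> block with 'Satisfy any'; front-end Ajax gets 401")
    if not re.search(r"^\s*ErrorDocument\s+401\b", norm, re.M | re.I):
        findings.append("no ErrorDocument 401 line (the guide adds it to stop the 404 errors)")
    return findings
```

Run it against the contents of your own .htaccess (for example `check_htaccess(open(".htaccess").read())`) before testing the login page in the browser.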


Once wp-login.php is password protected, every time someone requests that page a popup window asks for a user name and a password. If the user fails to submit the correct credentials, access to the login page is refused. Now you are safe from WordPress brute force attacks.