Web hosting companies around the world are seeing a radical increase in the number of WordPress brute-force login attempts.

My goal in writing this article is to provide tips on how to secure your website against brute-force attacks.

My password is
Your neighbor may be attempting to hack your website at this very moment!

The days of mass denial of service attacks originating from Asia or Europe seem to have been overshadowed by PC hacks originating in the good ol’ US of A. By some accounts, over 100,000 unique IP addresses were involved in the April 2013 attack, a good majority of which appeared to be originating through compromised PC’s in North America.
Five tips to block brute force attacks (from easiest to maybe a bit paranoid)


1. Why give bots a username to chew on?

Delete the “admin” and “administrator” usernames from your WordPress installations.


2. Plugins are a man’s best friend.

WordPress plugins like these are well regarded options:


3. Forget what every security expert has told you about passwords and retrain your brain to use pass-phrases instead. Decide on three or four words, like, sitedomain.password.yourkeyphrase Less memorization on my part, and no bot is going to figure out my 30 character password, unless I remove my tin foil cap. They can Bite my shiny metal…


4a. Disable “post” access to wp-login.php by adding this text to the top of your .htaccess file:

<ifmodule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(.*)?hackguard\.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]

Stop WordPress wp-login.php Attacks
Just replace hackguard with your domain, and save. Be careful to leave that “\” in place before your .com/net/etc. This text simply prevents bots from “posting” against the default WordPress login script.*

*Rumor has it that while this post blocking will stop most WordPress brute force attacks instantly, you cannot use this on a website which requires registration confirmation via a link back to your blog.


4b. If the above .htaccess edit does appear to be blocking connections as well as hoped then try this last resort option: – Rename your wp-login.php file to something like wp-login123.php, then place a blank wp-login.php file in it’s place.

Then edit /wp-includes/general-template.php

and replace all wp-login.php text with your new login file name. This change prevents bots from connecting to your login page, thus reducing MySQL loading of your server.

*Just remember, your changes will be overwritten the next time you upgrade WordPress.


5. How do I restrict access to my WordPress login page?

If you are the only administrator and your IP address rarely or never changes, then try restricting access to your login page solely to you. Add this to the top of your .htaccess file:

RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^0\.0\.0\.0$
RewriteRule ^(.*)$ - [R=403,L]


And Voilà!  Bots go Bye Bye!


6. How do I block a range of IP addresses?

Sadly, there may come a time when you simply need to block one or a range of IP addresses. The solution is simple enough. Just add this to the top of your .htaccess file:

# Block Mass IP Connections
 order allow,deny
 allow from all
 deny from
 deny from 0.0.0.


And Enjoy!

I’ve posted a few basic article links below. Likewise, if you have questions just pick up the phone and call anytime, Jim Walker, The Hack Repair Guy, (619) 479-6637

HackGuard.com | Managed WordPress Update Service


Please feel free to comment via WordPress, Twitter, or Facebook

Proactive WordPress Security Management for Pennies a Day™
© Copyright 2024 HackGuard.com™, HackRepair.com™,
The Hack Repair Guy™, Hack Repair Guy™
Copyright and Trademark Statement | Privacy Policy

Call HackRepair.com for website security help, (619) 479-6637.
Content Approved By Jim Walker, The Hack Repair Guy