Stop Brute Force WordPress Login Attempts
Real quick
We’re going to create a login prompt before your login page. It sounds silly, or annoying, but it works. Before the attacker can reach your WP Login page, we want to ask them to log in. This login prompt can take a beating and your server will barely notice.
We’ll use a couple of .htaccess files and a few cPanel settings to make it happen.
It happened to us
We started our day with a message from our host. Our company website was down, and so was every client website on our server. The feeling of panic in the morning is like having an out-of-body experience. You’re not awake enough to really feel it, yet you see yourself doing triage. We asked the host what was up, and they told us it looked like a brute force attack on the company website’s WordPress login page. So we suspended the site, and our client websites came back online. We removed the suspension after a while, and the attack came back in full force within minutes. That's a problem you really don't want.
Why a brute-force attack can take your site down
When you log in to your WordPress site, you make a server request: please check my username and password and respond, good or bad. That takes a moment. When you sic a robot on those WP login fields, that takes a lot more time and a lot more resources. Your server can’t handle the requests and can no longer serve web pages to customers. Your site is down.
A simple way to prevent this
We’re going to create a login prompt before we can reach the WP Login page. So you’ll have to get through this one first. What works isn’t the double login, though that is a nice feature. What makes this method great is this initial prompt allows bots to throw their worst at it, and the server won’t feel a thing. Your site stays up, and the bot stays out.
Note: First, the way I figured this out was by reading a post our hosting company wrote. It’s got a few issues, but if my instructions are not working for you, you can try theirs.
cPanel Settings
- Log in to the cPanel account you want to protect.
- Click Directory Privacy
- Navigate to the /public_html/wp-admin folder and click the Edit button.
- Give it this name:
wp-admin
- Go back and set a username and password. Make it good. You’ll need to enter this correctly to reach the WP Login page.
The cPanel part is done. Now we need to access the .htaccess file that sits in your public-facing root directory (usually public_html).
.htaccess Changes
Edit the .htaccess file and add the following code. I put it at the top, before any WP stuff or PHP handling, but it might work just as well at the bottom.
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"
# Protect the wp-admin directory
<Files wp-login.php>
AuthType Basic
AuthName "wp-admin"
AuthUserFile "/home/your_account/.htpasswds/public_html/wp-admin/passwd"
require valid-user
</Files>
Your path next to AuthUserFile will be different. I find the path in cPanel’s File Manager in the top left corner.
Save this file to the server. Now we have one more change to make.
One more .htaccess change
In your /wp-admin directory you might find a .htaccess file. If so, edit it. If not, create one. Then add the following code:
Order allow,deny
Allow from all
Satisfy any
AuthType Basic
AuthName "wp-admin"
AuthUserFile "/home/your_account/.htpasswds/public_html/wp-admin/passwd"
require valid-user
Again, you’ll need to set the path correctly.
Edit: 12/10/2021
The current version of cPanel now creates the /wp-admin/.htaccess file for you. I no longer create or edit this file when setting up directory privacy for a new website.
Save this file to the server and head over to your website homepage. You should still be able to view pages and navigate around your website without any issues.
Now try to log in to WordPress, however you do that. I tend to add /login to the end of the site URL if permalinks are set up to use the post name. In any case, you should see a login prompt you haven’t seen before. Enter the username and password you created earlier. If you got it right, you should be directed to your WP Login page.
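As an added example (not code from the post or from cPanel), the Python below builds the two pieces the procedure relies on, a passwd file in Apache’s {SHA} htpasswd format (what `htpasswd -s` writes) and the root .htaccess block with the AuthUserFile path filled in, and then mimics the check Apache performs on the browser’s Authorization header. The username, password and path are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Constructed sample credentials for the demo, not a real account.
USERS = {"wpgate": "correct horse battery staple"}

def htpasswd_entry(user: str, password: str) -> str:
    """One line in Apache's {SHA} htpasswd format: user:{SHA}base64(sha1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"

def build_htpasswd(users: dict) -> str:
    """Contents of the passwd file that AuthUserFile points at."""
    return "".join(htpasswd_entry(u, p) + "\n" for u, p in users.items())

def wp_login_htaccess(auth_user_file: str, realm: str = "wp-admin") -> str:
    """The root .htaccess block from the post, with the account-specific path filled in."""
    return "\n".join([
        'ErrorDocument 401 "Denied"',
        'ErrorDocument 403 "Denied"',
        "<Files wp-login.php>",
        "    AuthType Basic",
        f'    AuthName "{realm}"',
        f'    AuthUserFile "{auth_user_file}"',
        "    require valid-user",
        "</Files>",
    ]) + "\n"

def basic_header(user: str, password: str) -> str:
    """What the browser sends after the prompt: base64, not encryption, so serve the site over HTTPS."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")

def check_basic_auth(authorization: str, htpasswd_text: str) -> bool:
    """Mimic Apache's check: decode the header, find the user, compare the {SHA} hash.
    No PHP and no database query happen here, which is why this gate is cheap to hammer."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Basic":
        return False
    try:
        user, sep, password = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return False
    if not sep:
        return False
    expected = htpasswd_entry(user, password).encode("utf-8")
    for line in htpasswd_text.splitlines():
        if line.split(":", 1)[0] == user:
            return hmac.compare_digest(line.encode("utf-8"), expected)
    return False  # unknown user: same answer as a wrong password

if __name__ == "__main__":
    passwd = build_htpasswd(USERS)
    print(wp_login_htaccess("/home/your_account/.htpasswds/public_html/wp-admin/passwd"))
    print(check_basic_auth(basic_header("wpgate", "correct horse battery staple"), passwd))
```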
In case things get messed up
Editing .htaccess files can cause your site to stop working. If that’s the case, undo the changes to both of the files we edited and save them. Those filenames are:
/.htaccess
/wp-admin/.htaccess
Now see if your troubles go away. If not, undo the changes you made to cPanel. Then come back here and make sure you followed the instructions correctly. If you have any trouble, write me here and let me know. Or try the original instructions from InMotion Hosting for more clues to your problem.