Stop Brute Force WordPress Login Attempts

How to Stop Brute Force Wordpress Login Attempts

Real quick

We’re going to create a login prompt before your login page. It sounds silly, or annoying, but it works. Before the attacker can reach your WP Login page, we want to ask them to login. This login promt can take a beating and your server will barely notice.

We’ll use a couple of .htaccess files and a few cPanel settings to make it happen.

It happened to us

We started our day with a message from our host. Our company website was down, and so was every client website on our server. The feeling of panic in the morning is like having an out-of-body experience. You’re not awake enough to really feel it, yet you see yourself doing triage. We asked the host what was up, and they told us it looked like a brute force attack on the company website’s WordPress login page. So we suspended the site, and our client websites came back online. We removed the suspension after a while, and the attack came back in full force within minutes. That's a problem you really don't want.

Why a brute-force attack can take your site down

When you log in to your WordPress site, you make a server request: please check my username and password and respond, good or bad. That takes a moment. When you sick a robot on those WP login fields, that takes a lot more time and a lot more resources. Your server can’t handle the requests and can no longer serve web pages to customers. Your site is down.

A simple way to prevent this

We’re going to create a login prompt before we can reach the WP Login page. So you’ll have to get through this one first. What works isn’t the double login, though that is a nice feature. What makes this method great is this initial prompt allows bots to throw their worst at it, and the server won’t feel a thing. Your site stays up, and the bot stays out.

Server login prompt

Note: First, the way I figured this out was by reading a post our hosting company wrote. It’s got a few issues, but if my instructions are not working for you, you can try theirs.

cPanel Settings

  1. Login to the cPanel account you want to protect.
  2. Click Directory Privacy
  3. Navigate to the /public_html/wp-admin folder and click the Edit button.
  4. Give it this name: wp-admin
  5. Go back and set a username and password. Make it good. You’ll need to enter this correctly to reach the WP Login page.

The cPanel part is done. Now we need to access the .htaccess file that sits in your public-facing root directory (usually public_html).

.htaccess Changes

Edit the .htaccess file and add the following code. I put it at the top, before any WP stuff or PHP handling, but it might work just as well at the bottom.

ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"

# Protect the wp-admin directory
<Files wp-login.php>
AuthType Basic
AuthName "wp-admin"
AuthUserFile "/home/your_account/.htpasswds/public_html/wp-admin/passwd"
require valid-user
</Files>

Your path next to AuthUserFile will be different. I find the path in cPanel’s File Manager in the top left corner.

Save this file to the server. Now we have one more change to make.

One more .htaccess change

In your /wp-admin directory you might find a .htaccess file. If so, edit it. If not, create one. Then add the following code:

Order allow,deny
Allow from all
Satisfy any
 
AuthType Basic
AuthName "wp-admin"
AuthUserFile "/home/your_account/.htpasswds/public_html/wp-admin/passwd"
require valid-user

Again, you’ll need to set the path correctly.

Edit: 12/10/2021

The current version of cPanel now creates the /wp-admin/.htaccess file for you. I no longer create or edit this file when setting up directory privacy for a new website.

Save this file to the server and head over to your website homepage. You should still be able to view pages and navigate around your website without any issues.

Now try to login to WordPress, however you do that. I tend to add /login to the end of the site URL if permalinks are setup to use the post name. In any case, you should see a login prompt you haven’t seen before. Enter the username and password you created earlier. If you got it right, you should be directed to your WP Login page.

In case things get messed up

Editing .htaccess files can cause your site to stop working. If that’s the case, undo the changes to both of the files we edited and save them. Those filenames are:

/.htaccess
/wp-admin/.htaccess

Now see if your troubles go away. If not, undo the changes you made to cPanel. Then come back here and make sure you followed the instructions correctly. If you have any trouble, write me here and let me know. Or try the original instructions from InMotion hosting for more clues to your problem.

Work with us

Start your project

Thank you for considering us! To get the conversation started, please fill out this short form. We'll get back to you within the next busines day.

Type of Project

The Details

Timeline

Budget

Referral

Hello!

How can we help you? Please fill out the form below and we'll respond within the next business day.

You are unique

Let us tailor an approach to your project that fits your budget and achieves the best possible outcome.

413-854-4599 sales@gemini-creative.com