WordPress has been targeted recently by brute force attacks, where hackers use automated scripts to try to guess your admin login credentials. Fortunately, with a few lines in your .htaccess file you can stop these attacks.
Open up the cPanel file manager and edit your .htaccess file. At the beginning of the file, before anything else, add the following lines of code:
# Block POST requests to the login page that were not submitted from this site.
# RewriteCond lines without [OR] are ANDed; the two REQUEST_URI lines are ORed.
RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
# https? covers sites served over HTTP and HTTPS; [NC] makes the match case-insensitive
RewriteCond %{HTTP_REFERER} !^https?://(.*)?example\.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]
Be sure to change example\.com to your domain, without the www. It is also important to have the \ before the . or this will not work and you will have an error on your site.
What this script does is check for anyone sending a POST request to your wp-login.php script or to your wp-admin folder, and it makes sure the form was submitted from your site. The hacker's script accesses the form directly, without coming from your site, so this rule blocks it from reaching your login.
If you want to take security one step further, and you only access your site from one IP address or a known set of IP addresses, you can limit access to just those IPs.
# Allow the login page and wp-admin only from one known IP address
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule ^(.*)$ - [R=403,L]
In this example, we need to change 123\.123\.123\.123 to your IP address, again making sure there is a \ before each . or you'll get errors. If you need to access from multiple IPs, just add more REMOTE_ADDR lines, one per address:
# Allow the login page and wp-admin from two known IP addresses.
# Each REMOTE_ADDR line is ANDed, so a request is blocked only if it matches none of them.
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteCond %{REMOTE_ADDR} !^234\.234\.234\.234$
RewriteRule ^(.*)$ - [R=403,L]
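To see exactly which requests the two rule sets above let through and which they block, here is a small Python model of their condition logic (an added example, not part of the original article). It uses the article's own REQUEST_URI patterns, assumes example.com as the protected domain and two constructed allow-listed IPs, and uses re.search to mirror RewriteCond's unanchored matching.

```python
import re
from dataclasses import dataclass

# Constructed values: the protected domain and the allow-listed admin IPs.
SITE_REFERER = r"^https?://(.*)?example\.com"
ALLOWED_IPS = ("123.123.123.123", "234.234.234.234")

# The two REQUEST_URI patterns exactly as used in the .htaccess rules.
LOGIN_URI = re.compile(r"^(.*)?wp-login\.php(.*)$")
ADMIN_URI = re.compile(r"^(.*)?wp-admin$")

@dataclass
class Request:
    method: str       # REQUEST_METHOD
    uri: str          # REQUEST_URI as mod_rewrite sees it, e.g. "/wp-login.php"
    referer: str      # HTTP_REFERER; "" when the client sent no Referer header
    remote_addr: str  # REMOTE_ADDR

def targets_login(req: Request) -> bool:
    """The two REQUEST_URI conditions joined by [OR]: either pattern suffices."""
    return bool(LOGIN_URI.search(req.uri) or ADMIN_URI.search(req.uri))

def referer_rule_blocks(req: Request, site_pattern: str = SITE_REFERER) -> bool:
    """First rule set: POST AND referer does NOT match the site AND login URI.
    RewriteCond matches unanchored (re.search); the pattern's ^ does the anchoring."""
    return (req.method == "POST"
            and not re.search(site_pattern, req.referer, re.IGNORECASE)  # [NC]
            and targets_login(req))

def ip_rule_blocks(req: Request, allowed=ALLOWED_IPS) -> bool:
    """Second rule set: login URI AND REMOTE_ADDR differs from every allowed IP.
    Each extra REMOTE_ADDR line is one more ANDed negative condition."""
    return targets_login(req) and all(req.remote_addr != ip for ip in allowed)

def evaluate(req: Request) -> dict:
    return {"referer_rule": referer_rule_blocks(req), "ip_rule": ip_rule_blocks(req)}

# Constructed sample traffic: a scripted login attempt versus the admin's own login.
BOT_POST = Request("POST", "/wp-login.php", "", "203.0.113.5")
ADMIN_POST = Request("POST", "/wp-login.php", "https://example.com/wp-login.php",
                     "123.123.123.123")
BOT_GET = Request("GET", "/wp-login.php", "", "203.0.113.5")
AJAX_POST = Request("POST", "/wp-admin/admin-ajax.php", "", "203.0.113.5")

if __name__ == "__main__":
    for req in (BOT_POST, ADMIN_POST, BOT_GET, AJAX_POST):
        print(req.method, req.uri, req.remote_addr, evaluate(req))
```

Running it shows that the referer rule alone ignores GET requests and does not cover paths below wp-admin such as admin-ajax.php, while an http-only referer pattern would lock out an admin logging in over HTTPS.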