Use .htaccess to block WordPress brute force attacks

WordPress has recently been targeted by brute force attacks in which attackers use automated scripts to guess your admin login credentials. Fortunately, with a few lines in your .htaccess file you can stop these attacks.

Open the cPanel File Manager and edit your .htaccess file. At the very top of the file, before anything else, add the following lines:


# Block POSTs to the login form that did not come from a page on this site
RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
# The Referer must start with http(s):// and your domain (any subdomain is accepted)
RewriteCond %{HTTP_REFERER} !^https?://(.*)?example\.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# [F] answers 403 Forbidden without rewriting the URL
RewriteRule ^(.*)$ - [F]


Be sure to change example\.com to your domain, without the www. It is also important to keep the \ before the ., or this will not work and you will get an error on your site.

What these lines do is check for anyone sending a POST request to your wp-login.php script, or to the wp-admin folder, and make sure that the form was submitted from your site, using the Referer header the browser sends. An attacker's script accesses the form directly, without coming from your site, so this blocks it. Keep in mind that the Referer header is supplied by the client, so this filter stops the scripts that send no Referer or a foreign one; it is a cheap first line of defense rather than a guarantee.
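Before and after adding the rule it is worth confirming in the access log that the login POSTs are actually there and are now being answered with 403. The script below is an added example, not part of the original article: it parses Apache combined-format log lines, counts POSTs to wp-login.php per client address, records how many carried no Referer and how many were refused, and lists addresses above an attempt threshold. The log lines and the RFC 5737 addresses in it are constructed sample data.

```python
"""Spot WordPress login brute-force attempts in an Apache access log.

Added example with constructed sample data; not code from the original article.
"""
import re

# Apache "combined" log format: client, ident, user, [timestamp], "request",
# status, size, "referer", "user agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines. 198.51.100.7 hammers wp-login.php with no Referer and
# receives the 403 the .htaccess rule returns; 203.0.113.5 is a real user whose POST
# carries the site's own Referer; 192.0.2.9 was logged before the rule existed.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Apr/2013:13:55:36 -0700] "POST /wp-login.php HTTP/1.1" 403 199 "-" "python-requests/1.2"',
    '198.51.100.7 - - [10/Apr/2013:13:55:37 -0700] "POST /wp-login.php HTTP/1.1" 403 199 "-" "python-requests/1.2"',
    '198.51.100.7 - - [10/Apr/2013:13:55:38 -0700] "POST /wp-login.php HTTP/1.1" 403 199 "-" "python-requests/1.2"',
    '198.51.100.7 - - [10/Apr/2013:13:55:39 -0700] "POST /wp-login.php HTTP/1.1" 403 199 "-" "python-requests/1.2"',
    '203.0.113.5 - - [10/Apr/2013:14:01:02 -0700] "GET /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Apr/2013:14:01:09 -0700] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Apr/2013:14:03:40 -0700] "POST /wp-comments-post.php HTTP/1.1" 302 0 "https://example.com/hello-world/" "Mozilla/5.0"',
    '192.0.2.9 - - [09/Apr/2013:02:12:51 -0700] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 3010 "-" "curl/7.29.0"',
    'garbage line that is not in combined format',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_login_post(rec):
    """True for a POST whose path (ignoring any query string) is wp-login.php."""
    path = rec["path"].split("?", 1)[0]
    return rec["method"] == "POST" and path.endswith("/wp-login.php")


def summarize(lines):
    """Per client address: login attempts, how many were refused (403), allowed, and sent without a Referer."""
    stats = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_login_post(rec):
            continue
        s = stats.setdefault(rec["ip"], {"attempts": 0, "blocked": 0, "allowed": 0, "no_referer": 0})
        s["attempts"] += 1
        if rec["status"] == 403:
            s["blocked"] += 1
        else:
            s["allowed"] += 1
        if rec["referer"] in ("", "-"):
            s["no_referer"] += 1
    return stats


def suspicious_ips(stats, threshold=3):
    """Addresses with at least `threshold` login POSTs, sorted for stable output."""
    return sorted(ip for ip, s in stats.items() if s["attempts"] >= threshold)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip, s in sorted(stats.items()):
        print(f"{ip:15} attempts={s['attempts']} blocked={s['blocked']} "
              f"allowed={s['allowed']} no_referer={s['no_referer']}")
    print("suspicious:", suspicious_ips(stats))
```

Run it against your real log with `summarize(open("access_log"))`; an address that keeps appearing in the output with `allowed` greater than zero and no Referer is one the rule is not catching.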

If you want to take security one step further, and you only access your site from one IP address or a known set of IP addresses, you can limit access to just those IPs.


# Allow wp-login.php and wp-admin only from the listed address
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
# R=403 answers Forbidden; L stops processing any further rules
RewriteRule ^(.*)$ - [R=403,L]


In this example, change 123\.123\.123\.123 to your IP address, again making sure there is a \ before each . or you'll get errors. If you need access from multiple IPs, add one REMOTE_ADDR line per address:


RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# One REMOTE_ADDR condition per allowed address (both values are placeholders to replace)
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.124$
RewriteRule ^(.*)$ - [R=403,L]
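Writing the REMOTE_ADDR lines by hand is where the escaping mistake above creeps in, and a bare . in the pattern matches any character rather than a literal dot, so the allowlist becomes looser than intended. The script below is an added example, not part of the original article: it validates each address, escapes it, and emits the allowlist block shown above; a second function scans an existing .htaccess for REMOTE_ADDR conditions that still contain an unescaped dot. The sample addresses are placeholders.

```python
"""Generate and check the IP allowlist block for wp-login.php and wp-admin.

Added example; not code from the original article. Addresses used are placeholders.
"""
import ipaddress
import re

# A dot that is not already preceded by a backslash.
UNESCAPED_DOT = re.compile(r"(?<!\\)\.")


def htaccess_ip_allowlist(ips):
    """Return the .htaccess text that answers 403 to wp-login.php / wp-admin unless REMOTE_ADDR is in `ips`."""
    ips = list(ips)
    if not ips:
        # An empty list would lock everyone out, including you.
        raise ValueError("at least one allowed address is required")
    lines = [
        "RewriteEngine on",
        r"RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]",
        r"RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$",
    ]
    for ip in ips:
        addr = ipaddress.ip_address(ip)      # raises ValueError for anything that is not an IP address
        escaped = re.escape(str(addr))       # every '.' becomes '\.' so it matches a literal dot
        lines.append(r"RewriteCond %{REMOTE_ADDR} !^" + escaped + "$")
    lines.append("RewriteRule ^(.*)$ - [R=403,L]")
    return "\n".join(lines) + "\n"


def unescaped_dots_in_conditions(text):
    """Return (line_number, line) for each REMOTE_ADDR condition whose pattern contains a bare '.'."""
    bad = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "RewriteCond" and parts[1] == "%{REMOTE_ADDR}":
            if UNESCAPED_DOT.search(parts[2]):
                bad.append((n, line))
    return bad


if __name__ == "__main__":
    block = htaccess_ip_allowlist(["123.123.123.123", "198.51.100.7"])
    print(block)
    # A hand-written line that forgot the backslashes is reported.
    print(unescaped_dots_in_conditions(r"RewriteCond %{REMOTE_ADDR} !^123.123.123.123$"))
```

Paste the generated block at the top of .htaccess as the article describes, and run `unescaped_dots_in_conditions(open(".htaccess").read())` on a file you edited by hand before saving it.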
