Use .htaccess to block WordPress brute force attacks

WordPress sites are a frequent target of brute force attacks, in which automated scripts try large numbers of username and password guesses against the login form. A few lines in your .htaccess file will turn away most of these scripts before the request ever reaches WordPress, which also spares your site the load they cause.

Open the cPanel File Manager and edit the .htaccess file in the folder where WordPress is installed (usually public_html). At the very beginning of the file, before anything else, add the following lines:


# Block POST requests to the login page and the wp-admin folder that did
# not come from a form on this site (no Referer header, or a foreign one).
RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
# admin-ajax.php is called from the public side of the site by themes
# and plugins, so it must stay reachable.
RewriteCond %{REQUEST_URI} !/wp-admin/admin-ajax\.php$
RewriteCond %{REQUEST_URI} /wp-login\.php [OR]
RewriteCond %{REQUEST_URI} /wp-admin/
RewriteRule .* - [F]


Be sure to change example\.com to your own domain, without the www (the (www\.)? part already accepts it). Keep the backslash before each dot: in a regular expression a bare . matches any character, so without it the check is looser than you intend. A typo that leaves the file with invalid syntax takes the whole site down with a 500 error, so load a page immediately after saving.

What these lines do is check for anyone sending a POST request to wp-login.php or to a file in the wp-admin folder, and make sure the Referer header shows that they submitted the form from your own site. A brute force script normally posts straight to the login script without a Referer, so it receives a 403 Forbidden. The wp-admin/admin-ajax.php file is left open because themes and plugins post to it from the public pages of the site, and blocking it breaks those features. Two caveats: the Referer header is set by the client, so an attacker who bothers to add a fake one naming your domain is not stopped, which makes this a filter in front of strong passwords rather than a replacement for them; and a visitor whose browser or privacy extension strips the Referer will also get 403 when logging in.
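To see exactly which requests the rule lets through, here is an added example (not code from the original article) that re-implements the conditions in Python and runs them over a handful of constructed requests, so the behaviour can be checked without a web server. example.com stands for your own domain, and the URIs and Referer values are made up. LOOSE_REFERER is a pattern of the form ^http://(.*)?example\.com that is often seen in copied rules; it is included only to show that it rejects logins made over https and accepts any foreign Referer that merely contains your domain, which the anchored pattern does not.

```python
"""Offline check of the Referer-based .htaccess rule.

Added example, not code from the original article: it re-implements the
RewriteCond checks in Python so the logic can be exercised against
constructed requests without a web server.  example.com stands for your
own domain; every request below is made up for illustration.
"""
import re

# Anchored site pattern: scheme, optional www, the domain, then a slash.
SITE_REFERER = re.compile(r"^https?://(www\.)?example\.com/", re.IGNORECASE)
# Looser pattern often seen in copied rules; kept only for comparison.
LOOSE_REFERER = re.compile(r"^http://(.*)?example\.com", re.IGNORECASE)

PROTECTED_URI = re.compile(r"/wp-login\.php|/wp-admin/")
AJAX_URI = re.compile(r"/wp-admin/admin-ajax\.php$")


def blocked(method, uri, referer, referer_re=SITE_REFERER):
    """True when the rule set answers 403, i.e. RewriteRule ... [F] fires.

    Mirrors: method is POST AND Referer does not match the site AND
    the target is not admin-ajax.php AND (wp-login.php OR wp-admin/).
    Apache expands a missing Referer header to the empty string, which
    never matches the site pattern, so None is treated the same way.
    """
    if method != "POST":
        return False
    if referer_re.match(referer or ""):
        return False
    if AJAX_URI.search(uri):
        return False
    return bool(PROTECTED_URI.search(uri))


# Constructed requests: (method, uri, Referer header or None).
SAMPLES = [
    ("POST", "/wp-login.php", None),                                    # typical brute-force script
    ("POST", "/wp-login.php", "https://example.com/wp-login.php"),      # browser login (or a script faking it)
    ("POST", "/wp-login.php", "https://www.example.com/wp-login.php"),  # www variant
    ("GET",  "/wp-login.php", None),                                    # viewing the form stays open
    ("POST", "/wp-admin/admin-ajax.php", None),                         # theme/plugin AJAX, must not break
    ("POST", "/wp-admin/post.php", None),                               # file inside wp-admin
    ("POST", "/wp-login.php", "http://attacker.example/?example.com"),  # foreign Referer containing the domain
]


def evaluate(samples=SAMPLES, referer_re=SITE_REFERER):
    """Verdict per sample (True = 403) for the given Referer pattern."""
    return [blocked(m, u, r, referer_re) for m, u, r in samples]


if __name__ == "__main__":
    rows = zip(SAMPLES, evaluate(), evaluate(referer_re=LOOSE_REFERER))
    for (m, u, r), tight, loose in rows:
        print(f"{m:4} {u:28} {str(r):44} anchored={'403' if tight else 'pass':4} "
              f"loose={'403' if loose else 'pass'}")
```

Running the script prints one line per sample with the verdict under each pattern. Note that the second sample, a Referer that looks exactly like a real login from your site, passes under both patterns whether a browser or a script sent it; that is the limit of a Referer check.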

If you want to take security one step further and you only access your site from one IP address, or a known set of addresses, you can limit access to just those IPs. Check your current address before you save, and remember that home and mobile connections often change address, so you can lock yourself out. If the site sits behind a CDN or reverse proxy, REMOTE_ADDR holds the proxy's address rather than the visitor's, and these rules will not behave as intended unless the server restores the real client address (for example with mod_remoteip).


# Allow the login page and the wp-admin folder from one trusted IP only;
# admin-ajax.php stays open because themes and plugins call it publicly.
RewriteEngine on
RewriteCond %{REQUEST_URI} !/wp-admin/admin-ajax\.php$
RewriteCond %{REQUEST_URI} /wp-login\.php [OR]
RewriteCond %{REQUEST_URI} /wp-admin/
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule .* - [F]


In this example, change 123\.123\.123\.123 to your IP address, again keeping the \ before each . so the dot is matched literally. If you need to access the site from several addresses, add one REMOTE_ADDR line per address; a request is blocked only when it matches none of them:


RewriteEngine on
RewriteCond %{REQUEST_URI} !/wp-admin/admin-ajax\.php$
RewriteCond %{REQUEST_URI} /wp-login\.php [OR]
RewriteCond %{REQUEST_URI} /wp-admin/
# One line per trusted address; replace both placeholders with your own.
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteCond %{REMOTE_ADDR} !^124\.124\.124\.124$
RewriteRule .* - [F]
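The two mistakes that creep into this block when it is typed by hand are a missing backslash and a mistyped or duplicated address. The following added example (not code from the original article) generates the allowlist block in Python instead: each address is validated with the standard library's ipaddress module, every dot is escaped with re.escape, duplicates are dropped, and an empty list is refused because it would lock everyone out. The addresses it is run with are placeholders.

```python
"""Generate the IP-allowlist .htaccess block from a list of addresses.

Added example, not code from the original article: it writes the
RewriteCond lines for the allowlist technique, validating each address
with the standard library and escaping every dot, so a missing backslash
or a malformed address cannot slip into the file.  The addresses used
below are placeholders.
"""
import ipaddress
import re

# Fixed part of the block: protect wp-login.php and the wp-admin folder,
# but leave admin-ajax.php open for themes and plugins.
HEADER = [
    "RewriteEngine on",
    r"RewriteCond %{REQUEST_URI} !/wp-admin/admin-ajax\.php$",
    r"RewriteCond %{REQUEST_URI} /wp-login\.php [OR]",
    "RewriteCond %{REQUEST_URI} /wp-admin/",
]
FOOTER = ["RewriteRule .* - [F]"]


def ip_condition(address):
    """One 'not this address' condition; raises ValueError on bad input."""
    ip = ipaddress.IPv4Address(address)  # AddressValueError is a ValueError
    return "RewriteCond %{REMOTE_ADDR} !^" + re.escape(str(ip)) + "$"


def allowlist_block(addresses):
    """The complete block: requests are refused unless REMOTE_ADDR matches
    one of the addresses.  Duplicates are dropped since they add nothing."""
    conds = []
    for a in addresses:
        cond = ip_condition(a)
        if cond not in conds:
            conds.append(cond)
    if not conds:
        raise ValueError("an empty allowlist would lock everyone out, yourself included")
    return "\n".join(HEADER + conds + FOOTER)


if __name__ == "__main__":
    # Placeholder addresses; substitute the ones you actually connect from.
    print(allowlist_block(["123.123.123.123", "124.124.124.124"]))
```

Paste the printed block at the top of .htaccess exactly as produced. Because the script refuses anything that is not a well-formed IPv4 address, a stray space or a transposed digit shows up as an error on your screen rather than as a 500 error on the live site.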

 