How To Prevent Brute Force Login Attempts by Password Protecting login.php

Updated November 15th, 2017

Given the popularity of WordPress, brute force attacks by distributed botnets and automated tools are not uncommon; recently a login brute force campaign was directed at a number of high-profile WordPress websites. Such attacks can be blunted, however, and this article shows one way to do it: putting a second, server-level password in front of the login page.

Password protecting the login.php file

In order to protect this file, there are two steps to take: first, create a password file named .wpadmin containing your username and a password hash; then activate it in the .htaccess file.

Creating the password file is relatively easy: create a file named .wpadmin (the leading period is part of the file name, so don't forget it) and place it in your hosting account's home directory, the one the AuthUserFile path in .htaccess will point to. Keep it outside the web-accessible document root: Apache's default configuration only blocks requests for .ht* files, so a .wpadmin file inside the document root could be downloaded like any other page.

On other server layouts the location might be /var/www/vhosts or /var/www/vhosts/domain; follow your particular path, and keep the file out of any directory Apache serves.

Then, edit the .wpadmin file to contain the following line:

username:passwordhash

Example: Gina:s5MfEoHJIQkKg – Gina is your username, and the string after the colon is the hash of the password, not the password itself. Note that this particular example is a 13-character traditional crypt hash, which only uses the first eight characters of the password; where your server supports it, prefer a bcrypt hash (htpasswd -B) instead.

Another way to get it done is to follow these steps:

  1. Visit: http://www.htaccesstools.com/htpasswd-generator/ (be aware that this sends your chosen password to a third-party site; generating the hash locally with htpasswd, described below, avoids that)
  2. Create your username:hash line by following the steps on the page
  3. Log in to cPanel in a different browser or a different tab in your browser
  4. Click on the File Manager tab
  5. Select Home Directory
  6. Check Show Hidden Files (dotfiles) if it isn't already ticked
  7. Click the Go button

You should now see the .wpadmin file:

If you see it, right-click it and select the Code Edit option to open the editing tool. Click the Edit button and then edit your file.

If it's absent, use the New File option, name it .wpadmin, and click the Create New File button. Then paste in the username:hash line the generator gave you. When you're done, click the Save Changes button and close the file.

If you don't mind a bit of command line work, you can do it all with fewer external sources, using the .htaccess file and the htpasswd utility. htpasswd ships with Apache (the apache2-utils package on Debian/Ubuntu, httpd-tools on RHEL/CentOS) and writes the username:hash line for you without the password ever leaving your machine.

The next step is to update your .htaccess file. Once it is in place, wp-login.php is protected for every site whose .htaccess references the .wpadmin file. To finish up, paste the following into your .htaccess file:

ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
<FilesMatch "wp-login.php">
    AuthName "Authorized Only"
    AuthType Basic
    AuthUserFile /home/username/.wpadmin
    Require valid-user
</FilesMatch>

Note that username needs to be replaced by the cPanel username you actually use, so that AuthUserFile points at the .wpadmin file you created. Also keep in mind that Basic authentication sends the credentials base64-encoded, not encrypted, with every request, so serve the login page over HTTPS or the extra password can be read off the wire.
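The same two steps done from a shell, as an added example that is not part of the original post or of the hosting provider's code. The paths (/home/username/public_html as document root, /home/username/.wpadmin as the password file) and the user name are assumptions; the password file is written with Apache's htpasswd using bcrypt, the .htaccess block is rendered with the absolute path filled in, and a check refuses a password file that would sit inside the document root.

```shell
#!/bin/sh
# Added example (not from the original post). Paths and user names are
# assumptions; adjust them to your own account layout.
set -eu

# Classify the hash in one "user:hash" line so weak entries can be spotted.
# Apache's htpasswd writes bcrypt ($2y$), APR1-MD5 ($apr1$), SHA1 ({SHA}) or
# 13-character traditional crypt, which only looks at the first 8 characters
# of the password and is a poor choice today.
hash_kind() {
    entry=$1
    hash=${entry#*:}
    case $hash in
        '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;
        '$apr1$'*)               echo apr1-md5 ;;
        '{SHA}'*)                echo sha1 ;;
        *) if [ "${#hash}" -eq 13 ]; then echo crypt; else echo unknown; fi ;;
    esac
}

# Succeed only if the password file is NOT under the document root. Apache
# blocks .ht* files by default but not .wpadmin, so inside the document root
# it could simply be downloaded.
outside_docroot() {
    file=$1
    docroot=${2%/}
    case $file in
        "$docroot"/*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Render the .htaccess block from the article with the absolute path filled in.
render_htaccess() {
    cat <<EOF
ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
<FilesMatch "wp-login.php">
    AuthName "Authorized Only"
    AuthType Basic
    AuthUserFile $1
    Require valid-user
</FilesMatch>
EOF
}

# Create or extend the password file with a bcrypt entry, locally, instead of
# pasting the password into a web generator. The password is read from stdin
# (-i) so it never appears in the process list. Needs Apache's htpasswd
# (apache2-utils on Debian/Ubuntu, httpd-tools on RHEL/CentOS).
add_user() {
    file=$1
    user=$2
    if [ -f "$file" ]; then
        htpasswd -B -i "$file" "$user"
    else
        htpasswd -c -B -i "$file" "$user"
    fi
    chmod 0640 "$file"      # readable by the web server group only
}

DOCROOT=/home/username/public_html      # assumed cPanel layout
PASSWD_FILE=/home/username/.wpadmin      # assumed: home directory, not web root

if outside_docroot "$PASSWD_FILE" "$DOCROOT"; then
    render_htaccess "$PASSWD_FILE"
else
    echo "refusing: $PASSWD_FILE would be web-accessible" >&2
fi

# The article's sample entry is a traditional crypt hash.
echo "sample entry uses: $(hash_kind 'Gina:s5MfEoHJIQkKg')"

# Only run htpasswd when it is installed, writing into a scratch directory.
if command -v htpasswd >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    printf '%s' 'correct horse battery staple' | add_user "$tmp/.wpadmin" gina
    echo "new entry uses: $(hash_kind "$(cat "$tmp/.wpadmin")")"
    rm -r "$tmp"
fi
```

On a live server you would redirect the render_htaccess output into the site's .htaccess and run add_user against the real path; the outside_docroot check is the part most worth keeping when adapting this to a different directory layout.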

Code Sources: http://support.hostgator.com, http://codex.wordpress.org/Brute_Force_Attacks


WPLearningLab