Quick Tip: Protect Your WordPress Login Page From Brute Force Attacks

By Jennifer Mattern on June 10, 2014 in Blog Management

Lock Down Your Blog

If you're a WordPress blogger, chances are that you're aware of the massive brute force attempts targeting WordPress sites lately. If you're not sure what these are, basically it's when someone attempts to hack your site by guessing your username and password. But they usually do this with bots that let them automate the process, and your site can be hit hundreds (if not thousands) of times a day. And if you don't have any brute force protection on your server or your WordPress installation, you might never know until someone hacks your site.

Fortunately you can block these attempts fairly easily.

Brute Force Protection Plugins

One way to protect your site is to install a WordPress security plugin that offers brute force protection. These will generally let you decide how many login attempts a user gets before they're automatically locked out and unable to try again for a certain amount of time.

The problem with this method is that potential attackers still get to try at all, so you're still at risk. And giving them access to the login page still lets them automatically attempt to log in with different usernames and from different IP addresses, at a frequency that can slow down your site.
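The per-IP attempt counting that lockout plugins do can also be done after the fact from the web server's access log, which is how you would notice the hundreds of hits a day described above. The following Python script is an added example, not code from the original post or from any plugin: it parses a few constructed Apache combined-format log lines and counts POST requests to wp-login.php per client address, treating a 200 response (WordPress re-renders the form on a failed login) as a failure and a 302 redirect as a success. The sample addresses come from the RFC 5737 documentation ranges.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format (illustrative only).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2014:08:00:01 -0400] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2014:08:00:02 -0400] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2014:08:00:03 -0400] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2014:08:00:04 -0400] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2014:08:00:05 -0400] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2014:08:00:06 -0400] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Jun/2014:08:01:00 -0400] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Jun/2014:08:01:09 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Jun/2014:08:01:10 -0400] "GET /wp-admin/ HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2014:08:02:00 -0400] "GET /about/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

# client ip, ident, user, [timestamp] "METHOD path protocol" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (ip, method, path, status) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?")[0]  # drop any query string
    return m.group("ip"), m.group("method"), path, int(m.group("status"))


def login_post_counts(log_text):
    """Count failed login POSTs to wp-login.php per client IP.

    Heuristic: a failed WordPress login re-renders the form (HTTP 200), while a
    successful one redirects to wp-admin (HTTP 302). Only 200 responses are
    counted, so a user who logs in normally does not build up a high count.
    """
    failures = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed or non-matching lines
        ip, method, path, status = parsed
        if method == "POST" and path.endswith("/wp-login.php") and status == 200:
            failures[ip] += 1
    return failures


def suspicious_ips(log_text, threshold=5):
    """IPs whose failed-login count meets or exceeds the threshold, most active first."""
    counts = login_post_counts(log_text)
    return [ip for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for ip, n in login_post_counts(SAMPLE_LOG).most_common():
        print(f"{ip:16} {n} failed login attempts")
    print("Lockout candidates:", suspicious_ips(SAMPLE_LOG))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the threshold plays the same role as the "attempts before lockout" setting in a plugin, except that here nothing is blocked, you only learn who is knocking.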

Protecting wp-login.php

These days I go a step farther for any site where I'm the only person who needs to log in. I limit access to the wp-login.php file (and sometimes the wp-admin folder) to my IP address. If you have a dynamic IP address that occasionally changes, you can always update this in your .htaccess file by logging into your hosting account, so temporarily losing access to the WP login page isn't a big deal.


Advertisement

To make your wp-login.php file accessible only from your IP address, open the .htaccess file in your site's web root and add the following (replacing the Xs with your IP address, which you can discover by visiting WhatIsMyIP.com). Note that %{REMOTE_ADDR} is the address of whatever connects directly to your web server: if your site sits behind a CDN or reverse proxy, Apache sees the proxy's address rather than yours, and this rule would lock you out.

RewriteEngine on
# Only act on requests for wp-login.php (anywhere in the path)
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$
# ...and only when the client is NOT your address (dots are escaped so they match literally)
RewriteCond %{REMOTE_ADDR} !^x\.x\.x\.x$
# Both conditions true: answer 403 Forbidden and stop processing further rules
RewriteRule ^(.*)$ - [R=403,L]

For example, if your IP address were 123.456.789.0 (an obviously made-up placeholder; real IPv4 octets run from 0 to 255), you would add the following to your .htaccess file:

RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$
RewriteCond %{REMOTE_ADDR} !^123\.456\.789\.0$
RewriteRule ^(.*)$ - [R=403,L]

By no means is this the only way to protect your WordPress login page. But it's a quick fix and a good start if you're the only one who needs to access it. And this keeps bots from slowing things down with repeated login failures.

If you'd like to learn how to tweak this to also limit the wp-admin folder to your IP address, or if you want to allow multiple IP addresses to log into your site, InMotion Hosting has a great guide on taking this farther.
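The rules above hard-code one address and rely on the dots being backslash-escaped so that they match literally in the regex. As an added example, not code from the post or from InMotion Hosting's guide, this Python helper generates the same block for one or more addresses (covering the multiple-IP case mentioned above), rejects malformed input such as 123.456.789.0, and evaluates the generated conditions the way mod_rewrite does, so you can check which requests would receive the 403 before touching a live .htaccess. The function names are my own.

```python
import ipaddress
import re


def htaccess_allow_login(allowed_ips):
    """Build the .htaccess rules from the post for one or more client IPv4 addresses.

    Each address is validated (e.g. "123.456.789.0" is rejected because octets
    must be 0-255) and its dots are escaped so they match literally. With several
    addresses one RewriteCond per IP is emitted; consecutive conditions are ANDed
    by default, so the 403 fires only when the client matches none of them.
    """
    if not allowed_ips:
        raise ValueError("at least one IP address is required")
    conds = []
    for ip in allowed_ips:
        addr = ipaddress.IPv4Address(ip)  # raises AddressValueError (a ValueError) on bad input
        escaped = str(addr).replace(".", r"\.")
        conds.append(f"RewriteCond %{{REMOTE_ADDR}} !^{escaped}$")
    lines = [
        "RewriteEngine on",
        r"RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$",
        *conds,
        "RewriteRule ^(.*)$ - [R=403,L]",
    ]
    return "\n".join(lines)


# RewriteCond %{VARIABLE} [!]pattern
COND_RE = re.compile(r"^RewriteCond %\{(\w+)\} (!?)(\S+)$")


def request_blocked(rules, request_uri, remote_addr):
    """Evaluate the generated RewriteCond lines for one request.

    Returns True when every condition holds (so the RewriteRule fires and the
    client gets 403), False as soon as one condition fails. Mirrors mod_rewrite's
    default AND semantics for a run of conditions without the [OR] flag.
    """
    variables = {"REQUEST_URI": request_uri, "REMOTE_ADDR": remote_addr}
    for line in rules.splitlines():
        m = COND_RE.match(line)
        if not m:
            continue  # RewriteEngine / RewriteRule lines carry no condition
        var, negate, pattern = m.groups()
        matched = re.search(pattern, variables[var]) is not None
        if negate == "!":
            matched = not matched
        if not matched:
            return False
    return True


if __name__ == "__main__":
    rules = htaccess_allow_login(["203.0.113.7", "198.51.100.22"])  # constructed example IPs
    print(rules)
    for client in ("203.0.113.7", "198.51.100.22", "192.0.2.9"):
        verdict = "403" if request_blocked(rules, "/wp-login.php", client) else "allowed"
        print(f"{client:16} -> {verdict}")
```

Paste the printed block into .htaccess exactly as emitted; the simulator is only there to confirm that your own address passes and that an unrelated one (or an unescaped look-alike such as 203x0x113x7) does not.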

How do you protect your WordPress login page? Do you simply rely on plugins that stop attacks only after some attempts have been made? Do you change the location of your login page to make it more difficult for automated hacking attempts to find? Do you use a front-end login page with its own protection against automated brute force attacks (like a honeypot to stop bots from submitting the form in the first place)? Share your strategies, experience, or tips in the comments.

Have a request for the Tuesday Quick Tips series? Submit your quick tip request (or any reader question) using the free writing advice form.


Jennifer Mattern is a professional blogger, freelance business writer, and indie author. She began writing for clients in 1999 and started her first blog in 2004.

She owns 3 Beat Media - a publishing and client services company which operates All Indie Writers as well as several other websites and blogs including The Busy Author's Guide and BizAmmo. Jenn comes from a background in online PR and social media consulting, having owned a small PR firm for several years before choosing to pursue a full-time writing and publishing career.

Jenn also writes fiction under multiple pen names in the areas of children's fiction, mysteries, and horror fiction. Jenn is an active member of the Horror Writers Association (HWA) and currently serves as the organization's Assistant Coordinator of Promotions and Social Media.



4 Comments

  1. Cathy Miller, June 10, 2014

    I have been very happy with the Wordfence security plugin. A techie person recommended it and I have had it for a few years. They have a free version but I quickly upgraded as I didn’t feel the free version (at the time) got as much of their attention.

    • Jennifer Mattern (Author), June 10, 2014

      I keep hearing good things about that one Cathy. Probably from you! ;) In my case I just hesitate to install the more comprehensive security plugins if I can do what I need without them because of compatibility issues. It’s rare that I can introduce a big plugin and not have it break something else (at least here where so many are required). But one of these days I’ll have to give it a try on a newer site and see how it works in comparison. :)

  2. Amandah, June 11, 2014

    Thanks for the tip!

    I hired a “techie” to secure my website because I noticed people were creating posts on my site. Yikes! I’ve used WP since 2008 and never had this happen to me.

    Question for you… Who do you recommend for web hosting? I use Blue Host and upgraded to their VPS server and have had issues regarding backup. It may be time to move to a new hosting company. Thank you!

    • Jennifer Mattern (Author), June 11, 2014

      Oh no! I hope they were able to sort out the hack.

      I’m not at all a fan of BlueHost. They and 1&1 are awful, and I would never touch them for WordPress hosting. When I started out, I mostly used HostGator, and I was happy with them for the most part (though I did leave in large part due to a customer service issue). Now I mostly use MyHosting.com based in Toronto. I remember setup being a bit of a pain with them for a VPS, but once I got past that I haven’t had any real issues. There’s occasional downtime like there is with any host, but it’s less than other hosts I’ve used and they tend to be very responsive and quick to resolve things (and the problems are on my end as much as theirs).

      Who did you use to secure your site? I used Rack911 and loved them. But you have to remember with every plugin update, theme update, or new site installation you open the door to new vulnerabilities. So you have to keep an eye on things and periodically improve what you can. The worst attack I’ve had to deal with was a result of a plugin exploit. While I know there’s always a risk, I certainly hope I never have to deal with something to that scale again.
