Recently, all the WordPress websites that I manage came under persistent, automated hacking attempts. Each site was receiving multiple attempts to log into the nonexistent admin account. These brute-force attempts at guessing passwords all came from different IP addresses, which made it impossible to block them all.
Although I use CloudFlare as both a content delivery network (CDN) and for the added security benefits, it was not helpful in this instance, as the hack attempts were often coming from compromised webservers and the WordPress login page (wp‑login.php) is not cached by CloudFlare’s CDN.
My first line of defence was to lock down the websites using the WordFence plugin’s security setting at Level 4: Lockdown. This instantly blocked IP addresses that were attempting to log in as the nonexistent admin account. Unfortunately, each IP address was only hitting my site once, so it didn’t help much, and I received an email each time one of these attempts was blocked, which was slightly annoying.
Finally, I received two “final warning” emails from my webhost, threatening to suspend my account due to “CPU abuse” (for all the excessive attempts at guessing passwords). Luckily, they were helpful, and pointed me to a knowledge base article about using .htaccess to request a password before allowing access to wp‑login.php. This was OK, but I was a little resentful at having to enter two sets of login credentials each time I wanted to access each of the WordPress sites.
After a little research, I found that I can whitelist my IP address (in my case, a block of IP addresses, as my IP address isn’t static). This way, I will only be asked to enter an extra username and password if I connect from another location. Here are the steps to take:
- Create an htpasswd file called something like .wpadmin (I used an htpasswd generator website)
- Put the password file in the home directory of your hosting account (where it cannot be accessed from the web)
- Add the following to your .htaccess file:
# Begin Block Access To WP-Login
<Files wp-login.php>
ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
AuthType Basic
AuthName "Authorisation Required"
AuthUserFile /home/yourusername/.wpadmin
Require valid-user
Order deny,allow
Deny from all
Allow from 192.168.0.0/16
Allow from 10.1.1.82
# Satisfy any: a whitelisted IP address OR a valid password grants access
Satisfy any
</Files>
# End Block Access To WP-Login
Note: Make sure you enter the correct IP addresses to whitelist and put the correct path to the .wpadmin (htpasswd) file (the /home/yourusername/ path above is a placeholder). In the code above, I’m using 192.168.0.0/16 to demonstrate a range of IP addresses and 10.1.1.82 to demonstrate a single IP address.
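To make the access decision concrete, here is an added Python example (not code from the original post or from Apache) that models what the .htaccess rules above do: it builds a line in the {SHA} format that `htpasswd -s` writes, parses the password file, and applies the “Satisfy any” rule, granting access when the client IP falls in a whitelisted range or when valid Basic-auth credentials are supplied. The networks mirror the two Allow lines above; the usernames, passwords and client addresses are constructed sample values.

```python
import base64
import hashlib
import hmac
import ipaddress

# The two "Allow from" entries from the .htaccess rules: a /16 range and a single host
ALLOWED_NETWORKS = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("10.1.1.82/32"),
]


def htpasswd_sha_line(username, password):
    """Build one htpasswd line in Apache's {SHA} format (base64 of the raw SHA-1 digest).
    This is the format `htpasswd -s` writes; bcrypt (`htpasswd -B`) is stronger and
    preferable on a current Apache, but {SHA} is easy to reproduce without extra libraries."""
    digest = base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")
    return f"{username}:{{SHA}}{digest}"


def parse_htpasswd(text):
    """Parse an htpasswd file into {username: stored_hash}, skipping blanks and comments."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        users[user] = stored
    return users


def check_credentials(users, username, password):
    """Verify a username/password pair against the parsed file (only {SHA} entries handled)."""
    stored = users.get(username)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    candidate = htpasswd_sha_line(username, password).partition(":")[2]
    # Constant-time comparison so a wrong guess does not leak how many characters matched
    return hmac.compare_digest(stored, candidate)


def ip_whitelisted(client_ip):
    """True when the client address lies inside any of the Allow ranges."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def allow_wp_login(client_ip, users, credentials=None):
    """Model of 'Satisfy any': access is granted if the IP is whitelisted (no password
    prompt) OR, failing that, if valid Basic-auth credentials are presented."""
    if ip_whitelisted(client_ip):
        return True
    if credentials is None:
        return False  # Apache would answer 401 and show the AuthName prompt here
    username, password = credentials
    return check_credentials(users, username, password)


if __name__ == "__main__":
    # Constructed sample password file (what .wpadmin might contain)
    sample_file = "# constructed example\n" + htpasswd_sha_line("editor", "correct horse")
    users = parse_htpasswd(sample_file)
    print("home range, no password  ->", allow_wp_login("192.168.45.7", users))
    print("other network, no password ->", allow_wp_login("203.0.113.9", users))
    print("other network, good password ->", allow_wp_login("203.0.113.9", users, ("editor", "correct horse")))
    print("other network, bad password ->", allow_wp_login("203.0.113.9", users, ("editor", "guess")))
```

One caveat worth knowing: Order, Deny, Allow and Satisfy are Apache 2.2 directives. Apache 2.4 only honours them when mod_access_compat is loaded; the native 2.4 equivalent is a `<RequireAny>` block combining `Require ip` with `Require valid-user`. Check which version your host runs before relying on the rules.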
I recommend this strategy as part of a layered security approach for all WordPress sites.
- HostGator – WordPress Login – Brute Force Attack
- Stack Overflow – .htaccess / .htpasswd bypass if at a certain IP address