Dealing Brute Force Attacks: Password Protect the wp-login.php File
If you run a WordPress-based blog or website, you have surely noticed it going down more often than usual. The most probable reason is the ongoing large-scale brute force attack that specifically targets self-hosted WordPress sites. Since most of us use shared web hosting, the server sometimes receives too many continuous login attempts across all of the sites it hosts, which partially overloads it and results in some downtime.
Besides downtime, the other issue is that attackers keep trying different password combinations, and if you use a weak password there is a good chance they will guess it and gain access to your admin dashboard. So how do you deal with it? There are several good steps you can take; one of them is to add a second, .htaccess-based password in front of your wp-login.php page. Here is how you can do that:
Since most web hosts use cPanel, we will only discuss the steps for cPanel-based sites.
First, you need to create the .htpasswd file that stores your username and password. The password is stored in hashed form, not as plaintext, so you need a tool or online service to generate that line. If you don't know of any, you can use the one created by Andreas Gehrke. Just enter your desired username and password and the service will give you the line in the form username:hashedpassword.
Now log into your cPanel account and open the file manager in your home directory (enable "show hidden files"). Make sure you are in the home directory and not in public_html. Create a new file there called wplogin and paste the username:hashedpassword line generated in step 1 into it. Save the file when done.
Now open the public_html directory and edit your main .htaccess file. Paste the following near the top of the file (or anywhere you find suitable):
ErrorDocument 401 "Unauthorized Access! You need to provide valid credentials to login"
ErrorDocument 403 "Forbidden! You're not allowed to access this page."
<Files "wp-login.php">
AuthName "Administrators Only!"
AuthType Basic
AuthUserFile /home/USERNAME/wplogin
require valid-user
</Files>
Replace USERNAME in the code above with your cPanel account username, which is also the name of your home directory. Save the file when done.
That's it. The next time you access wp-login.php, the server will ask you for the username and password you just created. Once you enter the correct credentials you will be presented with the normal WordPress login page.
It's that easy, and it makes it twice as hard for someone to crack your WordPress password, since the attacker now has to guess two login combinations before reaching your admin panel. In 99.9% of cases this will be completely impossible.
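As an added example (not part of the original post), here is a small Python script that builds a wplogin entry locally instead of through an online service, and reproduces the check Apache performs for `require valid-user` when the browser sends its `Authorization: Basic` header. It uses Apache's unsalted `{SHA}` entry format (what `htpasswd -s` writes) purely because the standard library can reproduce it; for a real file prefer bcrypt via `htpasswd -B`. The function names and the sample username are assumptions made for this example.

```python
import base64
import hashlib
import secrets
from typing import Optional


def htpasswd_line(user: str, password: str) -> str:
    """Build one 'user:{SHA}hash' line, the format `htpasswd -s` writes (assumed helper)."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{user}:{{SHA}}{digest}"


def basic_header(user: str, password: str) -> str:
    """The Authorization value a browser sends after answering the 401 prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_header(header: str) -> Optional[tuple[str, str]]:
    """Decode 'Basic base64(user:password)'; return None for anything malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, sep, password = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 bytes
        return None
    return (user, password) if sep else None  # password itself may contain ':'


def check_credentials(htpasswd_text: str, header: str) -> bool:
    """Mimic the <Files wp-login.php> check: any user listed in the file may log in."""
    creds = parse_basic_header(header)
    if creds is None:
        return False
    user, password = creds
    for line in htpasswd_text.splitlines():
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, stored = line.split(":", 1)
        if name != user or not stored.startswith("{SHA}"):
            continue
        try:
            actual = base64.b64decode(stored[len("{SHA}"):], validate=True)
        except ValueError:
            return False
        expected = hashlib.sha1(password.encode()).digest()
        return secrets.compare_digest(expected, actual)  # constant-time comparison
    return False  # unknown user: Apache answers 401, never reveals which part failed


# Constructed sample file content, equivalent to what you would paste into wplogin.
SAMPLE_HTPASSWD = htpasswd_line("wpadmin", "correct horse battery") + "\n"
```

Run it against `SAMPLE_HTPASSWD` with `basic_header("wpadmin", "correct horse battery")` to see a successful check, and with a wrong password or an unknown user to see the 401 path.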
Some other things that you can do to secure your WordPress blog from hackers:
1. Don't use the default 'admin' username, as it is the username attackers target most.
2. Create a secure and different password for your login. If it gets hard for you to remember such passwords, start using password managers like LastPass.
3. Limit continuous failed login attempts using a plugin like ‘Login Security Solution’.