
WordPress wp-login.php Brute Force Attacks

WordPress wp-login.php - Brute Force Attack

Over the past few months there has been a highly distributed WordPress attack focusing on the wp-login.php script. The following is a protective measure to keep these attacks from crashing your server or site.

Password Protect Your wp-login.php

The following steps can be used to secure (by password protection) wp-login.php for all WordPress sites.

Add the following to the top of your .htaccess file:

ErrorDocument 401 "Denied" 
ErrorDocument 403 "Denied"

# Stop Apache from serving .ht* files (Apache 2.2 syntax; Apache 2.4
# without mod_access_compat uses "Require all denied" instead)
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

# Protect wp-login
<Files wp-login.php>
AuthUserFile /var/www/vhosts/yourdomain.com/httpdocs/.htpasswd
AuthName "Private access"
AuthType Basic
require user mysecretuser
</Files>

The actual location of AuthUserFile depends on your server, and the name after 'require user' depends on the username you pick. The above example shows an AuthUserFile path on a server running the Plesk hosting control panel.

Now you will need to create the .htpasswd file shown in the AuthUserFile path and add the desired username and password to it. You can do so quickly using the online Htpasswd Generator. Simply enter the same username you set in the 'require' line of the above code you entered into your .htaccess file and enter a strong password. Click the 'Create .htpasswd File' button and it will display a string of text. Copy that text (which is your username and encrypted password) and place it into the .htpasswd file.

From this point on, you will be prompted for a username and password before the server will display your WordPress login page. The login and password for this first layer of protection are the username and password you entered in the Htpasswd Generator page, not your WordPress administrator login and password.
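To check the two files against each other before relying on this layer, the following added example (not part of the original article or any Netsonic tooling) audits an .htaccess/.htpasswd pair of the form shown above. The function names, messages and sample strings are constructed for illustration, and the parser only handles the simple <Files> layout used here.

```python
import re

def files_sections(htaccess):
    """Map each <Files ...> argument to its {directive: arguments} (names lowercased)."""
    sections, current = {}, None
    for line in (raw.strip() for raw in htaccess.splitlines()):
        opened = re.fullmatch(r"<Files\s+(.+)>", line, re.I)
        if opened:
            current = sections.setdefault(opened.group(1).strip().strip('"'), {})
        elif line.lower() == "</files>":
            current = None
        elif current is not None and line and not line.startswith("#"):
            name, args = (line.split(None, 1) + [""])[:2]
            current[name.lower()] = args
    return sections

def audit(htaccess, htpasswd):
    """Return a list of problems with the wp-login.php Basic-auth layer."""
    # Curly quotes pasted from a web page are not valid Apache quoting.
    problems = ["typographic quotes in .htaccess"] if re.search("[\u201c\u201d\u2018\u2019]", htaccess) else []
    sections = files_sections(htaccess)
    login = sections.get("wp-login.php", {})
    problems += [f"wp-login.php section lacks {d}"
                 for d in ("authtype", "authname", "authuserfile", "require") if d not in login]
    # Every name after 'require user' must have an entry in the password file.
    known = {entry.split(":", 1)[0] for entry in htpasswd.splitlines() if ":" in entry}
    kind, _, names = login.get("require", "").partition(" ")
    if kind.lower() == "user":
        problems += [f"user {n} is not in .htpasswd" for n in names.split() if n not in known]
    # The password file sits in the web root here, so .ht* files must be denied.
    denied = any(
        "\\.ht" in arg and ("from all" == rules.get("deny", "").lower()
                            or "all denied" == rules.get("require", "").lower())
        for arg, rules in sections.items())
    if not denied:
        problems.append(".ht* files are not denied")
    return problems

# Constructed sample input; the hash field is a placeholder, not a real credential.
GOOD_HTACCESS = r'''<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
<Files wp-login.php>
AuthUserFile /var/www/vhosts/yourdomain.com/httpdocs/.htpasswd
AuthName "Private access"
AuthType Basic
require user mysecretuser
</Files>'''
GOOD_HTPASSWD = "mysecretuser:HASH_PLACEHOLDER\n"
```

Calling audit() with the contents of your own .htaccess and .htpasswd returns an empty list when the username, the quoting and the .ht* deny rule all line up.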

If you need further assistance, please contact your Netsonic representative or submit a support request.