Securing WordPress from Brute Force Attacks (.htaccess method)

Securing WordPress from a Brute Force AttackMassive brute force attacks against WordPress installations across virtually every web host in existence were reported in April 2013. According to media reports, a large botnet with more than 90,000 servers attempted to log in by cycling different usernames and passwords against the WordPress access points: /wp-login.php and /wp-admin. My websites and those of my customers are among those affected.

Today, it happened again against my server. While working on a couple of my sites this morning, performance suddenly dropped. After a few minutes, I was able to login to my Cpanel and saw the following site statistics:

Brute Force Attack Cpanel Statistics

I immediately contacted my host to find out why I was seeing nearly 100% CPU utilization and 100 Entry Processes. Within minutes I watched the CPU utilization drop to 20% and Entry Processes drop to zero. They emailed back and said my site was again the victim of a brute force attack and they added some code to my .htaccess file to prevent access to wp-login.php. In their email, they said,

To help keep these attackers out and to reduce the site's usage we blocked all access to the "wp-login.php" script through this code we added to your site's ".htaccess" file:

To allow yourself access to WordPress you can change that ".htaccess" rule to the following:

This is all well and good if I were the only user on my site. But I run a multisite instance of WordPress and have hundreds of users accessing protected content. They need to be able to use wp-login to access their materials. So here's a better way of securing WordPress against brute force attack-bots by denying access to no referrer requests by modifying your site's .htaccess file. This fix works against attack-bots only which are from where the majority of brute force attacks originate. This fix will not work against someone who accesses the pages from their browser and deliberately tries to hack your site.

When your readers leave a comment or login to your site, the wp-comments-post.php or wp-login.php file is accessed. These files do their thing, create the post or log a user into the system. When this happens, the user's browser sends a "referral" line about this. The referral line references your website and the files that were accessed.

When a spam-bot arrives, it hits these files directly and doesn't usually leave a referrer. As a result, you can direct the Apache server to detect this no referrer condition and reroute the spam-bot into cyberspace. By adding the code below to your .htacess file, you will accomplish four things:

  1. Detect when a POST is being made
  2. Check to see if the post is on wp-comments-post.php or wp-login.php
  3. Check if the referrer is in your domain or if no referrer
  4. Send the spam-bot BACK to its originating server's IP address.
The above code is for a single site installation. Change to the name of your domain. If you run a multisite installation with mapped domains as I do, then you would use the following code: runs on the Genesis Framework

Genesis FrameworkThe Genesis Framework empowers you to quickly and easily build incredible websites with WordPress. Genesis provides the secure and search-engine-optimized foundation that takes WordPress to places you never thought it could go.

Check out the incredible features and the selection of designs. It's that simple—start using Genesis now!

Click here to download The Genesis Guide for Absolute Beginners (PDF - 1.4 MB)


  1. Atinder says

    Well, recently Brute force Attacks has immensely increased, becoming a dangerous factor for all WordPress users, but it is a thing, which is fight-able, I mean, by using security methods, we can move brute force attacks out of the window. Although, it can be difficult for newbies, who just got started with WordPress, but he/she can learn by reading posts online and then can implement security.
    In my view, implementing only three tricks works very well, Changing Login Slug, A content Delivery network (CDN) and a Security Plugin, which bans IP address after a few Login attempts.

Leave a Reply

Your email address will not be published. Required fields are marked *