Securing WordPress from Brute Force Attacks (.htaccess method)

By Victor M. Font Jr.
June 3, 2013

Securing WordPress from a Brute Force Attack

Massive brute force attacks against WordPress installations across virtually every web host in existence were reported in April 2013. According to media reports, a large botnet with more than 90,000 servers attempted to log in by cycling different usernames and passwords against the WordPress access points: /wp-login.php and /wp-admin. My websites and those of my customers were among those affected.

Today, it happened again against my server. While working on a couple of my sites this morning, performance suddenly dropped. After a few minutes, I was able to log in to my cPanel and saw the following site statistics:

[Image: cPanel server utilization statistics]

I immediately contacted my host to find out why I was seeing nearly 100% CPU utilization and 100 Entry Processes. Within minutes I watched the CPU utilization drop to 20% and Entry Processes drop to zero. They emailed back and said my site was again the victim of a brute force attack and they added some code to my .htaccess file to prevent access to wp-login.php. In their email, they said,

To help keep these attackers out and to reduce the site's usage we blocked all access to the "wp-login.php" script through this code we added to your site's ".htaccess" file:

To allow yourself access to WordPress you can change that ".htaccess" rule to the following:

This is all well and good if I were the only user on my site. But I run a multisite instance of WordPress and have hundreds of users accessing protected content. They need to be able to use wp-login to access their materials. So here's a better way of securing WordPress against brute force attack bots: modify your site's .htaccess file to deny requests that carry no referrer. This fix works only against attack bots, which is where the majority of brute force attacks originate. It will not stop someone who loads the pages in a browser and deliberately tries to hack your site.

When your readers leave a comment or log in to your site, the wp-comments-post.php or wp-login.php file is accessed. These files do their job: they create the comment or log the user into the system. When this happens, the user's browser sends a "Referer" header along with the request. That header references your website and the page from which the form was submitted.

When a spam-bot arrives, it hits these files directly and usually doesn't send a referrer at all. As a result, you can direct the Apache server to detect this no-referrer condition and reroute the spam-bot into cyberspace. By adding the code below to your .htaccess file, you will accomplish four things:

  1. Detect when a POST is being made.
  2. Check whether the POST targets wp-comments-post.php or wp-login.php.
  3. Check whether the referrer is outside your domain, or missing altogether.
  4. Send the spam-bot BACK to its originating server's IP address.
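The four steps above, written out as mod_rewrite rules. This is an added example, not the article's own snippet; it assumes mod_rewrite is enabled for the directory and uses example.com as a placeholder for your domain.

```apache
# Added example (not the original post's code): referrer check for the
# WordPress login and comment handlers. Replace "example.com" with your
# own domain. Assumes mod_rewrite is available in this .htaccess context.
RewriteEngine On

# 1. Only act on POST requests.
RewriteCond %{REQUEST_METHOD} POST

# 2. ...and only when the target is the login or comment-post script.
RewriteCond %{REQUEST_URI} (wp-login|wp-comments-post)\.php [NC]

# 3. Referer is absent or not on our domain. An empty Referer also fails
#    this pattern, so the "no referrer" case is covered by the same line.
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?example\.com/ [NC]

# 4. Bounce the request back to the client's own IP address.
RewriteRule ^(.*)$ http://%{REMOTE_ADDR}/$1 [R=301,L]

# Multisite with mapped domains (assumption: Apache 2.4 or later, which
# supports "RewriteCond expr"): instead of listing every mapped domain,
# require the Referer host to match the Host header of the request being
# served. Use this in place of the example.com condition above.
# RewriteCond expr "! %{HTTP_REFERER} -strmatch '*://%{HTTP_HOST}/*'"
```

Test a login from every client you support before relying on this: scripted or app-based clients that legitimately POST without a Referer, and browsers under a strict Referrer-Policy, will be bounced as well. As the article says, it offers no protection against a client that sends a matching Referer header.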

The above code is for a single-site installation. Change example.com to the name of your domain. If you run a multisite installation with mapped domains, as I do, then you would use the following code:


About Victor M. Font Jr.

Victor M. Font Jr. is an award-winning author, entrepreneur, and Senior IT Executive. A Founding Board Member of the North Carolina Executive Roundtable, he has served on the Board of Advisors of the North Carolina Technology Association, the International Institute of Business Analysis, the Association of Information Technology Professionals, Toastmasters International, and the North Carolina Commission for Mental Health, Developmental Disabilities, and Substance Abuse Services. He is the author of several books, including The Ultimate Guide to the SDLC, Winning With WordPress Basics, and Cybersecurity.


Comments

  1. Atinder

    August 10, 2015 at 10:19 am

    Well, recently brute force attacks have immensely increased, becoming a dangerous factor for all WordPress users, but it is a thing which is fight-able. I mean, by using security methods, we can move brute force attacks out of the window. Although it can be difficult for newbies who have just got started with WordPress, he/she can learn by reading posts online and then implement security.
    In my view, implementing only three tricks works very well: changing the login slug, a content delivery network (CDN), and a security plugin which bans IP addresses after a few login attempts.

  2. AZ

    August 28, 2013 at 8:38 am

    To keep bots away and still stay user friendly I use Securitron plugin for WordPress.
    http://www.b2beservices.com/files/Securitron_v1_0_1.zip

