Last month there was a worldwide, highly-distributed attack against WordPress websites.  The attacks were a brute force attack of WordPress admin pages where they tried thousands of passwords. While none of Frogtown’s North Georgia Web Design sites were compromised, the volume of login attempts caused some our sites to run slowly.  While this type of attack is not new, the size and distribution of attacks was notable.

Two simple steps to protect your WordPress login page:

  1. Don’t use ‘admin’ as your user name.  It’s been several years since WordPress stopped using ‘admin’ as the default user name, but many web designers keep using it.
  2. Use strong passwords.  Passwords should not include dictionary words.  Use at least 8 characters and include numbers, symbols (&, $, ;, etc) and mixed capitalization. Learn more on WordPress recommended strong passwords .

Advanced Steps

Password protect your WordPress login pages by creating a password file and activating the security in your .htaccess file.  Adding this additional layer of protection will put a much, much lighter load on your website in the event of a brute force attack.

Step 1: Create the Password File

Create a file named .wpadmin and place it in your home directory, where visitors can’t access it.  The following example is for cPanel:

EXAMPLE: /home/username/.wpadmin
(where “username” is the cPanel username)

Put the username and encrypted password inside the .wpadmin file, using the format username:encryptedpassword

EXAMPLE: john:n5MfEoHOIQkKg
(where “john” is a username of your choice, and the password shown is encrypted.)

Generate Password File & Uploading Via File Manager

One way to do this is to generate the file using the website linked below, and then upload it to your site via FTP or File Manager. In the directions below, we will use File Manager, but you could use FTP instead, for those of you familiar with FTP.

  1. Visit: http://www.htaccesstools.com/htpasswd-generator/
  2. Use the form to create the username and password.
  3. Login to cPanel in another window or tab.
  4. Click on File Manager.
  5. Select Home Directory.
  6. Check Show Hidden Files (dotfiles) if not already checked.
  7. Click on the Go button.
  8. Look for a .wpadmin file.
    • If one exists, right click on it and select Code Edit to open the editor. Click on the Edit button to edit the file.
    • If one does not exist, click on New File at the top of the page, and specify the name as .wpadmin (with the dot at the front) and click on the Create New File button.
  9. Paste the code provided from the website in step 2.
  10. Click on the Save Changes button when complete.
  11. You can Close the file when finished.

Step 2: Update the .htaccess File

All domains under the home directory will share the common .wpadmin file.

The last step is to place the following code in the /home/username/.htaccess file:

ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
<FilesMatch "wp-login.php">
AuthName "Authorized Only"
AuthType Basic
AuthUserFile /home/username/.wpadmin
require valid-user

While this will not stop a brute force attack, password protecting your login page will certainly limit the impact.