How to harden your wordpress by block brute force attempts on your wp-login.php

Mar 4th, 2015 | By | Category: Random Musings

So having hte login page exposed publically is nutso to me and because I run Wordfence(and gladly pay for it which everyone should), I get to see how many brute force attempts are happening because it is constantly banning IP’s for requesting forgotten passwords for accounts that don’t exist.

Well today I got tired of receiving those notifications so I just setup a simple .htaccess/.htpasswd wall infront of my admin login by adding this to my .htaccess file:

<FilesMatch "wp-login.php">
    AuthName "WordPress Admin"
    AuthType Basic
    AuthUserFile /path/to/.htpasswd
    require valid-user

Go to /path/to and type htpasswd -c ./.htpasswd username 
enter the password and viola, no one's getting through.  Let them try brute forcing that forever. It has the benefit of not loading any server assets or giving them any access to wordpress.

Leave a Comment