WordPress Login - Brute Force Attack

Recently, there was a worldwide, highly distributed WordPress attack. This attack was known for using forged or spoofed IP addresses. During the attack, we actively blocked the most common attacking IP addresses across our server farm. If this type of attack happens again, we will again take appropriate measures.

Measures You Can Take to Prevent Similar Attacks

The following steps can be used to secure (by password protection) wp-login.php for all WordPress sites in your cPanel account. This will help deter this type of attack.

How to Password Protect the wp-login.php File

There are two (2) steps in accomplishing this:

  1. First, you need to define a password in the .wpadmin file.
  2. Activate the security in the .htaccess file.

Step 1: Create the Password File

Create a file named .wpadmin and place it in your home directory, where visitors can't access it. (Please note there is a period preceding the wpadmin in that file name.) The following example is for cPanel. Plesk would require placing the file in /var/www/vhosts or /var/www/vhosts/domain.

EXAMPLE: /home/username/.wpadmin
(where "username" is the cPanel username for the account.)

Put the username and encrypted password inside the .wpadmin file, using the format username:encryptedpassword

(where "john" is a username of your choice, and the password shown is encrypted.)

Option A: Generate Password File & Uploading Via File Manager

One way to do this is to generate the file using the website linked below and then upload it to your site via FTP or File Manager. We will use File Manager in the directions below, but you could use FTP instead for those of you familiar with FTP.

  1. Visit: http://www.htaccesstools.com/htpasswd-generator/
  2. Use the form to create the username and password.
  3. Log in to cPanel in another window or tab.
  4. Navigate to the Files section, then click on the File Manager icon.


  5. Go to the public_htlml folder.

  6. Look for a .wpadmin file.

    Paste the code provided from the website in step 2.

    • If one exists, right-click on it and select Code Edit to open the editor. Click on the Edit button to edit the file.
    • If one does not exist, click on New File at the top of the page, specify the name as .wpadmin (with the dot at the front) and click on the Create New File button.

  7. Click on the Save Changes button when complete.
  8. You can Close the file when finished.

Option B: Creating the Password File via SSH / Command Line

To create the encrypted password, you will need to use a utility such as the command-line program htpasswd. More detailed technical information about htpasswd can be found at http://httpd.apache.org/docs/current/programs/htpasswd.html.

An example would be to do this:

htpasswd -c /home/username/.wpadmin john

You would then be prompted to enter the password you wish to use for the username "john" to access the wp-login page. You can then log into the wp-admin interface as you normally would. Many other online tools can be used to convert standard passwords to encrypted for this purpose.

Step 2: Update the .htaccess File

All domains under the home directory will share the common .wpadmin file. (The command listed in Option B above creates the /home/username/.wpadmin file due to the -c.)

The last step is to place the following code in the /home/username/.htaccess file:

ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
<FilesMatch "wp-login.php">
AuthName "Authorized Only"
AuthType Basic
AuthUserFile /home/username/.wpadmin
require valid-user

Note: replace "username" above with your cPanel username.

  • wordpress, wordpress security, brute force attach
  • 0 Users Found This Useful
Was this answer helpful?

Related Articles

How to configure your domain email on Gmail app ?

Log in to cPanel using your username and your cPanel password at http://yourdomain.com/cpanel,...

How to Connect to the MYSQL Database Remotely?

Allowing remote MYSQL connections is often done to enable a program on your personal computer to...

How to disable mod security using htaccess file?

Mod_security is an apache module that helps to protect your website from various attacks.It is...

Prevent Brute Force Attacks in WordPress

A brute force attack is a trial-and-error method in which the hackers aim to gain access to a...

How to fix failed to retrieve directory listing error in FileZilla FTP?

When using FileZilla to connect to your FTP if you encounter an error like this: Status:...