by Musa Khalid Danjuma

WP Brute-force Protection.

In April 2013 a series of brute-force attacks was directed at WordPress sites across the globe, which alarmed web hosting companies worldwide. We then published a suggestion on how to protect your site. Today, more brute-force attacks are being carried out by hackers using over 90,000 compromised servers (botnets).

First, let me explain what brute-force is.

Brute-force is a form of automated, continuous trial by hackers to gain access to a secured section of your site: they try many username and password combinations to guess your password. The flood of login attempts puts extra load on the server, which slows your website down, and in some cases a guess succeeds and your site is hacked.

WordPress brute-force attacks are directed at /wp-login.php (the login page). If one succeeds, the attackers hijack your website.

If you are using any of our shared hosting plans, virtual servers or dedicated servers, you can implement the following security measure to protect your site from brute-force logins.

Go to your cPanel account and navigate to File Manager, select "Show Hidden Files" in the popup, then go to the directory where your WordPress site is installed (if it is on the main site, that will be /public_html, or /public_html/wp if you are using a sub-folder).

Step 1: Create a ".htpasswd" file in the main WordPress folder (note the full-stop before htpasswd).

Step 2: Choose a password and encrypt it in MD5 format, together with a username, in the format below:


You can use this service here to generate the username and encrypted password in the required format. Make sure you remember or store the password in a safe place.

Step 3: Right-click the .htpasswd file in the main WordPress folder and click Code Edit (this opens the file in a web-based code editor). Paste the line generated in Step 2 above (e.g. username:BY$8IpfCRILmgj7sjHipsKMm0) and click the Save button at the top right corner of the editor.

Step 4: Go back to the main WordPress folder and edit the .htaccess file by right-clicking it and choosing Code Editor again, just as you did for .htpasswd. If there is no .htaccess file there yet, create it as you did for .htpasswd in Step 1 above.

Step 5: Carefully add the following code to the .htaccess file; DO NOT alter any other existing code in the file, or your site may break. It is advisable to add it at the bottom of the file.

# Messages shown when the extra login is refused or fails
ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
# Ask for an HTTP Basic Auth login before wp-login.php is served
<FilesMatch "wp-login.php">
AuthName "Authorized Only"
AuthType Basic
# Full server path to the .htpasswd file from Step 1 (if the file sits inside the WordPress folder, e.g. public_html, include that folder in the path)
AuthUserFile /home/{username}/.htpasswd
require valid-user
</FilesMatch>

NOTE: You also need to replace {username} in the above code with your cPanel username, e.g. "/home/gilgahost/.htpasswd".

Hit the Save Changes button and you're done. This protects the wp-login.php file from unauthorized access. Comment below if you run into any problem or wish to give us additional suggestions.
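Step 2 sends you to an external page to build the MD5 username:password line, and Step 3 pastes it into .htpasswd. As an added example that is not part of this article, the script below computes the same Apache "$apr1$" htpasswd format locally (so the password never leaves your machine) and checks a finished line against a password. The user name, password and salt values in it are made up for illustration; the article's own example hash is not reproduced.

```python
import hashlib
import secrets

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"

def _to64(value: int, count: int) -> bytes:
    # Apache's 6-bit alphabet, least-significant group first
    return bytes(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))

def apr1_md5(password: str, salt: str) -> str:
    """Return the $apr1$ hash that 'htpasswd -m' produces (salt: up to 8 chars)."""
    pw, s = password.encode(), salt.encode()[:8]
    ctx = hashlib.md5(pw + MAGIC + s)
    alt = hashlib.md5(pw + s + pw).digest()
    n = len(pw)
    while n > 0:                      # mix in the alternate sum, 16 bytes at a time
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:                          # one byte per bit of the password length
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    h = ctx.digest()
    for i in range(1000):             # fixed 1000-round stretching
        c = hashlib.md5(pw if i & 1 else h)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(pw)
        c.update(h if i & 1 else pw)
        h = c.digest()
    groups = [(h[a] << 16) | (h[b] << 8) | h[c]
              for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))]
    enc = b"".join(_to64(v, 4) for v in groups) + _to64(h[11], 2)
    return (MAGIC + s + b"$" + enc).decode()

def htpasswd_line(user: str, password: str, salt: str = "") -> str:
    """Build the 'user:hash' line that Step 3 pastes into .htpasswd."""
    if not salt:                      # fresh random 8-char salt, like htpasswd itself
        salt = "".join(secrets.choice(ITOA64.decode()) for _ in range(8))
    return f"{user}:{apr1_md5(password, salt)}"

def check_htpasswd(line: str, user: str, password: str) -> bool:
    """Verify a password against one .htpasswd line (salt is the 2nd '$' field)."""
    name, _, stored = line.partition(":")
    if name != user or not stored.startswith("$apr1$"):
        return False
    return secrets.compare_digest(apr1_md5(password, stored.split("$")[2]), stored)
```

Run `print(htpasswd_line("yourname", "your password"))` and paste the output as the single line of the .htpasswd file; if the `htpasswd` tool is available, `htpasswd -nbm yourname 'your password'` produces a line in the same format for cross-checking.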

Musa Khalid Danjuma.

Monday, April 11, 2016
