A Brute Force Attack is one of the most common methods to break into a WordPress site.
It tries to gain illegitimate access to a site by using different combinations of usernames and passwords.
Pickaweb has successfully prevented such forged IP address attacks in the past by blocking them on its server immediately. Whenever these types of attacks happen, we’re ready to deal with them quite strictly from our side.
However, you’re also required to take some key measures from your side to safeguard your WordPress-hosted site against the attacks.
Here’s what you should do – Protect wp-login.php file with Password.
To prevent your site from login access attacks, you need to improve the security of the wp-login.php file in your cPanel. You can get it done in two easy steps, which are as follows.
1. Create a Password File
Create a file named .wpadmin and put it in your site’s home directory so it’s not accessible to users.
(Note: ‘username’ is the cPanel username for the account.)
Now, place the username and the encrypted password in the .wpadmin file, using the following format.
(where ‘daniel’ refers to a username you can choose, and the password that you see is in encrypted form.)
You have two options at your disposal to get the password creation task done. Either generate the password file and upload the same through File Manager/FTP or do it through the SSH/Command line.
- Visit: http://www.htaccesstools.com/htpasswd-generator/
- Use the form to create username and password.
- Log into the cPanel (in a new tab).
- Click on File Manager.
- Select Home Directory.
- Check Show Hidden Files.
- Click on the Go button.
- Locate a .wpadmin file.
a) If found, right click on it and select Code Edit to open the editor. Click on the Edit button to start editing.
b) If not found, click on New File and give it the name .wpadmin (includes a dot at the front) and then click on Create New File.
- Paste the code provided from the website in step #2.
- Click on Save Changes.
- Close the file when done.
If you want to generate password through SSH/command line, you can gather detailed information about the same by visiting this URL on Apache’s official website – http://httpd.apache.org/docs/current/programs/htpasswd.html.
2. Update .htaccess
The .wpadmin file will be shareable by all domains under the home directory. Finally, you need to put the following code in the /home/username/.htaccess file. You should put your cPanel username in the place of ‘username’ in the code.
ErrorDocument 401 "Unauthorized Access" ErrorDocument 403 "Forbidden" <FilesMatch "wp-login.php"> AuthName "Authorized Only" AuthType Basic AuthUserFile /home/username/.wpadmin require valid-user
That’s it. If you need any further assistance with this, just contact our 24/7 support team via Live chat or support email and they will guide you with this.