Protect WordPress Login with .htaccess

Protect WordPress Login from Brute Force Attacks with .htaccess

Here’s an easy way to protect your WordPress site from hackers and brute force attacks by adding server-side protection to your wp-login.php page in the form of an .htaccess login.

As WordPress has become more popular, it’s also become a bigger target for hackers. In the last few years, there have been several automated attacks on WordPress sites where malicious visitors try to break into WordPress sites by running dictionary attacks against WordPress login pages.

By making a few quick additions to your site, we can thwart several of these automated attacks, while preserving resources on the server for legitimate site visitors.

What are Dictionary Attacks?

A dictionary attack uses a targeted technique of successively trying all the words in an exhaustive list called a dictionary . . . a dictionary attack tries only those possibilities which are most likely to succeed, typically derived from a list of words for example a dictionary (hence the phrase dictionary attack). http://en.wikipedia.org/wiki/Dictionary_attack

What does this mean? Well, the hacker uses a program or script to automatically try to login to your site using a username that they either know, or guess, along with a password generated from a list.  When they fail to login, the script tries again with the next password on the list.

Can’t the Server Block Dictionary Attacks?

On IvyCat servers, we have Brute Force Protection that watches for behavior like this and blocks these malicious visitors by IP address.  But, alas, these folks aren’t dumb and, when they’re blocked, often change their IP address and continue the attack from a different location.

I’m using Strong Passwords, so I’m safe, right?

If you’re using good, strong passwords, this is often more of an annoyance than anything, but one side-effect of these attacks is increased load on the server.

Your site and the server it’s hosted on have to work every time someone tries to login and, if your site is the subject of an automated attack where they’re trying to login multiple times a minute, or even a second, it can cause the server to work extra hard just to handle the enormous amount of login requests.

So, we will use .htaccess to evaluate login attempts in a way that doesn’t cause so much server load.

How WordPress Login Requests Work

Technically, when a request comes in for any page on your WordPress site, the request comes to the web server and the web server passes the request through to WordPress for handling.  This happens for any page, including your WordPress login.

When a visitor is trying to login to your WordPress site, here’s what happens:

  1. The request for your WordPress login comes to the server, either using yoursite.com/wp-login.php or yoursite.com/wp-admin/
  2. The server sees this request and passes it through to WordPress, which loads your site’s login page, yoursite.com/wp-login.php
  3. The visitor enters a username and password and clicks Login.
  4. WordPress has to parse the entered login to see if it’s legitimate.
  5. If the credentials are good, the visitor is taken to their WordPress Admin, but if they’re bad, WordPress has to load a page to return an error to the visitor.

While the above steps aren’t super-taxing on a server by themselves, imagine if you have 100 people trying to login to your site at once, or even a login attempt every second – the server can get overwhelmed and spend a bunch of time and energy fielding bogus login requests when it could be using resources to serve up websites.

So, we’re going to stop visitors with a server-generated login prompt before they reach WordPress, to make sure they’re legit.  If they can’t pass the server’s login prompt, they’ll never get to the WordPress login page, which makes things easier on the server since WordPress doesn’t have to load to evaluate passwords.

Protect wp-login.php and wp-admin with .htaccess

So, we’ve put together a simple set of instructions to allow you to protect your WordPress login using .htaccess.

There are three basic steps:

  1. Create a hidden password file.
  2. Generate a login and password and add it to the hidden password file.
  3. Modify your site’s .htaccess file to require your hidden password when logging into WordPress.

Step 1 – Create a hidden password file

In the root of your site, create a file called .wp-admin, which will hold your new, hidden credentials.  The file can be named something else too, but we recommend that you put a period at the beginning of the filename, so that it’s hidden by default.  Whatever name and location you use, the AuthUserFile line in Step 3 must point to it.

Step 2 – Generate a login and password and add it to the hidden password file

  1. Go to http://www.htaccesstools.com/htpasswd-generator/
  2. Enter a username and password that you’ll use to protect the WordPress login.
  3. Click Create .htpasswd file to hash your password.
  4. htaccesstools.com will return a string of text that looks something like this: jimdandy:$apr1$vqg/kV..$Yn3w9aipE2ObdjSpaWnDf0
  5. Open the .wp-admin file that you created in Step 1 above and paste in the .htpasswd entry you just created.

Step 3 – Modify your site’s .htaccess file

By now, you’ve generated a login and password that you’ll use to protect your WordPress login, but the last step is to make sure that the web server, Apache, knows that it needs to require this login every time someone tries to login to your WordPress site.

  1. Using File Manager or FTP, login to your hosting account and open the .htaccess file at the root of your site and paste in the following code:
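    # Plain-text bodies returned for failed or denied authentication
    ErrorDocument 401 "Unauthorized Access"
    ErrorDocument 403 "Forbidden"
    # Require HTTP Basic authentication before wp-login.php is served
    <FilesMatch "wp-login.php">
    AuthName "Authorized Only"
    AuthType Basic
    # Absolute path to the password file from Steps 1 and 2
    AuthUserFile /home/username/.wp-admin
    require valid-user
    </FilesMatch>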
    
  2. Save your changes.
  3. Open a browser and go to your site’s login page (ex. http://yoursite.com/wp-login.php).

You should now see a pop-up generated by the server that asks for your username and password.  Once you enter the username and password that you just created and submit, you’ll be taken to the WordPress login screen and can proceed like normal.
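
Step 2 can also be done without typing the password into a third-party website. The following added example (Python, not part of the original post; function names such as `make_entry` are hypothetical) computes the same `$apr1$` entry format locally and checks a password against an existing entry.

```python
# Added example, not the post's code; function names are hypothetical.
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value: int, count: int) -> str:  # six bits per character, lowest first
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))

def apr1_hash(password: str, salt: str) -> str:
    """Apache's variant of MD5-crypt: salted MD5 stretched over 1000 rounds."""
    pw, s = password.encode("utf-8"), salt.encode("utf-8")
    alt = hashlib.md5(pw + s + pw).digest()
    ctx = hashlib.md5(pw + b"$apr1$" + s)
    ctx.update((alt * (len(pw) // 16 + 1))[:len(pw)])
    n = len(pw)
    while n:  # one byte mixed in per bit of the password length
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for r in range(1000):
        h = hashlib.md5(pw if r & 1 else final)
        h.update((s if r % 3 else b"") + (pw if r % 7 else b""))
        h.update(final if r & 1 else pw)
        final = h.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    body = "".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in order)
    return f"$apr1${salt}${body}{_to64(final[11], 2)}"

def make_entry(user: str, password: str) -> str:
    """Return a 'user:hash' line with a fresh random 8-character salt."""
    if not user or ":" in user:
        raise ValueError("user name must be non-empty and contain no ':'")
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{apr1_hash(password, salt)}"

def verify_entry(entry: str, password: str) -> bool:
    """Check a password against one line of the password file."""
    _, _, stored = entry.strip().partition(":")
    parts = stored.split("$")  # expected: ['', 'apr1', salt, digest]
    if len(parts) != 4 or parts[1] != "apr1":
        return False
    return hmac.compare_digest(apr1_hash(password, parts[2]).encode(), stored.encode())

if __name__ == "__main__":
    print(make_entry("jimdandy", "constructed example passphrase"))
```

Apache's own `htpasswd` utility writes the same format with `-m`, or a bcrypt hash with `-B`.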

Video Overview

4 responses to “Protect WordPress Login from Brute Force Attacks with .htaccess”

  1. Pierre

    When I look at your video on Youtube and compare the code with the one you’ve put here it doesn’t look the same.
    I’m referring to this part:

  2. Eric Amundson

    Pierre,

    Your comment didn’t show the part to which you’re referring. Can you paste it in again?

    Most of the stuff should be similar, but I do periodically change the name of the hidden file I’m creating to house the credentials. In some sites, I use .wp-admin, but others I name it differently.

    As long as your file is named and pointed to correctly in your .htaccess file, you should be fine.

    1. Pierre

      Hi Eric,
      The code was probably removed by a comment filter.
      This is the part that I’m referring to:
      filesmatch “wp-login.php”=””
      Is different compared to the same line in the movie (around 2:13s)
      Also, do caps matter? I see you are using them in the video but not in this post.
      Thanks, Pierre

      1. Eric Amundson

        Hey Pierre,

        Thank you for pointing this discrepancy out. The text in the video is correct and I’ve updated this post to correct the syntax error.

        Cheers!