Quick Tip: Protect Your WordPress Login Page From Brute Force Attacks

Lock Down Your Blog

If you're a WordPress blogger, chances are that you're aware of the massive brute force attempts targeting WordPress sites lately. If you're not sure what these are, basically it's when someone attempts to hack your site by guessing your username and password. But they usually do this with bots that let them automate the process, and your site can be hit hundreds (if not thousands) of times a day. And if you don't have any brute force protection on your server or your WordPress installation, you might never know until someone hacks your site.

Fortunately you can block these attempts fairly easily.

Brute Force Protection Plugins

One way to protect your site is to install a WordPress security plugin that offers brute force protection. These will generally let you decide how many login attempts a user gets before they're automatically locked out and unable to try again for a certain amount of time.

The problem with this method is that potential hackers still get to try at all. So you're still at risk. And giving them access to the login page still allows them to automatically try to login with different usernames and different IP addresses at a frequency that can slow down your site.

Protecting wp-login.php

These days I go a step farther for any site where I'm the only person who needs to log in. I limit access to the wp-login.php file (and sometimes the wp-admin folder) to my IP address. If you have a dynamic IP address that occasionally changes, you can always update this in your .htaccess file by logging into your hosting account, so temporarily losing access to the WP login page isn't a big deal.

To make your wp-login.php file accessible only via your IP address, open your .htaccess file in your site's files and add the following (replacing the Xs with your IP address, which you can discover by visiting WhatIsMyIP.com):

RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$
RewriteCond %{REMOTE_ADDR} !^x\.x\.x\.x$
RewriteRule ^(.*)$ - [R=403,L]

For example, if your IP address is 123.456.789.0, you would add the following to your .htaccess file:

RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$
RewriteCond %{REMOTE_ADDR} !^123\.456\.789\.0$
RewriteRule ^(.*)$ - [R=403,L]

By no means is this the only way to protect your WordPress login page. But it's a quick fix and a good start if you're the only one who needs to access it. And this keeps bots from slowing things down with repeated login failures.

If you'd like to learn how to tweak this to also limit the wp-admin folder to your IP address, or if you want to allow multiple IP addresses to log into your site, InMotion Hosting as a great guide on taking this farther.

How do you protect your WordPress login page? Do you simply rely on plugins that stop attacks only after some attempts have been made? Do you change the location of your login page to make it more difficult for automated hacking attempts to find? Do you use a front-end login page with its own protection against automated brute force attacks (like a honeypot to stop bots from submitting the form in the first place)? Share your strategies, experience, or tips in the comments.

Have a request for the Tuesday Quick Tips series? Submit your quick tip request (or any reader question) using the free writing advice form.

Profile image for Jennifer Mattern

Jennifer Mattern is a professional blogger, freelance business writer, consultant, and indie author. She runs numerous websites & blogs including All Freelance Writing, Freelance Writing Pros, NakedPR, and Kiss My Biz.

Jenn has 25 years' experience as a professional writer and editor and over 20 years' experience in marketing and PR (working heavily in digital PR, online marketing, social media, SEO, new media, and thought leadership publication). She also has 19 years' professional blogging and web publishing experience (including web development) and around 18 years of experience as an indie author / publisher.

Jenn also writes fiction under multiple pen names and is an Active member of the Horror Writers Association.

Subscribe to the All Freelance Writing newsletter to get freelance writing updates from Jenn in your inbox.

Get More Content Like This in Your Inbox

Did you enjoy this post? If so, please subscribe to the All Freelance Writing newsletter where you'll be notified of new blog articles and receive subscribers-only content.

Subscribe now.

4 thoughts on “Quick Tip: Protect Your WordPress Login Page From Brute Force Attacks”

  1. I have been very happy with the Wordfence security plugin. A techie person recommended it and I have had it for a few years. They have a free version but I quickly upgraded as I didn’t feel the free version (at the time) got as much of their attention.

    • I keep hearing good things about that one Cathy. Probably from you! 😉 In my case I just hesitate to install the more comprehensive security plugins if I can do what I need without them because of compatibility issues. It’s rare that I can introduce a big plugin and not have it break something else (at least here where so many are required). But one of these days I’ll have to give it a try on a newer site and see how it works in comparison. 🙂

  2. Thanks for the tip!

    I hired a “techie” to do secure my website because I noticed people were creating posts on my site. Yikes! I’ve used WP since 2008 and never had this happen to me.

    Question for you… Who do you recommend for web hosting? I use Blue Host and upgraded to their VPS server and have had issues regarding backup. It may be time to move to a new hosting company. Thank you!

    • Oh no! I hope they were able to sort out the hack.

      I’m not at all a fan of BlueHost. They and 1&1 are awful, and I would never touch them for WordPress hosting. When I started out, I mostly used HostGator, and I was happy with them for the most part (though I did leave in large part due to a customer service issue). Now I mostly use MyHosting.com based in Toronto. I remember setup being a bit of a pain with them for a VPS, but once I got past that I haven’t had any real issues. There’s occasional downtime like there is with any host, but it’s less than other hosts I’ve used and they tend to be very responsive and quick to resolve things (and the problems are on my end as much as theirs).

      Who did you use to secure your site? I used Rack911 and loved them. But you have to remember with every plugin update, theme update, or new site installation you open the door to new vulnerabilities. So you have to keep and eye on things and periodically improve what you can. The worst attack I’ve had to deal with was a result of a plugin exploit. While I know there’s always a risk, I certainly hope I never have to deal with something to that scale again.


Leave a Comment