Lock Down Your Blog

If you're a WordPress blogger, chances are that you're aware of the massive brute force attempts targeting WordPress sites lately. If you're not sure what these are: a brute force attack is when someone tries to break into your site by guessing your username and password. They usually do this with bots that automate the process, so your site can be hit hundreds (if not thousands) of times a day. And if you don't have any brute force protection on your server or your WordPress installation, you might never know until someone hacks your site.

Fortunately you can block these attempts fairly easily.

Brute Force Protection Plugins

One way to protect your site is to install a WordPress security plugin that offers brute force protection. These will generally let you decide how many login attempts a user gets before they're automatically locked out and unable to try again for a certain amount of time.

The problem with this method is that potential hackers still get to try at all. So you're still at risk. And giving them access to the login page still allows them to automatically try to log in with different usernames from different IP addresses at a frequency that can slow down your site.

Protecting wp-login.php

These days I go a step farther for any site where I'm the only person who needs to log in. I limit access to the wp-login.php file (and sometimes the wp-admin folder) to my IP address. If you have a dynamic IP address that occasionally changes, you can always update this in your .htaccess file by logging into your hosting account, so temporarily losing access to the WP login page isn't a big deal.

To make your wp-login.php file accessible only from your IP address, open the .htaccess file in your site's root folder and add the following (replacing the x's with your IP address, which you can discover by visiting WhatIsMyIP.com):

RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$
RewriteCond %{REMOTE_ADDR} !^x\.x\.x\.x$
RewriteRule ^(.*)$ - [R=403,L]

For example, if your IP address is 123.456.789.0, you would add the following to your .htaccess file:

RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$
RewriteCond %{REMOTE_ADDR} !^123\.456\.789\.0$
RewriteRule ^(.*)$ - [R=403,L]

By no means is this the only way to protect your WordPress login page. But it's a quick fix and a good start if you're the only one who needs to access it. And this keeps bots from slowing things down with repeated login failures.

If you'd like to learn how to tweak this to also limit the wp-admin folder to your IP address, or if you want to allow multiple IP addresses to log into your site, InMotion Hosting has a great guide on taking this farther.
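As an added example (not from this post or the InMotion Hosting guide), here is the same rewrite approach extended to cover the wp-admin folder and more than one allowed address. The addresses are placeholders from a documentation range; replace them with your own.

```apache
# Added example: lock wp-login.php and the wp-admin folder to a short
# allowlist of addresses. 203.0.113.10 and 198.51.100.25 are placeholders.
RewriteEngine on

# Themes and plugins call wp-admin/admin-ajax.php for logged-out visitors
# (contact forms, "load more" buttons), so keep it reachable or they break.
RewriteRule ^wp-admin/admin-ajax\.php$ - [L]

# Match either the login page or anything under wp-admin ...
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^/wp-admin/
# ... and refuse it unless the client is one of the allowed addresses.
# Note: behind a CDN or reverse proxy, REMOTE_ADDR is the proxy's address,
# not the visitor's, so this check only works when Apache sees real client IPs.
RewriteCond %{REMOTE_ADDR} !^(203\.0\.113\.10|198\.51\.100\.25)$
RewriteRule ^(.*)$ - [R=403,L]
```

Test it from a second connection (a phone on mobile data works) and confirm you get a 403 while your allowed address still reaches the login page.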

How do you protect your WordPress login page? Do you simply rely on plugins that stop attacks only after some attempts have been made? Do you change the location of your login page to make it more difficult for automated hacking attempts to find? Do you use a front-end login page with its own protection against automated brute force attacks (like a honeypot to stop bots from submitting the form in the first place)? Share your strategies, experience, or tips in the comments.

Have a request for the Tuesday Quick Tips series? Submit your quick tip request (or any reader question) using the free writing advice form.