There was a problem loading the comments.

2013 Wordpress Brute Force Attacks - Use .htaccess to secure wp-admin

Support Portal  »  Knowledgebase  »  Viewing Article


Portions of this KB article were written by Jacob Nicholson of
8Dweb is simply placing Jacob's information here for the security of ALL HOSTING COMPANIES and CLIENTS. We make no warranty or provision
for this information and want to thank Jacob and InMotion Hosting for this information.

8Dweb has modified this article to provide the basics.


  1. If you suspect your site has been hacked - contact 8Dweb support IMMEDIATELY. There may be a small fee for our security services, but we will help you get your site back online as quickly as possible. Our first concern is your site security.
  3. PLEASE update your Wordpress Installation, Themes and Plugins to the Latest event IMMEDIATELY (8Dweb can do this if you purchase our WordPress Security Package)
  4. PLEASE remember that YOU are responsible to keep backups of your site and database. 8Dweb can help. You can use SiteWorx Control Panel to do a "partial backup" of web, mail, database or any combination - be SURE to download this. You can also hire us to setup our WordPress Security Package - we will scan and secure your site, install various plugins to secure and automatically backup your entire site on a daily basis. We will also install your WordPress site into our WP management system so that we can monitor it for updates and hack attempts

In this article I'm going to talk about how to lock down your WordPress admin login with some .htaccess rules to prevent unauthorized login attempts.

Limit WordPress admin login attempts

If your access has been restricted to your WordPress website, you can update your .htaccess file, to check for a valid referer, or to limit access to only your IP address.

Now follow the steps below to either limit login attempts to a proper referer, or IP address you've specified:

  1. Now depending on how many unique IP addresses you're connecting to your WordPress site from, you would want to employ some different .htaccessrules.

    We recommend using the referer method first, as we've been getting some reports that for some users, the IP address methods are still not allowing them access.

    Also please note that you will want to paste these .htaccess rules at the very top of your file above other rules for them to function properly.

    Dynamic IP address access, limit by referer (8Dweb - you must use a dynamic dns system for this method, but it IS effective - contact our support team for details)

    If your IP address changes, or you have a very large amount of possible IPs you're connecting from, you can protect your WordPress site by only allowing login requests coming directly from your domain name. Simply replace example\.com with your own domain name

    Currently the brute force attack that is taking place relies on sending direct POST requests right to your wp-login.php script. So requring that a POST request can only come from your domain name, ensures a normal human login attempt instead of an automated bot doing it.

    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{HTTP_REFERER} !^http://(.*)?example\.com[NC]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    RewriteRule ^(.*)$ - [F]

    Single IP address access

    To allow access from a single IP address, replace 123\.123\.123\.123 with your own IP address:

    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
    RewriteRule ^(.*)$ - [R=403,L]

    Multiple IP address access

    To allow access from multiple IP addresses, replace 123\.123\.123\.xxx with your own IP addresses:

    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.121$
    RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.122$
    RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
    RewriteRule ^(.*)$ - [R=403,L]

    Then click on Save at the top-right of the editor.

  2. Wait at least 15-20 minutes, and then try to login to your WordPress site again. Unfortunately even if you simply try to access the WordPress admin dashboard, still within the 15 minute window of a block, this could extend the block an additional 15 minutes, so it's important to wait for the previous block to expire before attempting to access your WordPress site again.

Share via

Related Articles

© 8Dweb LLC