WordPress Brute Force Attacks: Protect Yourself Now

WordPress Brute Force Attacks: Quick Simple Solution

Protect yourself by limiting wp-login.php to your IP address

WordPress Brute Force Attack

If you are a WordPress user, this is all you need to know – the WordPress brute force attacks that occurred last week can be mitigated with one simple technique: restricting which IPs can access your wp-login.php page. That’s it. The reason last week’s WordPress brute force attacks were so effective is that rather than one single computer IP address attempting to guess your password, tens of thousands were used, which means that the attack could occur without sounding some of the traditional alarm bells.

But why risk relying on security plugins that may fail you when you can fix things yourself? And why install new software when the fix will take 2 minutes? Lastly, why rely on subpar solutions that can still cause your server to crash, due to the strain of rendering the wp-login page? How about you implement a solution that almost effortlessly rejects the unwanted advances in the most resource-effective way.

This is all that you need to do to protect yourself from a WordPress brute force attack:

  1. Identify your IP address (http://www.myipaddress.com/)
  2. Log into your server via FTP/SFTP or your hosting control panel’s file manager. HostGator’s file manager is below.
    HostGator File Manager
  3. Navigate to your .htaccess file (If it doesn’t exist, create it with a text editor)
    HostGator .htaccess
  4. Add this to the beginning (replacing the xxx.xxx.xxx.xxx with your ip):
    <files wp-login.php>
    order deny,allow
    deny from all
    allow from xxx.xxx.xxx.xxx

Verify that your wp-login page cannot be accessed from a computer other than the one you are using. To do this, try using your phone or a friend’s computer. We are not claiming that this will protect you from all of the nefarious characters on the internet. This will, however, protect you completely from a WordPress brute force attack. Thanks to James Dunn from wpmu.org for providing much of the guidance.

Background Information

Last Thursday, April 11th 2013, hundreds of thousands (at least) of website owners across the globe became victims of a sophisticated attempt to gain access to the portions of their webservers controlled by the WordPress Content Management System (CMS). WordPress is installed as a subordinate on the Linux operating system, usually below software used by shared hosting providers to provide control panels. The leading software used is cPanel and Plesk, produced by cPanel, Inc, and Parallels, Inc, respectively. Custom made hosting software is also used by hosting providers. Notable users of each type:

  • cPanel: HostGator, Namecheap, WebHostingBuzz, BlueHost, A Small Orange
  • Plesk: Hostmysite.com, Media Temple
  • Custom-made software (GoDaddy, DreamHost, Endurance International vDeck properties: FatCow, iPage, etc). 

Vulnerabilities exist at each level of software installed: server (Linux), hosting provider (cPanel), and CMS (WordPress). I want to mention each level before focusing on the CMS and WordPress brute force attacks. To address only the CMS does a disservice, since a false sense of security can be created by closing every single window in the house if the front door is left open.

Server/Operating System/Hypervisor Vulnerabilities

Protection at this level is absolutely the responsibility of the hosting provider. WordPress users have no ability to control this, and only through picking a hosting provider focused on security can vulnerabilities at the hardware, operating system, and hypervisor be addressed. This equipment and software serves to create the base layer for hosting provider software to run.

Web Hosting Control Panels: cPanel, Plesk, vDeck, Custom

Locking down the control panel may be the responsibility of the hosting provider, or if you are running a VPS or dedicated server, it’s on you. Vulnerabilities do exist at this level, and have been exploited. Thousands of sites were hacked after a Parallels Plesk exploit was utilized – http://krebsonsecurity.com/2012/07/plesk-0day-for-sale-as-thousands-of-sites-hacked. It is common knowledge that no system is impervious, and that as software increases in usage, the benefit to hacking it increases to miscreants. Software exploits, while possibly indicative of poorly written code, are more often a sign that the software has become popular enough to be a target.

Content Management Systems: WordPress, Joomla, Drupal, etc

All content management systems have vulnerabilities. WordPress brute force attacks, however, just come knocking at the front door, again and again. By simply guessing at a website owner’s username and password, the only restricting factor is the speed the website owner’s computer can respond “Yes” or “No” and the speed at which the attacker can make requests.


  1. Definitely believe that which you said. Your favorite justification appeared to be on the web the
    simplest thing to have in mind of. I say to you, I
    definitely get annoyed whilst other people consider
    worries that they plainly do not know about. You controlled to hit the nail upon the top and
    defined out the whole thing with no need side effect , folks can take a
    signal. Will probably be back to get more. Thanks

  2. My brother recommended I may like this blog. He was entirely right.
    This put up truly made my day. You can not imagine just how so
    much time I had spent for this info! Thanks!

  3. Greetings from Los angeles! I’m bored at work so I decided to check out
    your website on my iphone during lunch break. I enjoy the knowledge you present here and can’t wait to take a look when I get home.
    I’m amazed at how quick your blog loaded on my cell
    phone .. I’m not even using WIFI, just 3G ..
    Anyways, great site!

Leave a comment

Your email address will not be published. Required fields are marked *