Protect Your Login Page
One of the most common ways attackers gain access to a WordPress site is by brute forcing the login form: guessing usernames and passwords until a pair works. The options below can be used on their own or combined to reduce the risk of a password being guessed.
Block Access to wp-login.php
The most effective way to protect your WordPress login page from brute force attacks is to stop unauthorized users from reaching the page at all. This requires editing your .htaccess file if you’re using Apache, or the server block in your configuration if you’re using Nginx. Most hosts allow this; if yours doesn’t, it may be worth considering a change. Keep in mind that wp-login.php lives in the WordPress root directory, not inside wp-admin, so rules placed in wp-admin/.htaccess cover the dashboard but not the login form itself.
The first and most restrictive method is to limit access to your wp-admin directory by IP address. Only use this if you know which IP addresses you will be administering the site from and those addresses won’t change regularly; otherwise you will lock yourself out. Use the code below as an example of blocking by IP. It also includes a section that re-opens admin-ajax.php, which some plugins need to reach even for visitors who are not logged in. If you’re using Apache, put this code in a .htaccess file within your wp-admin directory. The directives use the Apache 2.2 Order/Allow/Deny syntax; Apache 2.4 only honours them when mod_access_compat is loaded, and the 2.4-native equivalent is a single Require ip directive followed by your addresses. To cover the login form as well, copy the same allow and deny directives into a <Files wp-login.php> block in the .htaccess at the WordPress root.
# Block access to wp-admin - replace x.x.x.x and y.y.y.y with your IP addresses
# (Apache 2.2 syntax; on Apache 2.4 this needs mod_access_compat)
Order deny,allow
Allow from x.x.x.x
Allow from y.y.y.y
Deny from all

# Allow access to wp-admin/admin-ajax.php from anywhere, since some plugins
# call it for visitors who are not logged in
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
If you’re on Nginx, add the following to the server block for the site and replace x.x.x.x and y.y.y.y with your own IP addresses. Check how it interacts with your PHP handling: Nginx evaluates a regular-expression location such as location ~ \.php$ ahead of these prefix locations, so PHP files under wp-admin would be handed to PHP-FPM without passing the allow list unless the allow and deny rules live in a location ^~ /wp-admin block with the fastcgi handling nested inside it.
# Send blocked visitors to a static page instead of the default 403 response
error_page 403 http://example.com/forbidden.html;

location /wp-admin {
    deny 192.168.1.1;   # example of one address rejected explicitly
    allow x.x.x.x;
    allow y.y.y.y;
    deny all;           # everyone not listed above
}

# Leave admin-ajax.php reachable, since some plugins call it for logged-out visitors
location /wp-admin/admin-ajax.php {
    allow all;
}
Another method, which blocks access without the risk of locking yourself out when your IP changes, is to password protect the login page at the server level with HTTP Basic authentication. This adds one more login prompt, a minor inconvenience. Because Basic authentication sends the username and password with every request using only Base64 encoding, use it only on a site served over HTTPS. Start by generating a .htpasswd file (Apache’s htpasswd utility does this, for example htpasswd -c /path/to/your/.htpasswd username) and uploading it to your server, preferably outside the web root so it can never be downloaded. Once the file is in place and you’re using Apache, add the following code to the .htaccess file in your WordPress root directory, where wp-login.php lives (or create the file if it doesn’t already exist); a <Files wp-login.php> block in wp-admin/.htaccess would never match anything. Make sure to update the path in the AuthUserFile line to match the location of the .htpasswd file you created.
# Protect wp-login.php with HTTP Basic authentication
<Files wp-login.php>
    AuthUserFile /path/to/your/.htpasswd
    AuthName "Login Required"
    AuthType Basic
    Require valid-user
</Files>
If you’re using Nginx, add the following to the server block for the site. Use an exact-match location (=) so that it takes precedence over a regular-expression location such as location ~ \.php$; a plain prefix location /wp-login.php would lose to that block and the password prompt would never appear. Because the exact match also bypasses your PHP location, repeat its fastcgi directives inside this block; otherwise Nginx returns the file as static content instead of running it.
# Exact match (=) wins over a "location ~ \.php$" regex block, which a
# plain "location /wp-login.php" prefix would lose to
location = /wp-login.php {
    auth_basic "Administrator Login";
    auth_basic_user_file /path/to/your/.htpasswd;   # use an absolute path; a bare ".htpasswd"
                                                    # is looked up relative to the nginx prefix
    # copy the fastcgi_pass and include fastcgi_params lines from your existing
    # PHP location here, or this block returns the file instead of executing it
}
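A way to produce the .htpasswd entries that both configurations above read, as an added example (it is not code from this article, from Apache or from nginx): the script implements Apache’s $apr1$ format, an iterated-MD5 scheme that both Apache’s mod_authn_file and nginx’s auth_basic accept, and verifies a password against an existing entry. The salt alphabet, the 1000-round schedule and the byte order of the final encoding follow the md5crypt algorithm that htpasswd -m uses. Where the Apache tools are available on Apache 2.4, prefer htpasswd -B, which uses bcrypt. The username and password in the block are made up.

```python
"""Generate and verify .htpasswd entries in Apache's $apr1$ format.
Added example; the algorithm is md5crypt with the "$apr1$" magic string."""
import hashlib
import secrets

# crypt(3)-style base64 alphabet used for salts and for the encoded hash
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"


def _to64(value, count):
    """Encode `count` 6-bit groups of `value`, least significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password, salt=None):
    """Return '$apr1$<salt>$<hash>' for `password`; the salt is 8 chars from ITOA64."""
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    salt = salt[:8]
    pw, sl = password.encode(), salt.encode()
    alt = hashlib.md5(pw + sl + pw).digest()
    ctx = hashlib.md5(pw + MAGIC + sl)
    # Feed len(pw) bytes of MD5(pw, salt, pw), then one byte per bit of len(pw)
    for pl in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, pl)])
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 stretching rounds with md5crypt's mixing schedule
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sl)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    f = final
    # md5crypt emits the 16 digest bytes in this interleaved order, 22 chars total
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"$apr1${salt}${encoded}"


def verify_apr1(password, stored):
    """Check `password` against a stored '$apr1$salt$hash' string (constant-time compare)."""
    if not stored.startswith("$apr1$"):
        return False
    salt = stored[6:].split("$", 1)[0]
    return secrets.compare_digest(apr1_hash(password, salt), stored)


def htpasswd_line(user, password):
    """One line for the file named by AuthUserFile / auth_basic_user_file."""
    if ":" in user:
        raise ValueError("username must not contain ':'")
    return f"{user}:{apr1_hash(password)}"


if __name__ == "__main__":
    # Made-up credentials for the demonstration
    print(htpasswd_line("wpadmin", "correct horse battery staple"))
```

Run it once per user and append the printed line to the file named in AuthUserFile or auth_basic_user_file; on a machine with the Apache tools, htpasswd -v against that file confirms the entry verifies.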
If your host allows it, you can pair this Basic authentication with fail2ban on either Apache or Nginx: fail2ban watches the web server logs for repeated authentication failures from the same IP address and adds that address to the server’s firewall rules for a configured period of time.
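The following script, an added example that is not part of the original article or of fail2ban, reproduces that rule offline so you can see what such a jail would act on. It parses combined-format access log lines (constructed sample lines, not a real capture) and reports any address with five or more failed login attempts within ten minutes, mirroring fail2ban’s maxretry and findtime settings. Two signals count as failures: a 401 on wp-login.php or under wp-admin (the server-level Basic auth rejected the credentials) and a POST to wp-login.php answered with 200 (WordPress re-rendered the form with an error; a successful login answers with a 302 redirect). The IP addresses and timestamps are made up.

```python
"""Offline reproduction of a fail2ban-style rule for WordPress login abuse.
Added example; the log lines below are constructed, not captured."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip ident user [time] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample: 203.0.113.7 hammers the form, 198.51.100.23 fails once then
# logs in, 192.0.2.9 trips Basic auth three times spread over 80 minutes
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-login.php HTTP/1.1" 200 3812 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:46 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:13:55:52 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:55 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:13:56:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:56:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:14:10:00 +0000] "GET /wp-admin/ HTTP/1.1" 401 381 "-" "curl/8.0"
192.0.2.9 - - [10/Oct/2023:15:30:12 +0000] "GET /wp-login.php HTTP/1.1" 401 381 "-" "curl/8.0"
192.0.2.9 - - [10/Oct/2023:15:30:20 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 401 381 "-" "curl/8.0"
203.0.113.50 - - [10/Oct/2023:15:31:00 +0000] "GET /wp-admin/admin-ajax.php HTTP/1.1" 200 14 "-" "Mozilla/5.0"
this line is not in log format and must be skipped
"""


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])


def is_failed_login(method, path, status):
    """401 on the protected paths = Basic auth rejected; POST to wp-login.php with 200 =
    WordPress re-rendered the form with an error (success is a 302 redirect)."""
    if status == 401 and (path == "/wp-login.php" or path.startswith("/wp-admin")):
        return True
    return method == "POST" and path == "/wp-login.php" and status == 200


def find_offenders(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {ip: time_of_ban} for IPs with >= maxretry failures inside a sliding
    findtime window, like fail2ban's maxretry/findtime. Lines must be in time order."""
    recent = defaultdict(deque)
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if ip in banned or not is_failed_login(method, path, status):
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:      # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{when:%H:%M:%S} ban {ip}")
```

With the defaults only 203.0.113.7 is reported, at its fifth failure; 198.51.100.23 is not, because its one failure was followed by a successful 302, and 192.0.2.9 is not, because its three 401s never fall inside one ten-minute window. Lowering maxretry to 2 would catch 192.0.2.9 as well, which is the trade-off fail2ban’s settings let you tune.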