How to Prevent WordPress Login – Brute Force Attack!

Three month ago there was a string of exploits against known vulnerabilities in Joomla Installation. These vulnerabilities related to a component called JCE,  and obvious the exploit was was attended by releasing updates. Each user of this component were supposed to update their scripts to fix the bug. Since then bad people used this loop to install malware to those who did not apply the fix and on this August  they activated it massively to allow the uploading and execution of mailing scripts which resulted to virtually every webhost in the world became blacklisted on multiple networks.  This resulted in a global inability for email to be received when those emails emails originated from one of the blacklisted IPs and was “received” on one of the blacklisting networks. I was Victim of this situation too!

The above scenario posted me back to last year when there was  massive attach to WordPress Blogs and Websites with Prevent WordPress Login – Brute Force Attack. This attack was known for using fake or spoofed IP addresses and thats why today I am writing to you  this preventive measure to avoid any similar attack that might happen. “Remember prevention is BETTER THAN CURE!”

So, lets see  How to Password Protect the wp-login.php File, this method will help deter this type of attack and other similar brute force attack.

How to Password Protect the wp-login.php File

There are two steps in accomplishing this. First you need to define a password in the .wpadmin file, and then you activate the security in the .htaccess file. If you have more than one domain hosted under the home directory they will share the common .wpadmin file.

First Create the Password File and name it .wpadmin.

Create this file in a directory where web users do not have access;

For Example:  /home/myusername/.wpadmin
(where “myusername” is the cPanel username for the account you want to protect.)

Then put the username and encrypted password inside the .wpadmin file, using the format myusername:encryptedpassword

For Example: jambo:fEotkSc9Q4buaa7

(where “jambo” is a username of your choice, and the password shown is encrypted.)

You can generate password file & upload it via file manager of your Cpanel orant FTP software, else if you are Linux user you  can Create the Password File via SSH / Command Line.

Option One: Using Cpanel

There are many online tools to generate password files but my choice is htaccesstools.com. So we shall create the file and and then upload it via File Manager. You can also use any other FTP software of your choice.

Visit: http://www.htaccesstools.com/htpasswd-generator/
Use the form to create the username and password.

  1. Login to your cPanel.
  2. Click on File Manager.
  3. Select Home Directory.
  4. Check Show Hidden Files (dotfiles) if not checked.
  5. Click on the Go button.
  6. Look for a .wpadmin file.
  7. If it exists, right click on it and select Code Edit to open the editor. Click on the Edit button to edit the file.
  8. If it does not exist lets create it, click on New File at the top of the page, and specify the name as .wpadmin (with the dot at the front) and click on the Create New File button.
  9. Paste the code provided from the website you visited above.
  10. Click on the Save Changes button when complete.
  11. Then Close the file when finished.

Option Two: Using SSH.

This option will need to use utilities like command-line program htpasswd.

Some technical information about htpasswd can be found here: http://httpd.apache.org/docs/current/programs/htpasswd.html.

If you are into this option you probably know what you are supposed to do, in case you wanted an example is given below:

htpasswd -c /home/myusername/.wpadmin jambo

You will  be prompted to enter the password you wish to use for the username “jambo” in order to access the wp-login page. You can then log into the wp-admin interface as you normally would. There are many other online tools that can be used to convert standard passwords to encrypted for this purpose.

Now we have created the file, lets update the .htaccess file.

The last step is to place the following code in the /home/username/.htaccess file:

ErrorDocument 401 “Unauthorized Access”
ErrorDocument 403 “Forbidden”
<FilesMatch “wp-login.php”>
AuthName “Authorized Only”
AuthType Basic
AuthUserFile /home/username/.wpadmin
require valid-user
</FilesMatch>

This is Only one method of securing your WordPress site, like our Facebook page to keep an eye on upcoming articles with more ways to secure WordPress site.

Comments

comments