Since mid April a very large brute force attack has been taking place against WordPress sites.

The brute force attacks have been conducted by a large botnet consisting of thousands of unique IP addresses across the world, trying to steal WordPress admin credentials.

This attack is not just isolated to Web Hosting Hub, and seems to be happening on a global scale across multiple web hosts.

What we're doing

At Web Hosting Hub we have put fleet-wide security rules in place to protect the WordPress admin dashboard and the wp-login.php script from being compromised.

You might also have been blocked by these same security measures and redirected to this article; if so, you can use the steps below to regain access to WordPress.

Also make sure you're using a strong WordPress admin username and password.

Regain access to your WordPress website

If you are blocked by our security rules, you can edit your .htaccess file so that WordPress admin access is blocked for everyone but you, leaving only you able to log in.

Our security rules block login attempts for 15 minutes after a failed login attempt, so after you put these .htaccess rules in place, wait 15 minutes, then try to log in again.

If you already know how to edit files on the server with FTP access, you can edit your .htaccess file to block these brute force WordPress admin login attempts.

You could also use the directions below in order to edit the .htaccess file in cPanel:

  1. Login to cPanel.
  2. Under the Files section, click on the File Manager icon.
  3. From the Document Root for: drop-down, select your WordPress site.
  4. Make sure that Show Hidden Files is checked.
  5. Click Go.
  6. Right-click on your .htaccess file, then click on Edit.
  7. You may have a dialog pop-up from the text editor, go ahead and click Edit.

Now you just need to decide which way you'd like to limit access to your WordPress admin:

Note! Place any of this code at the very top of your .htaccess file.

WordPress admin access via secondary password

The first recommended solution is setting up a secondary .htaccess password.

First, set up password protection on your wp-admin directory.

Now you can copy the text from your /wp-admin/.htaccess file created by cPanel.

Also add the ErrorDocument and <Files admin-ajax.php> lines to the top of the file before closing it.

ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"

# Allow plugin access to admin-ajax.php around password protection
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>


AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
require valid-user

Edit the .htaccess file at the root of your WordPress site, at the same level as wp-login.php.

Simply add the text from your /wp-admin/.htaccess file, surrounded by FilesMatch tags.

Also be sure to place ErrorDocument tags for 401 and 403 at the top to prevent loops.

ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"

<FilesMatch "wp-login.php">
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
require valid-user
</FilesMatch>

Now when you try to access either the /wp-admin directory or the wp-login.php file directly, you'll get a separate web-browser password prompt, and bots won't attack this as they are looking for a valid WordPress admin dashboard login box.

WordPress admin access via restricted IP

The second recommended solution is restricting access by IP address in .htaccess.

Use the following code, replacing the 123\.123\.123\.123 and 123\.123\.123\.124 addresses with your own IP address(es) and keeping the backslash before each dot:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^/wp-admin$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.124$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

Now anyone trying to access your WordPress admin dashboard that is not an allowed IP address, will be blocked from even seeing your WordPress login page.
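As an added example (not code from the article or from Web Hosting Hub), the following Python script generates the block above for a list of allowed addresses, escaping each dot as the comments below describe, and then models how mod_rewrite evaluates the RewriteCond chain ([OR] joins a condition with the next one; every group must hold) so you can see which requests would receive the 403 before touching the live file. The 203.0.113.x and 198.51.100.x addresses are constructed documentation addresses.

```python
"""Generate the IP-restriction rules from the article with the dots escaped,
then evaluate them the way mod_rewrite evaluates RewriteCond chains.

Added example; not part of the original article or of Web Hosting Hub's tooling.
The addresses used are constructed RFC 5737 documentation addresses."""
import ipaddress
import re


def escaped_ip_condition(ip: str) -> str:
    """Return one RewriteCond that excludes a single IPv4 address.

    Each '.' is escaped so it matches only a literal dot; an invalid
    address raises ValueError instead of producing a broken rule."""
    addr = ipaddress.IPv4Address(ip)
    return "RewriteCond %{REMOTE_ADDR} !^" + re.escape(str(addr)) + "$"


def build_htaccess(allowed_ips) -> str:
    """Assemble the article's mod_rewrite block for the given allowed addresses."""
    lines = [
        "<IfModule mod_rewrite.c>",
        "RewriteEngine on",
        # Either the login script or the admin directory is requested ...
        "RewriteCond %{REQUEST_URI} ^/wp-login\\.php(.*)$ [OR]",
        "RewriteCond %{REQUEST_URI} ^/wp-admin$",
    ]
    # ... AND the client is none of the allowed addresses -> 403.
    lines += [escaped_ip_condition(ip) for ip in allowed_ips]
    lines += ["RewriteRule ^(.*)$ - [R=403,L]", "</IfModule>"]
    return "\n".join(lines)


# RewriteCond <variable> <optional !><pattern> [<optional flag>]
COND_RE = re.compile(r"^RewriteCond %\{(\w+)\} (!?)(\S+)(?: \[(\w+)\])?$")


def request_is_blocked(htaccess: str, request_uri: str, remote_addr: str) -> bool:
    """Model mod_rewrite's condition logic for the generated block.

    Consecutive conditions joined by [OR] form one group; the RewriteRule
    fires (here: 403) only when every group has at least one true condition."""
    env = {"REQUEST_URI": request_uri, "REMOTE_ADDR": remote_addr}
    groups, current = [], []
    for line in htaccess.splitlines():
        m = COND_RE.match(line.strip())
        if not m:
            continue
        var, negate, pattern, flag = m.groups()
        matched = re.search(pattern, env[var]) is not None
        current.append(matched if negate == "" else not matched)
        if flag != "OR":
            groups.append(any(current))
            current = []
    if current:  # a trailing [OR] with nothing after it still closes a group
        groups.append(any(current))
    return bool(groups) and all(groups)


if __name__ == "__main__":
    rules = build_htaccess(["203.0.113.10", "203.0.113.11"])
    print(rules)
    for uri, ip in [("/wp-login.php", "198.51.100.7"),
                    ("/wp-login.php", "203.0.113.10"),
                    ("/index.php", "198.51.100.7")]:
        verdict = "403" if request_is_blocked(rules, uri, ip) else "allowed"
        print(f"{ip:>14} {uri:<16} -> {verdict}")
```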

WordPress admin access via required referrer

This is the least recommended solution, as a referrer can easily be faked or obtained.

Use the following code, replacing the example\.com domain with your own domain:

<IfModule mod_rewrite.c>
RewriteEngine on
# Forbid POSTs to the login script or admin directory unless the referrer is your own site
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^http://(.*)?example\.com [NC]
RewriteCond %{REQUEST_URI} (.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} (.*)?wp-admin$
RewriteRule (.*)$ - [F]
</IfModule>

Now when POST requests are sent to your /wp-admin directory or wp-login.php file, the user must come from your website so that their referrer string matches your domain name.
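Whichever method you use, your Apache access log shows whether it is working: POSTs to wp-login.php from sources you did not allow should now be answered with 401 or 403 instead of reaching WordPress. The following Python script is an added example (not from the article or from Web Hosting Hub) that counts those POSTs per source IP over constructed combined-format log lines; its mapping of status codes to outcomes (200 means a failed login, a 3xx redirect means a successful one) is an assumption about WordPress behaviour, not something the article states.

```python
"""Summarise POST traffic to wp-login.php per source IP from Apache access-log lines.

Added example; not from the original article or from Web Hosting Hub's tooling.
The log lines are constructed (Apache 'combined' format, RFC 5737 addresses) and
the status-code mapping below is a heuristic, not something the article states."""
import re
from collections import defaultdict

# host ident user [time] "method path protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: one guesser hitting the form, one guesser already getting
# 403 from .htaccess rules, one legitimate admin login, one unrelated visitor.
SAMPLE_LOG = """\
198.51.100.7 - - [27/Nov/2013:10:01:02 -0500] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Nov/2013:10:01:03 -0500] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Nov/2013:10:01:04 -0500] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.23 - - [27/Nov/2013:10:01:05 -0500] "POST /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.23 - - [27/Nov/2013:10:01:06 -0500] "POST /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.10 - - [27/Nov/2013:10:02:00 -0500] "GET /wp-login.php HTTP/1.1" 200 2510 "-" "Mozilla/5.0"
203.0.113.10 - - [27/Nov/2013:10:02:09 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0"
203.0.113.10 - - [27/Nov/2013:10:02:10 -0500] "GET /wp-admin/ HTTP/1.1" 200 45012 "http://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.99 - - [27/Nov/2013:10:03:00 -0500] "GET /index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""


def parse_log(text: str) -> list:
    """Parse combined-format lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def classify(status: int) -> str:
    """Heuristic outcome of a POST to wp-login.php from its HTTP status."""
    if status in (401, 403):
        return "denied"      # stopped by .htaccess / ModSecurity before WordPress ran
    if status == 200:
        return "failed"      # WordPress re-rendered the login form
    if status in (301, 302, 303, 307):
        return "succeeded"   # redirect into /wp-admin after a valid login
    return "other"


def summarize_login_posts(entries: list) -> dict:
    """Per source IP, count POSTs to wp-login.php by outcome."""
    summary = defaultdict(lambda: {"attempts": 0, "denied": 0, "failed": 0,
                                   "succeeded": 0, "other": 0})
    for e in entries:
        path = e["path"].split("?", 1)[0]
        if e["method"] != "POST" or not path.endswith("/wp-login.php"):
            continue
        stats = summary[e["ip"]]
        stats["attempts"] += 1
        stats[classify(e["status"])] += 1
    return dict(summary)


def flag_brute_force(summary: dict, threshold: int = 3) -> list:
    """Return IPs whose unsuccessful login POSTs (failed or denied) reach the threshold."""
    return sorted(ip for ip, s in summary.items()
                  if s["failed"] + s["denied"] >= threshold)


if __name__ == "__main__":
    summary = summarize_login_posts(parse_log(SAMPLE_LOG))
    print(f"{len(summary)} unique IPs POSTed to wp-login.php")
    for ip, s in sorted(summary.items()):
        print(f"{ip:>14}  {s}")
    print("brute-force suspects:", flag_brute_force(summary))
```

Point the script at a real access log (for example by reading the file into SAMPLE_LOG's place) and any IP that keeps appearing under "denied" is a source your rules are turning away.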

Temporarily disable ModSecurity on your account

If you really need access right away, you also have the option to follow the steps above with your .htaccess file and then disable mod_security via the cPanel Modsec Manager. We recommend re-enabling mod_security after you're able to log back into WordPress so that other possible threats are still being blocked.

Use secure WordPress admin username and password

We also HIGHLY recommend making your WordPress admin password very secure.

Minimum password recommendations:
- At least 8 characters total
- Mixture of upper and lower-case letters
- Numbers and special characters, such as punctuation or other non-alphanumeric characters

Example weak password:
password123

Improved strong password:
Z$xusptZ2M4!Z

You can read our guide on using a strong WordPress admin password for step-by-step instructions on generating and applying a strong password for your WordPress site.

We would also strongly recommend that you use a different WordPress admin username for even further increased security.


Comments

2013-07-05 10:42 am
Seems like this block is happening to my site on a more regular basis. I have followed your directives and changed my password almost every time. But what I don't get is that changing my password (or username for that matter) is a way to prevent them from getting access to my site, right? However, that doesn't do anything to stop the admin from being blocked every time they attack the site. Frankly, I have not seen this happening with other WP sites I have on other servers and I'm wondering if HUB is being targeted more. In any case, I realize the block lasts only temporarily and can be bypassed but I am curious if anything else can be done. I do appreciate your safety measures. Thanks.
2,247 Points
2013-07-05 2:47 pm
JacobN
Staff
Hello yogijbrown, and thanks for your question.

Sorry to hear that you're having issues accessing your WordPress website. I took a look at your account and I do not see where you've added the .htaccess rules mentioned in the above article to limit access to your own IP address for the WordPress admin section.

This will help ensure that bots don't trigger the automated lock-down, which could in turn also lock you out. The level of attack on WordPress sites has subsided a lot from when these attacks first originated back in the middle of April, and Web Hosting Hub doesn't seem to be targeted any more than other hosting companies. Unfortunately one of your sites is probably just in a spammer's list and they continually are trying to come back and test for weaknesses.

Restricting WordPress admin access to a single IP address might get them to remove you from their lists of sites to try, as they should see they get 403 Access Denied responses instead of a standard reply they'd be expecting.

Please let us know if you have any further issues!

- Jacob



2013-07-26 7:17 pm
Thank you for your safety script! It has been stopping a great many attacks.

However, this also means I'm locked out of my site frequently. I've pasted the above code into my htaccess file with my ip address and am still getting almost-daily attacks where I'm then locked out of my Wordpress dashboard. The code is supposed to allow logins from my ip address only, right? Why am I still getting locked out?
9,313 Points
2013-07-29 2:38 pm
arnelc
Staff
Hello BarbaraAllan,

Apologies for the problem and also for what appears to be a delay in the answer to your comment. Oddly, I had worked on your problem last Friday and implemented a solution, but for some reason my reply was not saved (probably user error on my end, so again, my apologies). The main issue with the code in Step 8 of the Wordpress wp-login.php brute force attack article.

I found that the problem you were having was specifically with this line in your code:

RewriteCond %{REMOTE_ADDR} !^68.2.216.203$

You needed to have the line look like this:

RewriteCond %{REMOTE_ADDR} !^68\.2\.216\.203$

The '\'s are required for the IP address specification. Make sure to wait at least 30 minutes so that any existing blocks expire before you try to access the WordPress Admin page.

I hope this helps to answer your question and resolve the login issues! Please let us know if you require any further assistance.

Regards,
Arnel C.
2013-08-09 10:34 pm
I greatly appreciate the extra security measures that are being enacted by WebHosting Hub, as I moved here from Dreamhost, where it seemed as if they had given the master key to Chinese hackers.

At the same time, it is annoying, and sometimes terribly inconvenient, to be unable to access my own WordPress-based sites, which are mostly web directories.

I am taking all of the security measures that I know of myself. I update software regularly. My password is, I believe a secure one. I require the use of a CAPTCHA, and I use multiple security plugins.

I have added my IP number to my .htaccess file but, as I use my Verizon hotspot as an ISP, my number changes frequently.

I don't want to sacrifice security, but I am hoping that there is some way that we could arrive at a point where hackers are unable to access my site, but I am.
2,247 Points
2013-08-12 2:28 pm
JacobN
Staff
Hello Ken, and thanks for the comment.

One thing I might recommend in your case, is instead of locking down access to your WordPress admin section via limiting certain IP addresses access. Instead you could setup a .htaccess password on the /wp-admin directory, and also copy those rules over to protect your wp-login.php file as well.

In order to do this, these would be the basic steps:


  1. Login to cPanel
  2. From the Security section, click on Password Protected Directories
  3. Navigate to the /wp-admin directory you're trying to protect
  4. Setup password protection, including adding a user

At this point, anyone trying to access your WordPress admin section, must first enter in the correct password for the directory protection, before they're given the opportunity to login to the actual WordPress admin dashboard.

Now to prevent direct login attempts sent to the wp-login.php script, you'd also want to carry over your .htaccess password protection to that file, but note you would also need to then give out your .htaccess password to any website visitors that have WordPress users setup for your site and need the ability to log in. Here are the steps to do that:

  1. Open your /wp-admin/.htaccess file
  2. Look for this section of code, and copy it:

    AuthType Basic
    AuthName "Secure Area"
    AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
    require valid-user

  3. Then you need to place that code in the root directory of your WordPress installation surrounded by <FilesMatch> tags, in the .htaccess file there. In this example it would be at /home/example/public_html/.htaccess and look like this:

    <FilesMatch "wp-login.php">
    AuthType Basic
    AuthName "Secure Area"
    AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
    require valid-user
    </FilesMatch>

Hopefully this method would work better in your case for you. Please let us know if you had any further questions at all, or had any issues setting up the password protection this way.

- Jacob
2013-09-03 9:28 pm
I have a follow up question to the article, which left something unclear to me.
The passage: "If you have either a dynamic IP address, or you access WordPress from multiple devices, each IP address that you access WordPress with would also need to be allowed in your .htaccess file", I suppose most of us use dynamic IP addresses from our internet service provider. So how wide is the range of IP addresses we might have over a month? I suspect too many to use the REMOTE_ADDR option. Please confirm I should simply skip that tactic and move on to the .htaccess password.
For me at least, the original instructions need some clarity in this regard.
2013-09-03 10:05 pm
And now....
a further follow up question.

When securing the directory, the form asks the user to name the protected directory. Since said user just clicked on the intended directory (which brought up the form) and the directory and its full path is listed above: "set permissions for....", which directory was so obvious that I got confused and supposed that your interface wanted some sort of alias for the intended directory as a further layer of protection. Therefore, please! amend your directions above to state: 3-b. Re-enter the name of the directory you just clicked (in other words, I find the text box there entirely superfluous!).

Now, when adding the "<FilesMatch "wp-login.php">" information, does that go before or after the: "# BEGIN WordPress" // # END WordPress" section? This seems to me to be a very critical point to be clear on.
Thanks,

9,313 Points
2013-09-04 1:08 pm
arnelc
Staff

Hello Datamason,

Thanks for the questions. I will try to clarify the issues that you have expressed.

"...how wide is the range of IP addresses we might have over a month?"

That entirely depends upon how often your IP address changes when you access the WordPress site. Typically internet providers do not vary your IP address. So, if you're accessing it from your home or office wireless, the outbound IP will most likely stay the same. If you access the site from a variety of locations, then the number of IPs used to access the site will depend on the number of these locations.

If you're using a mobile wireless solution, then the IP will more likely be consistent. IF you are using an anonymous connection where the IP address is repeatedly changed, then this solution (locking down the login by IP address) would not be suitable for you.

Concerning the Protected directories

The instructions for this are typical and correct, though maybe some distinction should be applied to the word "navigate." Here's the confusion... when you click on the TITLE (the name to the right of the folder icon) of the directory, then you are actually selecting that folder to protect it. However, you can navigate to a subfolder by clicking on the FOLDER icon. It will open up the contents of the folder if there is anything under it. For anyone else needing the explicit directions for this procedure, go to Password Protecting a directory.

And finally, in regards to .htaccess edit...

When you see a "#" sign, it actually means that the line is merely a comment and is NOT processed as an .htaccess rule. Therefore, those markings of beginning and ending are usually only there to simply organize the statements to place in the .htaccess file. However, it is important to understand that the rules/settings that you place in the .htaccess file are executed in the order that they are read (top to bottom). Therefore, yes, they should go in the WordPress section of the .htaccess file. It's mainly being placed there for organization's sake and to let anyone know that it applies to your WordPress installation. Placement of the rules depends on the other statements in your .htaccess file. If you intend for these rules to be executed before others, then the whole section should be at the top.

I hope this helps to explain this issue for you! Please let us know if you have any further questions or comments.

Regards,
Arnel C.
2013-10-07 1:14 pm
I've tried adding a secondary password and restricting access to my IP. In both cases, I get a Google Chrome error "This website has a redirect loop." In IE, the page never loads. I've been blocked for nearly 2 weeks now. I appreciate the security measures but I'm quite frustrated that the so-called fix doesn't work properly. Advice?
7,075 Points
2013-10-07 2:05 pm
Hello GregBeaman,

I looked into this further and this loop was created because the server was trying to find the correct ErrorDocument to handle the password request. So I've placed the following bit of code in both your /public_html/.htaccess and /public_html/wp-admin/.htaccess files:
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"


After adding this, I am no longer getting the "redirect loop error."

If you have any further questions, feel free to post them below.
Thank you,

-John-Paul
2014-01-06 5:04 pm
I did the first two solutions and am still unable to access my site. When I navigate to my wp-admin page, I have the pop-up login but entering my username and password only sends me to a "Denied" message. Please help!
2,247 Points
2014-01-06 7:50 pm
JacobN
Staff
Hello GregBeaman,

Sorry to hear that you're having issues again. I saw that you also commented on this post back in October having some issues with a re-direct loop after adding the .htaccess password protection.

The password pop-up that you're getting when trying to access your WordPress admin section is from that same .htaccess password protection. It's not going to be the same credentials as your WordPress login, but rather what username and password you created in cPanel for the password protected /wp-admin directory.

If you've forgotten the password, you can simply update it using these steps:


  1. Login to cPanel
  2. Under the Security section, click on Password Protect Directories
  3. Click the Document Root for: option, then click Go
  4. Click on the wp-admin directory which should have a padlock beside it
  5. Under the Create User section, fill in the same Username that you have below in the Authorized Users section
     Fill out and confirm the password you want to use, then click Add/modify authorized user

Now when you get the password pop-up, enter in the new password you just set in cPanel. Then you should be presented with your normal WordPress admin login page, which you'll want to use your normal WordPress credentials to login to.

If you're still having any problems please let us know!

- Jacob
2014-01-06 8:13 pm
Hi Jacob,
I just followed the steps you posted and I am still directed to a "Denied" message. Any further advice to get past this?
Thank you
2,247 Points
2014-01-06 11:51 pm
JacobN
Staff
Hello again GregBeaman,

If you're getting the "Denied" message, that means that the username and password you entered into the web-browser pop-up didn't match the password protection that's in your .htaccess file.

It's possible I suppose that your .htaccess file got cached in your web-browser, and it's not seeing the updated password that you created following the steps above in my last response.

Try to clear your web-browser's cache. Then in a new window try to bypass the .htaccess password protection again, but also note that your username is going to be what's in cPanel as well, and not related to WordPress itself.

If you're still getting a "Denied" message after clearing your cache, please let us know!

- Jacob
2014-01-07 12:34 am
JacobN,
I still get the "Denied" message. What is the deal? I would rather deal with 1000 fake gucci ads every day. Just please give me my website back,
Thank you.
1,112 Points
2014-01-07 9:08 am
JeffMa
Staff
Hello GregBeaman,

If you are absolutely sure that your .htaccess file is not still within your browser by clearing your cache as well as trying another browser, as well as ensured that the username and password that you have entered are correct, you may want to remove the password protection and re-add it again to re-create the file. Renaming your .htaccess file and then adding the password protection would also be a good step as well.
2013-11-21 2:39 pm
I've applied the first solution to no avail. The first time I tried to login, a popup window appeared and I entered my new username and password which I created for my protected "pswrd" folder but then I got the same block page.

I run a multi-author blog and I want everybody to be able to login safely. Please help!
2,247 Points
2013-11-21 3:49 pm
JacobN
Staff
Hello Xenoash,

Sorry to hear that you're still having issues. It sounds like possibly you have a WordPress plugin that is continuing to hit your wp-login.php script and triggering the ModSecurity rules on the server.

After implementing the secondary .htaccess password, try to wait 15 minutes and then attempt to login again. If you're still having issues, then more than likely it is a plugin causing the problem.

Because you have a multi author blog, you might have better success using the required referrer method for restricting access to your WordPress admin.

If you're still running into issues, please let us know!

- Jacob



2013-11-27 1:35 pm
I have been attacked again after implementing the first option!
Is there a more secure solution that can protect my website from brute-force attacks permanently?

Is this happening to WHH's servers more frequently than other hosting companies?

Is my website on a shared server or it has its own private server?

Thanks for the help provided so far.
2,247 Points
2013-11-27 1:58 pm
JacobN
Staff
Hello again Xenoash,

When you implement any of these .htaccess rules to lock down your WordPress administrator dashboard, that won't stop the brute force attacks from taking place, but it should secure your login credentials from being compromised and your site being modified without your permission.

The trend in WordPress brute force attacks is not limited to WebHostingHub and affects any website at any web host that the attackers have in their list as a target. So once they begin to attack your domain, it wouldn't matter what web host you're using, as they are still attacking directly by your domain name, and not from the web host's server level.

You are on a shared server, but again this problem isn't coming from internal at the server level. You simply have outside sources trying to directly access your wp-login.php script, and for the time being because you've implemented some .htaccess blocking, they are all getting denied requests, so they aren't actually getting the chance to attempt to login to your WordPress dashboard.

It looks like since yesterday, you've had 59 unique IP addresses attempt to POST a request to your wp-login.php script. But they got denied by your secondary .htaccess password rules.

Please let us know if you had any further questions at all.

- Jacob
2014-01-05 11:34 am
I'm 'still' not able to login and access my wp admin dashboard. I tried the IP solution -and- the first recommended solution. Neither have granted me access, so I returned the htaccess files back to the way I initially had them. I have a question about the IP solution ... when I click on the link to get the IP info - is this the IP for my domain? My personal IP is different - so should I try using that, instead? I understand how the two are different ... I'm just willing to try an alternate route, if it's possible.
8,823 Points
2014-01-06 10:50 am
ScottM
Staff
Hello lcwhitlock,

The IP address shown when clicking the link is correct as that is your public facing IP for your network. The local IP address for your computer will not be seen by the server so it will have no effect if you place that in the list.

Also, keep in mind, if the site is currently under the block time, that time will still need to expire before any changes you make will work.

Kindest Regards,
Scott M
2014-01-06 11:14 am
Hello ScottM~! Well, after numerous attempts (since yesterday), to secure login, I'm still unsuccessful. I just now submitted a support ticket. I don't know what else to do, and pardon me for saying so, I'm quite frustrated. heh
2,247 Points
2014-01-06 3:34 pm
JacobN
Staff
Hello lcwhitlock,

Sorry to hear that you're having continued issues getting into your WordPress admin. I took a look and it appears it's probably coming from the placement of your rules in the .htaccess file. As I was taking a look at your account, it looks like you might have as well, as the admin block went back into place.

I'm waiting for the admin block to expire right now so that I can test the .htaccess edits, and once I have a solution working for you I'll go ahead and respond to the support ticket I see that you have open as well regarding the issue.

- Jacob
2,247 Points
2014-01-06 4:26 pm
JacobN
Staff
Hello again lcwhitlock,

Sorry it took a while to figure out what the cause of your problems was. It looks like the php.ini file you were trying to include within your .htaccess file was causing the issues. So I've gone ahead and copied over the server's default one.

Unfortunately I was unable to determine exactly what setting in your php.ini file was causing the issues, as it didn't appear to be logging any errors. But I went ahead and left a copy of yours in the /public_html/ directory called php.ini-USER. Your current php.ini file is one that I copied from the server's default location of /usr/local/lib/php.ini.

If you get past the .htaccess password prompt successfully, but then after entering in your WordPress credentials you simply remain at the login page now, that should mean the credentials just aren't accepted.

You should be able to simply reset your WordPress admin password, I'd recommend using the 3rd method using phpMyAdmin in cPanel to adjust the user_pass column for your admin user to an MD5 format and then just entering in the password you'd like to use for WordPress.

If you're still having any issues at all, please let us know!

- Jacob
2014-01-06 2:29 pm
I have attempted the first solution above and am not having any luck accessing my site. I believe that I have followed the directions, but am not having any luck with entry to my site. This is beyond frustrating as I have time sensitive information that I need added to my site.
2014-01-06 2:32 pm
It also appears that my entire site is inaccessible.
2,247 Points
2014-01-06 3:55 pm
JacobN
Staff
Hello dromens,

Sorry for the problems you were having. I see that your website is fully accessible at this time, are you still also having issues logging into the WordPress admin?

If you first got redirected to this article because of our internal ModSecurity rules, the instructions for the .htaccess modifications can help limit the amount of people that are even allowed to attempt to login to WordPress at all.

Currently I can pull up your WordPress admin login, so that means the ModSecurity temporary block is over at this time. However if there are some unsuccessful login attempts again, and you don't have one of the .htaccess methods setup for restricting access to just yourself this could possibly happen again.

If you followed the first option for adding secondary password protection in your .htaccess file, you should have gotten a password pop-up in your web-browser when trying to access the WordPress admin again. Did that happen for you? If you did get the password pop-up, after you filled that in, were you still told the ModSecurity block was active and directed to this article? If that's the case, you'd want to wait a full 15 minutes to ensure all signs of the block have worn off, before attempting to login again.

Please let us know if you're still having issues at all.

- Jacob
2014-01-16 4:53 pm
Hi, We're having the same problem as GregBeaman above. We keep getting a denied message. We've tried option 1 as well as clearing cache, trying another browser and still getting denied. We absolutely cannot get into our website. Please help. Thank you.
Kath and Christie
2,247 Points
2014-01-16 6:31 pm
JacobN
Staff
Hello suminoizumick,

Sorry to hear that you're having issues with your WordPress site. You mentioned you setup the .htaccess password protection from option 1 above, so when you say you're being denied, are you seeing the website pop-up box requesting your secondary password?

Or are you simply getting redirected to this article right away and seeing our error page?

Once the .htaccess password protection is setup, if you clear your web-browser's cache after waiting 15 minutes for the previous block to expire, you should only be presented with the .htaccess password prompt in a pop-up window. If you instead are seeing the WordPress admin login form, or seeing our error page again, then that means the .htaccess rules are not setup properly.

Unfortunately I was unable to find an account associated with the email address used here to take a look myself. If you'd like you can email support at support@webhostinghub.com and let them know the domain you're having issues with so that we can take a look for you. Or if you feel comfortable you can respond here publicly with that information as well and we'd be glad to take a closer look for you.

- Jacob
2014-01-16 11:33 pm
I added a secondary password but I am still getting blocked from my website by the security measures. What is happening? I can't afford to be locked out of my website.
7,075 Points
2014-01-17 5:16 pm
Hello rholzer,

Thank you for your question. If you are getting locked out, most likely someone is attempting to gain access to your Wordpress powered site. If you have followed this guide and are still not able to get in to your Wordpress site, I recommend contacting live support, or replying with your domain name so we can look at your specific setup.

If you have any further questions, feel free to post them below.
Thank you,

-John-Paul
n/a Points
2014-03-02 6:06 am

While it is a complete pain being locked out of your wordpress admin, I would far rather this than find (as I did once) some dirtbag has gained access and destroyed my files. The last time WHH blocked access to my www.easyflatpax.com site was well over a year ago, and today, it has happened again. Hardly a real problem! Having just changed ISP, I was yesterday forced to remove the code requiring my safe ip addresses as it would appear my ISP has done something which does not allow me access via this way (what, I don't know). I therefore set up a secondary password via cPanel, which works! I recommend this method as it is simple to do and, provided your username and password both contain a mix of upper/lower case, digits, letters and punctuation, they will not get in that way. Thanks to WHH for having the extra layer of security on top of all this!

2,247 Points
2014-03-03 5:51 pm
JacobN
Staff
Hello Andrew, and thanks for the kind words!

Glad to hear that setting up the secondary .htaccess password protection worked for you. Your new ISP might be rotating your IP address causing conflicts with the restricting access to your IP method. But the secondary password should work in all cases.

I also went ahead and just updated this article and the password protection section to add in another rule that allows any plugins that needs access to the /wp-admin/admin-ajax.php script. If you're noticing any strange behavior after password protecting the /wp-admin directory be sure to try that out.

Thanks again!

- Jacob
n/a Points
2014-03-09 11:47 am

Hi JacobN, Thought I would share this. I found that you were right, and that secondary .htaccess password protection no longer works for me because my isp is rotating my ip. I therefore went the route of password protecting wp-admin through cPanel but have encountered another problem in that visitors to website get the password box, not just visitors to wp-admin. Try as I might, I could not get around this, so have abandoned this method. I discovered a third alternative! This is a plugin which requires a second password (authorisation code) on the login page. I can't tell you the name of the plugin as my site has been attacked again and you have put a block on it again. I have to ask the question, is it WebHostingHub that is being targeted? I do have other sites on other servers and don't have these problems.

1,112 Points
2014-03-10 11:05 am
JeffMa
Staff
WordPress sites all over the world are being targeted. Most providers, however, do not have this additional layer of security so you would not see anything about it on their servers until your site becomes hacked.
n/a Points
2014-03-12 12:26 am

Hi, 

this does not work at all for a multisite WordPress. I can only log on to the main web site.

Could you please indicate the changes to be done for a multisite WordPress?

Thanks

Jose

2,247 Points
2014-03-12 11:34 am
JacobN
Staff
Hello Jose, sorry for the troubles.

Which of the .htaccess rules above are you trying to use? I setup a new WordPress Multisite (now referred to as Network) using the secondary .htaccess password method, and I was able to login to each of the 4 sites I setup under the main install.

If you did it this way, each admin user of a separate Multisite would be prompted for a secondary .htaccess password. You could just have them all use the same credentials at this stage, then once they are past that they can just login to WordPress as normal. Or if you'd like you can create multiple users and passwords for your password protected directory as well.

This should still allow access to your WordPress Network, while also denying access to malicious bots trying to brute force any of your sites.

If you're still having any issues at all, please let us know how you have things setup, and we'd be glad to try to come up with a solution.

- Jacob
n/a Points
2014-03-13 6:41 am

Thanks Jacob,

It's all working now. It was caused by a cache somewhere between the server and my machine.

I am not fully understanding the point about mod_security. Does it have to be on or off?

Thanks

Jose


1,112 Points
2014-03-13 8:13 am
JeffMa
Staff
Hello Jose,

It is always a good idea to keep mod_security turned on as it is quite effective in blocking malicious attacks to your site.
n/a Points
2014-03-14 6:28 pm

This changed now, all my sites are asking for a password including from the root, hey what's going on?

Thanks

Jose


n/a Points
2014-03-13 3:18 pm

My site has been down all day because of this. Support have been fairly useless ("have a look on wordpress.org for a solution") and now I'm just getting a 406 error, before going back to the warning page mentioned above.


2,247 Points
2014-03-13 7:38 pm
JacobN
Staff
Hello Mat D,

Sorry to hear that you've been having issues getting to your WordPress dashboard. I see that it looks like you've implemented the required referrer method above.

It looks like your login attempts are coming in with a valid referrer, so the POST attempts are not being stopped by the .htaccess rules you've implemented.

I've gone ahead and temporarily setup the secondary .htaccess password method for you. This should stop all unwanted login requests from coming in, allow the 15 minute block of the admin panel to expire, and then you should be able to get back in.

You should see that the username / password is displayed in the pop-up box in your web-browser, so if you have multiple users needing to get into WordPress, they should all be able to use those same credentials mentioned in the pop-up to bypass the secondary password, then they can just login to WordPress as normal.

If you are not seeing a password pop-up when you try to visit your WordPress dashboard, please make sure to clear your cache, as it's possible that the server's old .htaccess rules would still be cached there locally.

If you're still having any issues at all, please let us know!

- Jacob
n/a Points
2014-03-13 7:42 pm

I can log in fine with the password box, but still get the 406 error, so the site is not usable.

1,112 Points
2014-03-14 8:32 am
JeffMa
Staff
How long have you had the protection in place? It can take up to 15-20 minutes to allow access again.
n/a Points
2014-03-14 8:35 am

It's been there for about 12 hours... Like I said, I'm not getting the brute force protection screen, just the 406 error.

1,112 Points
2014-03-14 8:54 am
JeffMa
Staff
If you have the protection fully in place and are still locked out of your WordPress dashboard after a significant amount of time, you may want to submit a ticket to technical support in which they will be able to provide you with any account-specific information.
n/a Points
2014-03-14 9:53 pm

While I appreciate the security concerns, it seems to defeat the purpose of having a site when I am "temporarily" locked out of it 99.99% of the time. I host a WordPress-based directory, and have had to close submissions, which also defeats the purpose, because no one is ever allowed to register for an account or access it if they had one. More often than not, I can't even add sites myself because I'm locked out. I can't host WordPress-based client sites on Webhosting Hub because no client is going to accept being locked out of his own site more often than not. I have a client who wants a site that will include a blog, and I am going to have to set him up on another host because this just isn't acceptable. There has to be a workable workaround. I tried the .htaccess thing, and that got me in once, but the next time I tried to get in, I was locked out again, and I can't imagine trying any of the other options without blowing everything up.

1,112 Points
2014-03-17 8:14 am
JeffMa
Staff
Hello Ken,

I do understand that this can be frustrating. Your WordPress admin dashboard becoming locked down is due to an active brute force attack on your WordPress site at that time. Without the additional protection that we have in place, your site could either become compromised quite quickly, or the severity of the attacks could cause your server load to spike up, causing your entire site to become unavailable. There are several solutions available to protect your site in this manner, such as a secondary password, blocking based on referrer, or blocking based on IP as shown within this article. It can be a bit inconvenient, but it is your best solution to avoid your site becoming hacked.
n/a Points
2014-03-19 12:03 am

It would be SO USEFUL if the instructions above said that you have to wait 15 minutes. I've been beating my head against a wall trying to figure out what I did wrong in following the directions, but then read in the comments that I'm supposed to wait 15 minutes after making the changes to my .htaccess files. Arrgh!

2,247 Points
2014-03-20 1:51 pm
JacobN
Staff
Hello Todd,

Sorry for the confusion, and thank you so much for pointing that out. I've updated the article to reflect that you do need to wait 15 minutes after implementing .htaccess rules to limit login access to yourself, before you attempt to login to your dashboard again.

I see this was talked about like you said multiple times in the comments, but I had assumed I had that in the article already, so I was just reiterating it to users.

Hopefully that clears up any confusion for other users, and thanks again so much for letting us know!

- Jacob

n/a Points
2014-03-20 9:03 am

On my site I have over 100 students who log in to comment on posts. I've enacted secondary password protection. It seems to have helped, but users are still getting locked out quite frequently.

Is there a way to know via the control panel if the problem is truly because of spammers or if, perhaps, too many users are entering their login info incorrectly? Thank you!

1,112 Points
2014-03-20 9:06 am
JeffMa
Staff
If you have locked down your WordPress admin with a secondary password and still see this occasionally, it is due to one of the legitimate users that have the secondary password entering in their WordPress user password incorrectly.
2,247 Points
2014-03-20 2:10 pm
JacobN
Staff
Hello Ian,

Sorry for the troubles. When handling a lot of login attempts to WordPress, our security rules might trip if the frequency of failed logins among those requests is too high.

You can login to cPanel, then under the Logs section click on Latest Visitors to view your recent login attempts.

In the search box, you would type in wp-login.php, and then I would recommend clicking on the settings cog towards the top-right, and placing a check-mark only beside IP, URL, Time, Status, Method.

If you see a lot of 200 responses in a row for your wp-login.php, these are failed password attempts, and will eventually trigger a 503 response which is when our security rules kick in.

If you are only having valid login attempts, then you should see a 200 GET /wp-login.php response, followed right away by a 302 POST /wp-login.php response.

The 302 response is a redirect code, showing that a successful WordPress password was entered, so you could look for any IP addresses that are causing only 200 GET /wp-login.php requests, without a corresponding 302 redirect, and then you would know what IPs are possibly still triggering our security rules.

If you noticed the IP address 123.123.123.123 was causing this for instance, you could add this rule to the top of your .htaccess file to stop them from being able to get past your secondary password protection, and stop them from using a bad WordPress login that is triggering our security rules:
deny from 123.123.123.123


If you are still having issues with our security rules triggering on your valid login attempts please let us know!

- Jacob

n/a Points
2014-03-22 11:45 pm

Hi

Before I start playing around with code I want to know if the block will simply expire by itself after 15 minutes or if I absolutely have to make the changes above.

7,075 Points
2014-03-24 9:46 am
Hello Peter,

As long as the brute force attempts stop, the block will expire after 15 minutes.

So, if you are still not able to get in after 15 minutes, then you will have to make the above changes.

If you have any further questions, feel free to post them below.
Thank you,

-John-Paul
n/a Points
2014-03-24 2:13 pm

I am getting email notifications of updates to the comments section of this page, latest update is 3/24.

However, the last message on the page that I can view is from 3/3/2014. Why is that?

Am using Firefox 27.0 on a Linux box.

2,247 Points
2014-03-24 2:26 pm
JacobN
Staff
Hello Michael,

This could be getting caused by our server-side cache of this page. I've gone ahead and forcefully reset the cache, so you should be able to see the updated comments now.

If you didn't want to receive any further email notifications, simply click on the Email Notifications link below, and then click on No and Update.

Please let us know if you need anything else.

- Jacob
n/a Points
2014-03-31 8:23 pm

At this time, I have four web hosts. This is the only one that has me locked out of my own site 99% of the time. My objective was to run a WordPress-based web directory. Well, I couldn't do that on WebHosting Hub because no one was ever allowed to create an account or submit a site. I had to disable submissions, adding sites myself, in order to get the directory going, in the hope that, at some point, WebHosting Hub will find a way to protect our sites without locking out the good guys. You provide several options here, none of which I am capable of following. I don't know what to say. While I can certainly understand security measures, locking out the site administrators from their own sites just doesn't make sense. The whole point of WordPress is interactivity, and that is not allowed on WebHosting Hub.

9,313 Points
2014-03-31 10:07 pm
arnelc
Staff
Apologies for the trouble, Mr. Anderson.

Web Hosting Hub hosts hundreds of WordPress sites, and problems applying the provided solutions are not common among our users. If you are unable to apply these solutions, we can apply them to your account, but you need to provide more information about the method you want to use and user information based on the method you have selected to implement. You can get this done by submitting a technical support ticket with the appropriate information so that we can help you. If one of the solutions is applied appropriately, you would not be locked out. If you want to make these changes yourself, then you can reference the tutorial on editing your .htaccess file.

We do apologize again with the problems you've had with the site. We have many users who are able to use their WordPress sites with no problem. We can help you with your issue as well, but we just need more information in order to give you assistance.

Regards,
Arnel C.
n/a Points
2014-04-04 12:42 am

This is by far the most annoying thing I have ever experienced in my life with any web host and it seems as if the company itself does not care that this is more of an inconvenience to its customers than it is to anyone else. I understand the need to keep hackers/spammers out. However, I use my WordPress to run and operate a store front, which requires users to register so that they may make purchases and I may keep track of who and how often purchases are being made. Customers and even MYSELF are being locked out from logging in. If they can't log in, they can't buy, and when they get that god-awful lockout message it scares them off from even ever wanting to make a purchase. I am losing customers and this is my livelihood, how I pay my bills and feed my child. I would think that this company would care that the reason I am paying for hosting is to actually use it, not be locked out of it every other day. I have another blog where only I access the login area because it is a test blog. I have the password stored on my computer so that I do not have to retype it and still I am locked out of that one as well even though I am very well not typing in my password incorrectly.

I have contacted the support team by chat on several different occasions about this issue and I am still brought to this very same page and instructions that clearly I can't use because I cannot .htaccess a login page that not only I am going to access but countless unknown users who plan to purchase on my site will need to be able to access. How on earth would I use a secondary password that all my users whom I don't personally know would know? I recommended this hosting to a client whose site I designed; she also faces this same issue with her blog and her site has not even gone live yet. Only she and I have used the login. She is upset and doesn't want to continue with it because this issue is too "big" to just let slide and I very well agree.

Not only is it annoying, the lock doesn't only last 15 minutes; sometimes it's a whole 2 hrs before I can get back into my site. When I am trying to make updates and edit I don't have 2 hrs to waste twiddling my thumbs waiting to be able to access my own darn site. I want to get in, get it done and get out. I am honestly fed up & I think if this is the only solution you guys have I may have to cancel my hosting all together and find another place.

7,075 Points
2014-04-04 10:34 am
Hello Odessa,

Thank you for your comment. We definitely understand your frustration, since the brute-force attacks cause trouble for us too.

Under most circumstances, adding your IP to the .htaccess file is a viable option, but this seems to be a special case.

As an alternate solution, I recommend submitting a verified ticket requesting that we disable the mod_sec rules.

Then, use a 3rd party WordPress plugin to protect your website.

If you have any further questions, feel free to post them below.
Thank you,

-John-Paul
2,247 Points
2014-04-04 2:42 pm
JacobN
Staff
Hello Odessa,

Sorry for the troubles and frustration. I went ahead and took a look at your account and did see in your access logs that you have been getting blocked out of your WordPress admin.

It seems that it is not your valid users attempting to login or register that is causing the problems but instead it looks like mostly malicious bot activity.

Luckily one thing of note is that any modern web enabled device a human would use is going to be using the HTTP/1.1 protocol which was made the standard towards the end of 1999. It looks like almost all of your malicious request attempts to login are coming from HTTP/1.0 clients, which would indicate more than likely an automated bot source.

I've gone ahead and implemented some .htaccess rules for your WordPress sites that should specifically block these type of bot attempts, while still allowing normal human attempts:

# Block HTTP/1.0 clients from POSTing to wp-login.php.
# Browsers speak HTTP/1.1 (or newer); a login POST over HTTP/1.0 is
# almost always an automated client. GETs and HTTP/1.1 POSTs are untouched.
RewriteEngine On
RewriteCond %{SERVER_PROTOCOL} ^HTTP/1\.0$
RewriteCond %{REQUEST_METHOD} ^POST$
RewriteCond %{REQUEST_URI} ^/wp-login\.php
RewriteRule .* - [R=403,L]


Hopefully that should help prevent these malicious users from locking out your good users. If you continue to have any issues at all, I've gone ahead and enabled raw log archiving for your account so that we can review things historically from the server-side to help prevent further false positive security blocks.

Or as JohnPaul had mentioned, if you'd like to submit a ticket and request for the ModSecurity rules to be disabled altogether for your account, please go ahead and do that.

- Jacob
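The two triage heuristics in Jacob's replies above (the 200/302 pattern on wp-login.php followed by a `deny from` rule, and the HTTP/1.0 tell in the rewrite rules just posted) can be run over an access log in one pass. The script below is an added example, not code from this article or from Web Hosting Hub. It assumes the Apache "combined" log format that cPanel's raw access logs use, a failure threshold of three failed login POSTs with no success (an assumption, adjust to taste), and the sample log lines are constructed for the example with RFC 5737 documentation addresses.

```python
"""Triage wp-login.php traffic in an Apache access log.

Added example, not code from the article or from Web Hosting Hub. It
implements the two heuristics from the staff comments above:

  * a POST to wp-login.php answered with 200 is a failed login (WordPress
    re-renders the form), a POST answered with 302 is a successful one;
  * a login POST sent over HTTP/1.0 is almost certainly an automated client.

Assumptions: Apache "combined" log format, and a threshold of three
failures with no success; the sample log lines are constructed.
"""
import re
from collections import defaultdict

# Apache combined log format; only the fields we use are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample: a normal login, an HTTP/1.0 bot, a human who mistyped
# once before logging in, and an HTTP/1.1 client that never gets in.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Mar/2014:08:01:02 -0400] "GET /wp-login.php HTTP/1.1" 200 2314 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Mar/2014:08:01:09 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.7 - - [14/Mar/2014:08:02:00 -0400] "POST /wp-login.php HTTP/1.0" 200 2410 "-" "-"
198.51.100.7 - - [14/Mar/2014:08:02:01 -0400] "POST /wp-login.php HTTP/1.0" 200 2410 "-" "-"
192.0.2.44 - - [14/Mar/2014:08:03:15 -0400] "POST /wp-login.php HTTP/1.1" 200 2410 "http://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.44 - - [14/Mar/2014:08:03:40 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.99 - - [14/Mar/2014:08:05:00 -0400] "POST /wp-login.php HTTP/1.1" 200 2410 "http://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.99 - - [14/Mar/2014:08:05:30 -0400] "POST /wp-login.php HTTP/1.1" 200 2410 "http://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.99 - - [14/Mar/2014:08:05:45 -0400] "POST /wp-login.php HTTP/1.1" 200 2410 "http://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.99 - - [14/Mar/2014:08:05:50 -0400] "POST /wp-login.php HTTP/1.1" 200 2410 "http://example.com/wp-login.php" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the captured fields of one log line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Per-IP counts of login POSTs: failed (200), successful (302), HTTP/1.0."""
    stats = defaultdict(lambda: {"failed": 0, "success": 0, "http10_posts": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue  # GETs only load the form; they say nothing about credentials
        if not rec["path"].split("?", 1)[0].endswith("/wp-login.php"):
            continue
        s = stats[rec["ip"]]
        if rec["status"] == "302":
            s["success"] += 1
        elif rec["status"] == "200":
            s["failed"] += 1
        if rec["proto"] == "HTTP/1.0":
            s["http10_posts"] += 1
    return dict(stats)


def flag_ips(lines, min_failures=3):
    """Map each suspicious IP to the reason it was flagged."""
    flagged = {}
    for ip, s in summarize(lines).items():
        if s["http10_posts"]:
            flagged[ip] = "login POST over HTTP/1.0"
        elif s["failed"] >= min_failures and s["success"] == 0:
            flagged[ip] = "%d failed logins, no success" % s["failed"]
    return flagged


def deny_rules(ips):
    """Apache 2.2-style 'deny from' lines, as used in the comment above."""
    return ["deny from %s" % ip for ip in sorted(ips)]


if __name__ == "__main__":
    flagged = flag_ips(SAMPLE_LOG.splitlines())
    for ip, why in sorted(flagged.items()):
        print("%-15s %s" % (ip, why))
    print("\n".join(deny_rules(flagged)))
```

Feed it the domain's raw access log instead of `SAMPLE_LOG` (the raw log archiving Jacob mentions keeps these beyond the current day). Two caveats before pasting the output into .htaccess: `deny from` is the Apache 2.2 mod_access syntax used in this thread, and on Apache 2.4 the equivalent is a `Require not ip` line inside a `<RequireAll>` block; and the HTTP/1.0 heuristic assumes Apache sees the client directly, so if a reverse proxy or CDN in front of the server talks HTTP/1.0 upstream, every login will look like a bot and you should check what protocol your own successful login shows in the log first.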
n/a Points
2014-04-04 6:32 pm

Thank you both for the response. It seems as if the support chat response is always just designed to point me here, and I have explained several times to them this fix isn't really good for my personal situation. I will submit a ticket to have it disabled; are there any 3rd party apps you may recommend? Would something like reCAPTCHA or anything else that would identify a human from a bot at the login screen work well for keeping bots from making the lockout screen happen? Much like what you have here in the comment section.

Aside from this one issue I have had no problems with the hosting and I really appreciate you both taking the time to respond to me with helpful information. Thank you once again!

2,247 Points
2014-04-04 7:14 pm
JacobN
Staff
Hello again Odessa,

No problem for the responses, sorry if our front-line tech support hasn't been the biggest help with these issues for you. Unfortunately sometimes support is not aware of underlying implications causing our server security rules to trigger.

I sent you a separate email detailing that it seems like your WordPress Good Question plugin was not properly functioning, and that was making it seem like even your valid users trying to register had invalid login requests which triggered our security rules.

I would recommend the WordPress WP-reCAPTCHA plugin for blocking fake registration attempts. It uses the same Google reCAPTCHA service that we use here on our public comments section, but allows you to protect your WordPress comments, and registrations.

I see that you've gone ahead and put in a ticket to have the WordPress ModSecurity rules disabled on your account. I went ahead and did that for you and responded to that ticket separately as well.

Please let us know if you run into any other snags or have any further questions at all!

- Jacob

n/a Points
2014-04-13 9:06 pm

Hello,

I've followed the steps for the first option of getting a secondary password. It worked. But when I tried again after a couple of hours, I'm blocked again. I have my htaccess files correct. Please let me know what else I can do, this is really inconvenient.

Thanks 

1,112 Points
2014-04-14 10:16 am
JeffMa
Staff
Does your WordPress admin panel successfully prompt you for a secondary password when you attempt to log in? If not, the code may not be fully inserted correctly.
