Go to WordPress wp-login.php brute force attack for the latest information on the WordPress attacks and how best to stop the problem (04/12/13).

Why is there a trend of attacks on WordPress?

WordPress is one of the most widely used website solutions on the internet today. As a result, it is also very often the target of malicious activity. Recently, there has been a trend of increased brute force attacks aiming to get access to WordPress as administrator-level users. This is in part due to the nature of WordPress and how it has evolved into the website solution it is today. WordPress was originally designed to be simple blogging software. However, it is often used for many other purposes such as ecommerce, bulletin boards, personal journals, etc. This makes these websites more valuable as targets. Hackers often want to either disrupt this traffic or to somehow obtain information from these websites.


What is a Brute Force Attack?

One of the methods used to gain information, primarily login information, is called a brute force attack. As the name suggests, the attackers are not hiding the attack, and there is no efficiency to it. You could say it's like taking the "shotgun approach": the attack simply keeps hitting the server looking for one thing, the correct login information for your WordPress site. Hackers will often infect other computer systems and then set them to attempt to log in to the WordPress Administrator. The illustration below shows graphically how the attack traffic can come from many locations and be mixed with normal website traffic. The attack can also come from just one location, but the method of trying to crack the login is the same: it simply goes through a sequential search for your login. Brute force attacks can also increase the resource usage of the website. Brute force attacks are therefore not only trying to crack through your security, they are also driving up resource usage while multiple attempts on the WordPress login are occurring.
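To make the "many locations mixed with normal traffic" point concrete, the following added example (not part of the original article) counts POST requests to wp-login.php in an access log, both per source address and site-wide. The Apache "combined" log format, the thresholds and the sample lines are assumptions; the sample traffic is constructed and uses documentation addresses.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def _line(ip, sec, method="POST", path="/wp-login.php"):
    # Builds one constructed line in Apache "combined" log format.
    return (f'{ip} - - [12/Apr/2013:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" 200 512 "-" "-"')

# Constructed sample traffic (documentation addresses, not real data).
SAMPLE_LOG = "\n".join(
    [_line("198.51.100.7", s) for s in range(6)]            # one noisy source
    + [_line(f"203.0.113.{i}", 10 + i + 10 * k)             # ten sources, two tries each
       for i in range(1, 11) for k in range(2)]
    + [_line("192.0.2.20", 40),                             # a normal login
       _line("192.0.2.10", 41, "GET", "/")]                 # a normal page view
)

def login_posts(log_text):
    """Return sorted (timestamp, ip) pairs for every POST to wp-login.php."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, method, path = m.groups()
        if method == "POST" and path.split("?")[0].endswith("/wp-login.php"):
            events.append((datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), ip))
    return sorted(events)

def noisy_sources(events, threshold=5):
    """Per-address view: addresses with at least `threshold` login POSTs."""
    counts = Counter(ip for _, ip in events)
    return {ip: n for ip, n in counts.items() if n >= threshold}

def peak_window(events, window=timedelta(seconds=60)):
    """Site-wide view: (most login POSTs in any window, distinct addresses in it)."""
    best, start = (0, 0), 0
    for end in range(len(events)):          # events must be sorted by time
        while events[end][0] - events[start][0] > window:
            start += 1
        count = end - start + 1
        if count > best[0]:
            best = (count, len({ip for _, ip in events[start:end + 1]}))
    return best

EVENTS = login_posts(SAMPLE_LOG)
```

On the sample, the per-address threshold reports only the single noisy source, while the site-wide window also exposes the twenty attempts spread over ten addresses that each stay under the threshold.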




Preventing WordPress Brute Force Attacks

Since users are no longer using WordPress as simply a blogging solution, owners of WordPress sites place less emphasis on user management, and this may also be a contributing factor to the problem. WordPress site administrators should regularly cycle their passwords and review their user lists to make sure that no one has been added who isn't supposed to be on the list, especially users added as Administrator-level users. There are also WordPress sites that do not require people to register to post comments or perform other actions on the website. To prevent unauthorized access we recommend the following:

  • Block access to wp-login.php using the .htaccess file by requiring an additional password
  • Block access to wp-login.php using the .htaccess file by allowing only a specific IP address or range of IP addresses
  • Find a plugin that prevents access to the login screen after a particular number of tries. The plugin should then enforce an interval of inaccessibility before the next login attempt is allowed.
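The lockout behaviour described in the third item, sketched as an added example (not code from the article or from any particular plugin). The class name, the per-address keying and the default limits are assumptions made for illustration; times are plain seconds so the logic can be replayed deterministically.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Lock an address out for `lockout` seconds after `max_tries`
    failed logins within `window` seconds (hypothetical helper)."""

    def __init__(self, max_tries=5, window=300, lockout=900):
        self.max_tries, self.window, self.lockout = max_tries, window, lockout
        self.failures = defaultdict(deque)   # ip -> times of recent failures
        self.locked_until = {}               # ip -> time the lockout ends

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is not None and now >= until:
            del self.locked_until[ip]        # the interval has elapsed
            until = None
        return until is not None

    def attempt(self, ip, password_ok, now):
        """Return 'locked', 'ok' or 'failed' for one login attempt."""
        if self.is_locked(ip, now):
            return "locked"                  # refused before the password is checked
        if password_ok:
            self.failures.pop(ip, None)      # a good login clears the history
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while now - recent[0] > self.window:
            recent.popleft()                 # forget failures older than the window
        if len(recent) >= self.max_tries:
            self.locked_until[ip] = now + self.lockout
            recent.clear()
        return "failed"

def replay(throttle, attempts):
    """Feed (ip, password_ok, time) tuples through the throttle in order."""
    return [throttle.attempt(ip, ok, t) for ip, ok, t in attempts]
```

Because the counter is kept per address, attempts spread across many addresses each start from zero.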


The first two methods, which use .htaccess, are recommended as they will help to prevent excessive resource usage. There is no guarantee of this with the plugin, unless the plugin can limit access no matter how many login attempts are being made. The following are examples of the .htaccess code for the two methods listed above.



.HTACCESS method to deny user login using additional password for wp-login access:


Note: The code below goes in the .htaccess file located in the folder where you have installed WordPress.


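# Ask for an extra username and password before wp-login.php is served
<FilesMatch "wp-login\.php$">
AuthName "WordPress"
AuthType Basic
# File holding the extra username and password
AuthUserFile /home/username/.htpasswd
Require valid-user
</FilesMatch>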






.HTACCESS method to deny user login using specific IP address or range of IP addresses:

Note: The code below needs to be in the .htaccess file located in the wp-admin folder. If you don't see one, create a blank text file, name it .htaccess, and save it in the wp-admin folder. Rules in that file apply to the wp-admin folder and everything under it.

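AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Admin Access Only"
AuthType Basic
# Apache 2.2 access-control syntax; Apache 2.4 needs mod_access_compat for these directives
# Deny everyone, then allow only the addresses listed below
order deny,allow
deny from all
# whitelist Admin 1 IP address
allow from xx.xx.xx.xxx
# whitelist Admin 2 IP address
allow from xx.xx.xx.xxx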




2013-04-09 3:47 am
I'm a newbie, and while the instructions above are somewhat helpful, step by step instructions would have been more helpful to me.

I can't determine from the information given here how to actually safeguard my logins by adding code to the htaccess folder (whatever that is).
2,132 Points
2013-04-09 3:53 pm
Thank you for your feedback!

You gave good suggestions. We will edit this article to contain steps for clarification. You should see it updated soon.

Best regards,
James R
2013-11-23 7:02 am
How to whitelist dynamic IP address? Mine is dynamic IP
2,342 Points
2013-11-25 5:48 pm
There is not a way to whitelist like this as your IP would be changing. You may, however, whitelist the current IP that you are using and adjust accordingly if it changes.
n/a Points
2015-03-05 6:58 am

Agree with comments posted 2 years ago - I need more specific instructions on where to place this code. Thanks,

12,339 Points
2015-03-05 10:40 pm
Hello greg,

Thank you for your comment. It should not matter where you put the rules in your .htaccess file.

But, since Apache reads from top down, it would not hurt to put it on the top of the file.

If you have any further questions, feel free to post them below.

Thank you,
