WordPress Bruteforce Protection

In recent months, we have seen an increase in attempts by third parties to log into customers WordPress sites via the wp-login.php and xmlrpc.php pages.  They are using Brute Force attempts to do this by sending significant numbers of requests to the page with different passwords hoping to get the right combination and gain access.

Unfortunately, as the server processes each of these requests, we are seeing significant increases in resource usage as the server processes each request via PHP.

In order to reduce the usage levels, we would recommend placing an additional layer of protection into place on these files, meaning that the webserver processes the request first and as they cannot get past the first stage of protection, the server does not load the PHP pages at all.  Obviously, if you have the correct username and password, you will still be able to access your wp-login.php page.

Below is a step by step approach of how to do this yourself:

Firstly, within your public_html directory create (or edit if there is already one) a text file named .htaccess (this may be a hidden file so please check you have hidden files displayed)

Paste the following into your .htaccess file:

ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
<FilesMatch "wp-login.php">
AuthName "Authorized Only"
AuthType Basic
AuthUserFile /home/cPanelUSER/.htpasswd
require valid-user


 Please change the cPanelUSER to your cPanel username

 Save this document.

Then please go to the root folder (/home) and create a file called .htpasswd

 You will need to generate a username and password that will be used for your protection, you can do this here: https://www.penguin-uk.com/htpasswd.php

 Paste the result into your .htpasswd file and save the file.  This will now enable you to use your login details for the password protection before getting to your wp-login.php page.

You can do the same for xmlrpc.php by changing wp-login.php for xmlrpc.php in the .htaccess file.

If you need further assistance, please do contact our Support Team who will be able to assist you further.



  • 3 Users Found This Useful
Was this answer helpful?

Related Articles

What is a website exploit?

The majority of websites now run code on them which makes them interactive. The most commonly...

My website has been exploited - what can I do?

Our servers run a number of automated security systems, one of which performs the equivalent...

My mailbox has been exploited - what can I do?

We regularly monitor all activity across our servers and if we detect any abnormal activity on a...

My website shows 'Not Secure'

Why does my website show ‘Not Secure’? Within the last year browsers have been making changes in...