In recent months, we have seen an increase in attempts by third parties to log into customers' WordPress sites via the wp-login.php and xmlrpc.php pages. These are brute-force attempts: large numbers of requests are sent to the page with different passwords in the hope of hitting the right combination and gaining access.
Unfortunately, because the server has to run PHP for every one of these requests, we are seeing significant increases in resource usage.
To reduce this load, we recommend placing an additional layer of protection on these files, so that the web server checks the request first; a request that fails this first check is rejected before the PHP page is loaded at all. If you have the correct username and password for this layer, you can still reach your wp-login.php page as normal.
Below is a step-by-step guide to doing this yourself:
Firstly, within your public_html directory create (or edit, if one already exists) a text file named .htaccess (this may be a hidden file, so please check that you have hidden files displayed).
Paste the following into your .htaccess file:
ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
<Files wp-login.php>
AuthName "Authorized Only"
AuthType Basic
AuthUserFile /home/cPanelUSER/.htpasswd
Require valid-user
</Files>
Please change cPanelUSER to your cPanel username, so that AuthUserFile points at the .htpasswd file you create in the next step.
Save this document.
Then please go to the root folder of your account (/home) and create a file called .htpasswd.
You will need to generate a username and password entry that will be used for this protection; you can do this here: https://www.penguin-uk.com/htpasswd.php
Paste the result into your .htpasswd file and save the file. Your new login details will now be requested for the password protection before you reach your wp-login.php page.
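As an added example (not part of the original article or the generator linked above), the following Python builds an .htpasswd entry in Apache's `{SHA}` format (what `htpasswd -s` writes), checks a username and password against a pasted file the way the server would, and flags lines that are not in a recognised hashed form, so a malformed paste is caught before it is deployed. The username and password values are constructed for the example. `{SHA}` is an unsalted scheme; where the `htpasswd` command is available, `htpasswd -B` (bcrypt) is the better choice, and this script only treats such entries as "recognised" without verifying them.

```python
import base64
import hashlib
import hmac

# Constructed sample values for this example (not from the original article).
SAMPLE_USER = "wpgate"
SAMPLE_PASSWORD = "correct-horse-battery"

# Prefixes Apache's mod_authn_file understands as hashed passwords.
RECOGNISED_PREFIXES = ("{SHA}", "$apr1$", "$2y$", "$2a$", "$2b$")


def sha_hash(password: str) -> str:
    """Apache '{SHA}' scheme: base64 of the raw SHA-1 digest of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_entry(user: str, password: str) -> str:
    """Build one .htpasswd line. ':' is the field separator, so it is not allowed in a username."""
    if not user or ":" in user:
        raise ValueError("username must be non-empty and must not contain ':'")
    return f"{user}:{sha_hash(password)}"


def parse_htpasswd(text: str) -> dict:
    """Map username -> stored value, skipping blank lines and '#' comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        entries[user] = stored
    return entries


def verify(text: str, user: str, password: str) -> bool:
    """Check user/password against the file contents.

    Only {SHA} entries are verified here; any other scheme (or an unknown user)
    returns False rather than guessing, and the comparison is constant-time."""
    stored = parse_htpasswd(text).get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    return hmac.compare_digest(stored, sha_hash(password))


def weak_entries(text: str) -> list:
    """Usernames whose stored value carries no recognised hash prefix (e.g. a plaintext paste)."""
    return [u for u, stored in parse_htpasswd(text).items()
            if not stored.startswith(RECOGNISED_PREFIXES)]


if __name__ == "__main__":
    entry = make_entry(SAMPLE_USER, SAMPLE_PASSWORD)
    print("line to paste into .htpasswd:", entry)
    print("correct password accepted:", verify(entry, SAMPLE_USER, SAMPLE_PASSWORD))
    print("wrong password rejected:", not verify(entry, SAMPLE_USER, "guess"))
    print("suspicious entries:", weak_entries(entry + "\nold:plaintext-password"))
```

Run the script and paste the printed line into .htpasswd; the `weak_entries` check is worth running over the whole file once it is in place, since a line pasted without its hash would let Apache compare the password against a plaintext value.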
You can do the same for xmlrpc.php by changing wp-login.php for xmlrpc.php in the .htaccess file.
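If you want to protect both files with a single block rather than repeating the directives, the following .htaccess fragment is an added example (not from the original article) that uses FilesMatch; replace cPanelUSER with your cPanel username exactly as above. Requests that fail this check are answered with a 401 by the web server and never reach PHP, so failed attempts appear in the access log as 401 responses for these two files, which is a convenient place to watch for ongoing attempts.

```apache
# Added example: one authentication block covering wp-login.php and xmlrpc.php.
<FilesMatch "^(wp-login|xmlrpc)\.php$">
    AuthType Basic
    AuthName "Authorized Only"
    AuthUserFile /home/cPanelUSER/.htpasswd
    Require valid-user
</FilesMatch>
```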
If you need further assistance, please do contact our Support Team who will be able to assist you further.