WordPress Brute Force Attack

If you have a website or blog that is running on WordPress, this will affect you. 

There is a very widespread Brute Force Attack targeting WordPress installations across the globe. It affects WordPress installations at any and every hosting provider, not just ours. 


Here are a few tips we recommend you follow to prevent your WordPress website from falling victim to this attack:- 

Set A Very Strong Password

Change your WordPress admin password to a very strong password that is not easily guessed. 

Here are the recommendations from WordPress:- http://codex.wordpress.org/Hardening_WordPress#Passwords 

Rename Your Admin Username

WordPress usually sets the default administrative username to “admin”. 

We suggest you rename this to something that is not easily guessed. 

There are two ways to achieve this:- http://codex.wordpress.org/Hardening_WordPress#Security_through_obscurity 

Password Protect Your “wp-admin” Directory & “wp-login.php” File

The best way to protect against Brute Force Attacks is to prevent attackers from even reaching your login page in the first place. 

This can be achieved by using the “Directory Privacy” (formerly known as “Password Protect Directory”) feature in your cPanel. 

Securing only the “wp-admin” directory is not enough, as an attacker can still reach your WordPress login page through the “wp-login.php” file in the root directory of your WordPress installation. 

To easily secure the “wp-login.php” file, simply follow the steps below:-

  1. Use the cPanel File Manager or your FTP client.
  2. Navigate to the “wp-admin” directory (the one you already protected with Directory Privacy).
  3. Open the “.htaccess” file and copy its contents from “AuthType Basic” through “require valid-user”.
  4. Navigate to the root directory of the WordPress installation (your main directory for WordPress) and open its “.htaccess” file.
  5. Type in <FilesMatch "wp-login.php"> on a new line below “# END WordPress” (use straight double quotes, not curly ones, or Apache will not parse the line).
  6. Paste the copied contents on a new line.
  7. Type in </FilesMatch> below the pasted content.
  8. Save the file.
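The following is an added example, not part of the original advisory: a small POSIX shell script that performs steps 3 to 7 above for you. It copies the “AuthType Basic” through “require valid-user” block from the wp-admin “.htaccess” that Directory Privacy generated, wraps it in a FilesMatch block for “wp-login.php”, and inserts it directly below “# END WordPress” in the root “.htaccess”. The demo directory tree, the sample .htaccess contents and the “/home/EXAMPLE_USER/...” path are constructed placeholders; on a real account you would pass the paths of your own wp-admin and root .htaccess files to protect_wp_login.

```shell
#!/bin/sh
# Added example, not from the original advisory.
# Protect wp-login.php with the same HTTP Basic Auth settings cPanel's
# Directory Privacy feature already wrote into wp-admin/.htaccess.
set -eu

# Print the lines from "AuthType Basic" through "require valid-user" (inclusive)
# found in the wp-admin .htaccess given as $1.
extract_auth_block() {
    awk '/^AuthType Basic/{p=1} p{print} /^[Rr]equire valid-user/{p=0}' "$1"
}

# $1 = wp-admin/.htaccess, $2 = WordPress root .htaccess.
# Appends a <FilesMatch "wp-login.php"> block right after "# END WordPress".
# Does nothing if the root file already contains such a block.
protect_wp_login() {
    admin_htaccess="$1"
    root_htaccess="$2"
    if grep -q 'FilesMatch "wp-login.php"' "$root_htaccess"; then
        echo "wp-login.php is already protected in $root_htaccess" >&2
        return 0
    fi
    block="$(extract_auth_block "$admin_htaccess")"
    if [ -z "$block" ]; then
        echo "no AuthType block found in $admin_htaccess (protect wp-admin first)" >&2
        return 1
    fi
    tmp="$(mktemp)"
    awk -v blk="$block" '
        { print }
        /^# END WordPress/ && !done {
            print ""
            print "<FilesMatch \"wp-login.php\">"
            print blk
            print "</FilesMatch>"
            done = 1
        }' "$root_htaccess" > "$tmp"
    mv "$tmp" "$root_htaccess"
}

# Demo on a constructed WordPress tree in a temporary directory; prints the
# resulting root .htaccess. Running protect_wp_login twice shows the
# duplicate guard: the block is only inserted once.
demo() {
    dir="$(mktemp -d)"
    mkdir -p "$dir/wp-admin"
    # Constructed sample of what Directory Privacy writes (path is a placeholder).
    cat > "$dir/wp-admin/.htaccess" <<'EOF'
AuthType Basic
AuthName "Restricted Area"
AuthUserFile "/home/EXAMPLE_USER/.htpasswds/public_html/wp-admin/passwd"
require valid-user
EOF
    # Constructed sample of the default WordPress root .htaccess.
    cat > "$dir/.htaccess" <<'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF
    protect_wp_login "$dir/wp-admin/.htaccess" "$dir/.htaccess"
    protect_wp_login "$dir/wp-admin/.htaccess" "$dir/.htaccess"
    cat "$dir/.htaccess"
    rm -rf "$dir"
}

demo
```

After the script runs, a request for wp-login.php is answered with an HTTP 401 challenge until the visitor supplies the Directory Privacy username and password, so automated login attempts never reach WordPress itself. Keep a copy of the original root .htaccess before running it against a live site, and verify with a browser that both wp-admin and wp-login.php now prompt for credentials.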