Only last month, a huge, highly distributed brute-force attack against WordPress admin passwords appeared worldwide. Also known for using forged or spoofed IP addresses, the attack tries to crack your WordPress site by hammering the login page with password guesses.

If the attack comes back and you become one of its victims, locked out of your own server so that you cannot install plugins or tweak .htaccess, the last resort is to contact your web host immediately. They will be your real saviors, but understand as well that such attacks are not specific to WordPress and can happen to any site.


Measures You Can Take to Prevent Similar Attacks

There are two steps to follow in order to secure the wp-login.php file for all WordPress sites in your cPanel account. These measures will certainly help deter this type of attack. In outline: first define a username and password in the .wpadmin file, then activate the protection in the .htaccess file.

Step 1: Creating the Password File

Create a new file named .wpadmin and place it in your home directory, where your website visitors cannot access it. For example:

Example: /home/username/.wpadmin (where “username” is the cPanel username for the account.)

Put both the username and the encrypted password inside the .wpadmin file, in the format username:encryptedpassword

Example: gidon:n5MfEoHOIQkKg (where “gidon” is a username of your choice, and the password shown is encrypted.)

You can create the password entry using either of the options below:

A. Generating the password file and uploading it through File Manager: Use a good htpasswd generator to produce the username and encrypted password, then upload the result to your site via FTP or File Manager. The process is as follows:

  1. Visit: http://www.htaccesstools.com/htpasswd-generator/
  2. Use the form to create the username and password.
  3. Log in to cPanel in another window or tab.
  4. Click on File Manager.
  5. Select Home Directory.
  6. Check Show Hidden Files (dotfiles) if it is not already checked.
  7. Click on the Go button.
  8. Look for a .wpadmin file.
  9. Paste the line generated by the website in step 2.
  10. Click on the Save Changes button when complete.
  11. Close the file when finished.

B. Creating the password file through SSH / command line: To create the encrypted password over SSH you need the command-line program htpasswd, for example: htpasswd -c /home/username/.wpadmin gidon

After you run the command, you are prompted for the password that the user “gidon” will need in order to reach the wp-login page. Once that is done, you can log into the wp-admin interface as you normally would.

Step 2: Updating the .htaccess File

All domains under the home directory share the same .wpadmin file. To put your username and password into effect, the last and most important step is to place the following code in the /home/username/.htaccess file, and you are done.

[Image: WordPress .htaccess file]
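The .htaccess directives in the original post are shown only as an image. The following is an added example, not the post's own code: it builds a .wpadmin line in the {SHA} format that htpasswd -s writes, checks a password against it, and renders the Basic-auth block that restricts wp-login.php to users in that file. The AuthName prompt text, the sample password and the temporary directory standing in for /home/username are assumptions.

```python
"""Added example: build a .wpadmin entry and the matching .htaccess block."""
import base64
import hashlib
import hmac
import tempfile
from pathlib import Path

AUTH_FILE = "/home/username/.wpadmin"  # path from the post; adjust to your cPanel user


def htpasswd_entry(user: str, password: str) -> str:
    """Return a 'user:{SHA}...' line, the format written by `htpasswd -s`.

    {SHA} is unsalted SHA-1, used here only because it needs nothing beyond the
    standard library; prefer `htpasswd -B` (bcrypt) where the host supports it.
    """
    if not user or ":" in user:
        raise ValueError("username must be non-empty and contain no ':'")
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def verify_entry(entry: str, password: str) -> bool:
    """Check a password against one .wpadmin line with a constant-time compare."""
    user, _, stored = entry.partition(":")
    if not stored.startswith("{SHA}"):
        return False  # other schemes (crypt, MD5, bcrypt) are not handled here
    candidate = htpasswd_entry(user, password).partition(":")[2]
    return hmac.compare_digest(candidate, stored)


def render_htaccess(auth_file: str) -> str:
    """Apache directives that require a .wpadmin login for wp-login.php only."""
    return (
        "<Files wp-login.php>\n"
        "AuthType Basic\n"
        'AuthName "Restricted wp-login"\n'  # prompt text is an assumption
        f"AuthUserFile {auth_file}\n"
        "Require valid-user\n"
        "</Files>\n"
    )


if __name__ == "__main__":
    home = Path(tempfile.mkdtemp())  # stands in for /home/username in this demo
    (home / ".wpadmin").write_text(htpasswd_entry("gidon", "s3cret-pass") + "\n")
    (home / ".htaccess").write_text(render_htaccess(AUTH_FILE))
    print((home / ".wpadmin").read_text(), (home / ".htaccess").read_text(), sep="")
```

If you generate the file with htpasswd as in option B instead, note that -c creates or overwrites the file, so omit it when adding a second user.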