In today’s web, WordPress is used for full websites and not only for the blogging it was first made for, so there is a need to be on alert all the time. If you’re running a WordPress site, now would be a good time to make sure you are using a very strong password and that your username is not “admin.”
In 2013, a series of brute-force attacks was launched against WordPress sites across the globe, which raised an alarm among web hosting companies around the world. Today, more brute-force attacks are being carried out again by hackers using over 90,000 compromised servers (botnets).
First, let me explain what brute-force is.
Brute-force is a form of automated, continuous trial by hackers to gain access to a secured section of your site. They try many password combinations to guess your password. This can put heavy load on your server, which will slow down your website, or in some cases even get your site hacked.
WordPress brute-force attacks are directed at /wp-login.php (the login page). If successful, they will hijack your website.
If you are using any of our shared hosting plans, virtual servers or dedicated servers, you can implement the following security measure to protect your site from brute-force logins.
Go to your cPanel account and navigate to File Manager, select “show hidden files/folders” in the popup, then go to the directory where your WordPress site is installed (if it is on the main site, that will be /public_html, or /public_html/wp if you are using a sub-folder).
- Step 1: Create a “.htpasswd” file in the main WordPress folder (note the full-stop before htpasswd)
- Step 2: Choose a password and hash it in the MD5 (htpasswd) format together with a username, in the format below:
username: enter the username
password: choose a password that is hard to guess. You may use this service, http://www.htaccesstools.com/htpasswd-generator/, to generate the username and hashed password in the required format. Make sure you remember or store the password in a safe place.
- Step 3: Right-click on the .htpasswd file in the main WordPress folder and click Code Edit (to open the file in a web-based code editor). Then paste the generated line from Step 2 above (e.g. username:BY$8IpfCRILmgj7sjHipsKMm0) and click the Save button at the top right corner of the editor.
- Step 4: Go back to the main WordPress folder and edit the .htaccess file by right-clicking on it and choosing Code Edit again, just as you did above for .htpasswd. If there is no .htaccess file there already, you can create it as you did for .htpasswd in Step 1 above.
- Step 5: Carefully add the following code to the .htaccess file; DO NOT alter any other existing code in the file, to avoid errors on your site. Advisably, add it at the bottom of the file. Use straight double quotes (") exactly as shown; curly “smart” quotes pasted from a word processor will cause a server error.
ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
<FilesMatch "wp-login.php">
AuthName "Authorized Only"
AuthType Basic
AuthUserFile /home/{username}/.htpasswd
Require valid-user
</FilesMatch>
NOTE: You also need to change {username} in the above code to your cPanel username, e.g. “/home/fajiweb/.htpasswd”. AuthUserFile must be the full server path of the .htpasswd file you created in Step 1, so if you created it inside /public_html the path is “/home/{username}/public_html/.htpasswd”; if the path is wrong, Apache will return a server error on the login page instead of a password prompt.
Hit the Save Changes button and you’re done. This will protect your site from unauthorized access to the wp-login.php file. You may comment below if you have any challenge or wish to give us additional suggestions.
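For readers who would rather produce the .htpasswd entry from Step 2 locally instead of pasting a password into a web generator, here is an added Python example (my own code, not the post’s or the generator site’s) that creates and verifies an entry in Apache’s APR1-MD5 format, the “$apr1$” scheme that htpasswd -m writes; the function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Alphabet used by Apache's crypt-style base-64 encoding
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    # Emit `count` characters, 6 bits each, least significant bits first
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))

def apr1_md5(password, salt):
    """Return '$apr1$<salt>$<hash>', the format written by `htpasswd -m`."""
    pw, salt = password.encode(), salt[:8]  # Apache keeps at most 8 salt chars
    sb = salt.encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:  # mix in the alternate digest, 16 bytes per chunk of password
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:  # one byte per bit of the password length: NUL for 1, pw[0] for 0
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000 stretching rounds from the md5crypt design
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(sb)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    triples = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in triples)
    return f"$apr1${salt}${out}{_to64(final[11], 2)}"

def htpasswd_line(username, password):
    """One 'user:hash' line for .htpasswd with a fresh random 8-character salt."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{username}:{apr1_md5(password, salt)}"

def verify(password, stored):
    """Check a password against a '$apr1$salt$hash' entry using a constant-time compare."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False
    return hmac.compare_digest(apr1_md5(password, parts[2]), stored)
```

Paste the line returned by htpasswd_line into .htpasswd as in Step 3. If you have shell access, htpasswd -B (bcrypt) is the stronger choice, because MD5-based entries are quick to crack offline should the file ever leak.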
You can read more about this story on the TechCrunch website.
Ready to get web hosting with full WordPress support and protection? Click here.