If you aren’t securing your wp-login.php page, you could be in for a rude awakening.

See that image up there? That’s a log from iThemes Security for this very website you’re viewing to read this article, chock full of brute force attempts – 1148 of them to be exact. They started 6 days ago, roughly 48 hours after my WordPress website went live – and it’s not uncommon for this kind of activity to happen, so are you protected?


What is a brute force attack?

So what exactly is a brute force attack and why should you care? Let’s use an analogy.

Say you have a door that you want to go through, but it is locked. To enter the room you have to give the right combination of secret phrases (e.g. username and password). You are determined to enter so you use the most common combination you can think of – admin | admin. Didn’t work, so you try admin | password, no dice. You continue throwing out combinations in hopes that one will finally work for you.

This is a brute force attack: continuously trying different combinations of usernames and passwords until one works – and I bet you can already (hopefully) see the problem with this. A regular person isn’t going to be doing this by hand; it’s going to be a computer reading through a list of usernames and passwords (aka wordlists) and repeatedly sending login attempts to your WordPress site’s wp-login page.


Why does this matter?

There are roughly 455 million WordPress websites around the internet (~30% of the total websites that exist), so they make a great target for these types of attacks. In fact, more than 70% of WordPress installations are vulnerable to attacks. The most common problem is lazy admins who don’t change the default username for their WordPress login – this takes out a lot of the guesswork when planning an attack on a WordPress website. Let me ask you this:

  1. Is your password found in a dictionary?
  2. Do you use the same password on multiple websites?
  3. Is your password just password?

If you answered yes to any of those, change your password right now – please.


So how do you secure your WordPress login?

For this example I am using AWS Lightsail’s Bitnami WordPress instance. If you are on a different host you will need to adjust how you reach your WordPress instance (and possibly the file paths), but the configuration you add is the same.

So now that you understand what can happen to your precious WordPress website, let’s talk about securing it. I’m using Amazon Web Services (AWS) Lightsail for my website, but there are many great WordPress hosts out there.

  1. Login to your AWS Lightsail console by visiting: https://lightsail.aws.amazon.com/
  2. Once you’re there you will see your WordPress instance, click the terminal icon to open an SSH session (or use your preferred SSH client)


3. Once your SSH session opens, enter the following at the command line and press enter:

cd /opt/bitnami/apps/wordpress/conf/

4. Your prompt should now show that you are in this directory (bitnami is the default SSH user on these instances):

bitnami@{your WP instance IP}:/opt/bitnami/apps/wordpress/conf$

5. Enter the following and press enter to edit the htaccess.conf file with VIM. If you are unfamiliar with how to use VIM, I would highly suggest the 8 minute tutorial by Maricris Bonzo (aka Vim Girl) on FreeCodeCamp’s YouTube Page.

vim htaccess.conf

6. Below is a screenshot of what you should see (yours may vary slightly):

7. Press the INSERT key on your keyboard; this puts VIM into insert mode so you can add to the file. Go to the bottom of the file, below the last </Directory>, and right-click > paste the following snippet, replacing the x’s with your IP.

# Restrict only the login script; the rest of the site stays public
<Directory /opt/bitnami/apps/wordpress/htdocs/>
<Files wp-login.php>
Order Deny,Allow
# Deny everyone, then allow only the listed address (add one Allow line per IP)
Deny from all
Allow from x.x.x.x
</Files>
</Directory>

8. Once you have that entered, press ESCAPE and then :wq and press enter. This will write your changes to the htaccess.conf file and close vim.

9. At this point, go back to your AWS Lightsail console and reboot your WordPress instance. Your wp-login page is no longer accessible from outside the provided IP address. If you need to add more addresses, simply add another Allow from x.x.x.x line.

10. If you lock yourself out of the wp-login page through a typo in the IP address, simply reconnect to your AWS instance via SSH, edit the htaccess.conf file, and reboot the instance once more.

🎉 And that’s it! 🎉

You have successfully locked down the wp-login page on your WordPress instance so that nobody outside the allowed IP address / range can reach it, and you are one step closer to a hardened WordPress website. But your efforts should not stop here; I would highly recommend you get a complete site security check through the iThemes Security Plugin. (Not affiliated or endorsed, just a sincere opinion on a great resource.)
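To see the same picture the iThemes log above shows, and to check what the Allow from list would still let through, here is an added example (my own script, not from the article, Bitnami or iThemes) that counts POSTs to wp-login.php per client IP in Apache access-log lines and evaluates an allow list against them. The log lines, the IPs and the threshold of 3 are constructed for the demo; note it also counts xmlrpc.php, which accepts credentials too and is not covered by the <Files wp-login.php> block.

```python
"""Count login POSTs per client IP in an Apache access log and test an 'Allow from' list."""
import ipaddress
import re
from collections import Counter

# Apache combined log format: ip ident user [time] "METHOD path proto" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not the article's iThemes log): 203.0.113.7 hammers
# wp-login.php and xmlrpc.php, 198.51.100.4 is the legitimate admin.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2020:14:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:14:02:12 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:14:02:13 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:14:02:14 +0000] "POST /xmlrpc.php HTTP/1.1" 200 417 "-" "python-requests/2.22"
198.51.100.4 - - [10/Mar/2020:14:05:40 +0000] "GET /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2020:14:05:52 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def login_attempts(log_text, path="/wp-login.php"):
    """Return a Counter of POSTs to `path` (query string ignored) per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?", 1)[0] == path:
            counts[m["ip"]] += 1
    return counts

def brute_force_sources(log_text, threshold=3):
    """IPs with at least `threshold` login POSTs, most active first."""
    return [ip for ip, n in login_attempts(log_text).most_common() if n >= threshold]

def allowed_by(allow_list, ip):
    """Mimic 'Deny from all' + 'Allow from ...' for plain IPs or CIDR entries."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in allow_list)

def still_admitted(log_text, allow_list, path="/wp-login.php"):
    """Login-attempting IPs that the allow list would still let reach `path`."""
    return sorted(ip for ip in login_attempts(log_text, path) if allowed_by(allow_list, ip))

if __name__ == "__main__":
    allow = ["198.51.100.4"]  # your own address, as in the 'Allow from x.x.x.x' line
    print("brute-force sources:", brute_force_sources(SAMPLE_LOG))
    print("still admitted after lockdown:", still_admitted(SAMPLE_LOG, allow))
```

Point it at /opt/bitnami/apache2/logs/access_log (the Bitnami Apache log location) to run it against real traffic, and pass "/xmlrpc.php" as the path to see attempts the wp-login.php block does not stop.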
