Part One – Protect your wp-login.php file and wp-admin area, following this simple set of instructions:
Three basic steps:
1. Create a hidden password file.
2. Generate a login and password and add it to the hidden password file.
3. Modify your site’s .htaccess file to require your hidden password when logging into WordPress.
Step 1 – Create a hidden password file
Using cPanel File Manager or FTP, login to your hosting account and, in the root of your site, create a file called .htpasswd. (make sure that you put a period at the beginning of the filename, so that it’s hidden by default).
Step 2 – Generate a login and password and add it to the hidden password file
- Go to https://www.htaccesstools.com/htpasswd-generator/
- Enter a username and password that you’ll use to protect the WordPress login.
- Click Create .htpasswd file to encrypt your password.
- .htaccesstools.com will return a string of text that looks something like this: wandreata:$prt2$vqg/gY..$Yold9aipE63lrcSpr1CDf0
- Open the .htpasswd file that you created in Step 1 above and paste in the .htpasswd entry you just created.
Step 3 – Modify your site’s .htaccess file to require your hidden password when logging into WordPress
Using cPanel File Manager or FTP, login to your hosting account and open the .htaccess file in your public_html folder: Add the following to the top of the file:
# Protect wp-login
ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
AuthName "Authorized User Only"
(Change yourserverdirectoryname to match your server’s root directory name – you should see it in cPanel in the top left section when you’re in your root directory. Alternatively, check with your web host)
There’s some useful help with cPanel on this website: https://www.hostinger.com/tutorials/htaccess/how-to-locate-htaccess-file-on-cpanel-file-manager
Check attack logs (optional)
Add WordPress plugin “WPS Limit Login”
In the configuration, set up “Email to admin after 1 lockout”
Whitelist your own IP address (get it from whatismyipaddress.org)
Add blacklist IP addresses from any previous attacks
The log on this plugin is a quick way to check for attacks. Apart from displaying IP addresses used, it also displays whether an attack was using the WordPress Login page or a xmlrpc post script in attempting to hack into the website.
Part 2 – Disable your xmlrpc.php file
Using cPanel File Manager or FTP, login to your hosting account and open the .htaccess file in your public_html folder: Add the following
# BEGIN Disable XML-RPC.PHP
Deny from all
# END Disable XML-RPC.PHP
(see https://www.youtube.com/watch/?v=WiIaz-Ik3tE for more info and background)