Securing WordPress website from brute force attacks

Part One – Protect your wp-login.php file and wp-admin area, following this simple set of instructions:


Three basic steps:

1. Create a hidden password file.
2. Generate a login and password and add it to the hidden password file.
3. Modify your site’s .htaccess file to require your hidden password when logging into WordPress.

 

Step 1 – Create a hidden password file

Using cPanel File Manager or FTP, log in to your hosting account and, in the root of your site, create a file called .htpasswd (make sure that you put a period at the beginning of the filename, so that it’s hidden by default).

 

Step 2 – Generate a login and password and add it to the hidden password file

  1. Go to https://www.htaccesstools.com/htpasswd-generator/
  2. Enter a username and password that you’ll use to protect the WordPress login.
  3. Click Create .htpasswd file to hash your password.
  4. .htaccesstools.com will return a string of text that looks something like this: wandreata:$prt2$vqg/gY..$Yold9aipE63lrcSpr1CDf0
  5. Open the .htpasswd file that you created in Step 1 above and paste in the .htpasswd entry you just created.

Step 3 – Modify your site’s .htaccess file to require your hidden password when logging into WordPress

Using cPanel File Manager or FTP, log in to your hosting account and open the .htaccess file in your public_html folder. Add the following to the top of the file:

# Protect wp-login
ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
<FilesMatch "wp-login.php">
AuthName "Authorized User Only"
AuthType Basic
AuthUserFile /home/yourserverdirectoryname/.htpasswd
require valid-user
</FilesMatch>

(Change yourserverdirectoryname to match your server’s root directory name – you should see it in cPanel in the top left section when you’re in your root directory. Alternatively, check with your web host)

There’s some useful help with cPanel on this website: https://www.hostinger.com/tutorials/htaccess/how-to-locate-htaccess-file-on-cpanel-file-manager

 

Check attack logs (optional)

  • Add the WordPress plugin “WPS Limit Login”
  • In the configuration, set up “Email to admin after 1 lockout”
  • Whitelist your own IP address (get it from whatismyipaddress.org)
  • Add blacklist IP addresses from any previous attacks

The log in this plugin is a quick way to check for attacks. Apart from displaying the IP addresses used, it also shows whether an attack was using the WordPress login page or an xmlrpc.php POST in attempting to hack into the website.
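The same two endpoints can be watched in the raw web-server access log, independently of any plugin. The following Python is an added example, not part of this page or of WPS Limit Login: it assumes Apache's combined log format and flags any source that POSTs to wp-login.php or xmlrpc.php more than a threshold number of times within a sliding window, using constructed sample lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" access-log format is assumed (cPanel "Raw Access" logs use it).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TARGETS = {"/wp-login.php": "wp-login", "/xmlrpc.php": "xmlrpc"}

def parse_line(line):
    """Return (ip, target, timestamp) for a POST to a login endpoint, else None."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "POST":
        return None
    path = m.group("path").split("?", 1)[0]
    if path not in TARGETS:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), TARGETS[path], ts

def find_brute_force(lines, threshold=5, window=timedelta(minutes=5)):
    """Map (ip, target) -> total POSTs for sources exceeding threshold POSTs inside any window."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev[:2]].append(ev[2])
    flagged = {}
    for key, times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop events older than the window
                start += 1
            if end - start + 1 > threshold:
                flagged[key] = len(times)
                break
    return flagged

def sample_log():
    """Constructed sample lines (not a real server): a wp-login hammer, a slow xmlrpc probe, one real login."""
    fmt = '{ip} - - [10/Mar/2024:14:{m:02d}:{s:02d} +0000] "POST {p} HTTP/1.1" {st} 512 "-" "Mozilla/5.0"'
    lines = [fmt.format(ip="203.0.113.9", m=2, s=s, p="/wp-login.php", st=200) for s in range(0, 60, 10)]
    lines += [fmt.format(ip="198.51.100.7", m=m, s=0, p="/xmlrpc.php", st=403) for m in range(9)]
    lines.append(fmt.format(ip="192.0.2.44", m=5, s=30, p="/wp-login.php", st=302))
    lines.append('192.0.2.44 - - [10/Mar/2024:14:05:31 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"')
    return lines
```

The xmlrpc probe is caught even though it is slow (one request a minute) because the window is sliding, while the single legitimate login is never flagged.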

 

Part Two – Disable your xmlrpc.php file

Using cPanel File Manager or FTP, log in to your hosting account and open the .htaccess file in your public_html folder. Add the following:

# BEGIN Disable XML-RPC.PHP
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
# END Disable XML-RPC.PHP

(see https://www.youtube.com/watch/?v=WiIaz-Ik3tE for more info and background)

 

Managing cookies in Chrome

Chrome, by default, allows cookies to be set by all websites. We advise installing the “Vanilla Cookie Manager” extension so that you can control which websites can save their cookies on your system. You only really need to allow cookies from sites that you want to interact with, such as sites that you need to log in to for shopping, banking, webmail, Facebook, etc.

Installing Vanilla Cookie Manager
  • Open Chrome
  • Tools > Extensions
  • Click “Get more extensions”
  • In the search box, type Vanilla Cookie Manager
  • In the resulting page, click the “Add to Chrome” button and click Add in the confirmation box.
  • Close the extension tab

 

How to use Vanilla Cookie Manager

Once this extension is installed, an icon is added on the right-hand side of the address bar, next to the favourites star icon.

[Image: Vanilla Cookie Manager icon – unlisted site (website not in whitelist)]

Clicking the icon provides a dialog for quickly adding the current site to the whitelist. It also gives an option to delete unwanted cookies (any that are not related to your whitelist).

 

[Image: Vanilla Cookie Manager icon – website is whitelisted]

After adding a site to your whitelist, the diagonal line through the icon disappears, indicating that you have allowed cookies for that website.

 

Right-clicking the icon provides further options for managing your whitelist.

Managing cookies in Firefox

Firefox, by default, allows cookies to be set by all websites. We advise installing the “Cookie Whitelist” extension so that you can control which websites can save their cookies on your system. You only really need to allow cookies from sites that you want to interact with, such as sites that you need to log in to for shopping, banking, webmail, Facebook, etc.

Installing Cookie Whitelist
  • Open Firefox
  • Tools > Add-ons
  • In the Search box at the top right of the page, type cookie whitelist
  • Find “Cookie Whitelist, With Buttons” (if you don’t see it, click See all results at the bottom) and click the “Add to Firefox” button next to it
  • You will be presented with a box – click the Install button when it’s ready
  • Restart Firefox

 

How to use the Cookie Whitelist buttons

Once this extension is installed, two buttons are added to the top of your browser to allow easy control over cookies.

[Image: Cookie Whitelist buttons]

 

 

The Add (+) button opens a dialog for quickly adding the current site to the whitelist. Green indicates that the site is not yet listed in the whitelist; grey indicates it has already been added and can set cookies.

The Record (red) button allows Firefox to temporarily accept cookies from any site not on the whitelist. These cookies will be deleted when Firefox is closed. This makes it much easier to deal with the occasional sites that refuse to work without cookies.

Right-clicking on either of the buttons enables you to manage your whitelist and any currently stored cookies. It also allows you to choose whether or not to allow third-party cookies (best to generally say no to these, although you may need them for a small number of sites; trial and error prevails here, I’m afraid!)