Securing WordPress website from brute force attacks

Part One – Protect your wp-login.php file and wp-admin area, following this simple set of instructions:


Three basic steps:

1. Create a hidden password file.
2. Generate a login and password and add it to the hidden password file.
3. Modify your site’s .htaccess file to require your hidden password when logging into WordPress.

Step 1 – Create a hidden password file

Using cPanel File Manager or FTP, log in to your hosting account and, in the root of your site, create a file called .htpasswd (make sure you put a period at the beginning of the filename, so that it is hidden by default).

Step 2 – Generate a login and password and add it to the hidden password file

1. Go to https://www.htaccesstools.com/htpasswd-generator/
2. Enter a username and password that you’ll use to protect the WordPress login.
3. Click Create .htpasswd file to hash your password.
4. htaccesstools.com will return a string of text that looks something like this: wandreata:$prt2$vqg/gY..$Yold9aipE63lrcSpr1CDf0
5. Open the .htpasswd file that you created in Step 1 above and paste in the .htpasswd entry you just created.

Step 3 – Modify your site’s .htaccess file to require your hidden password when logging into WordPress

Using cPanel File Manager or FTP, log in to your hosting account and open the .htaccess file in your public_html folder. Add the following at the top of the file:

# Protect wp-login
ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
<FilesMatch "wp-login.php">
AuthName "Authorized User Only"
AuthType Basic
AuthUserFile /home/yourserverdirectoryname/.htpasswd
require valid-user
</FilesMatch>

(Change yourserverdirectoryname to match your server’s root directory name; you should see it in cPanel in the top left section when you are in your root directory. Alternatively, check with your web host. The AuthUserFile path must point at the .htpasswd file you created in Step 1.)

There’s some useful help with cPanel on this website: https://www.hostinger.com/tutorials/htaccess/how-to-locate-htaccess-file-on-cpanel-file-manager

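As an added example (not part of the original page, and not the htaccesstools.com generator’s code), the Python below builds the same kind of .htpasswd line as Step 2 locally, in the Apache $apr1$ (MD5-crypt) format that htpasswd -m writes, and checks a password against an existing line. The username wp-gatekeeper, the password and the salt are constructed sample values; only the Python standard library is used.

```python
# Added example (not from the original page): build and verify an .htpasswd
# entry locally in Apache's "$apr1$" (MD5-crypt) format, so the password never
# has to be typed into a third-party web form.
import hashlib
import hmac
import secrets

APR1_MAGIC = b"$apr1$"
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SALT_CHARS = ITOA64.decode("ascii")


def _to64(value: int, count: int) -> bytes:
    """Encode `count` six-bit groups of `value`, least significant group first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def apr1_hash(password: str, salt: str) -> str:
    """Return '$apr1$<salt>$<hash>' for `password` (the apr_md5_encode algorithm)."""
    pw = password.encode("utf-8")
    sp = salt.encode("ascii")[:8]          # Apache keeps at most 8 salt characters
    ctx = hashlib.md5(pw + APR1_MAGIC + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    pl = len(pw)
    while pl > 0:                          # mix in the alternate digest, password-length bytes
        ctx.update(alt[:min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:                               # one byte per bit of the password length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                  # 1000 rounds of key stretching
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sp)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = b""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return "$apr1$" + sp.decode("ascii") + "$" + out.decode("ascii")


def htpasswd_entry(username: str, password: str, salt: str = "") -> str:
    """Return one 'user:$apr1$...' line ready to paste into .htpasswd."""
    if ":" in username:
        raise ValueError("username must not contain ':'")
    if not salt:
        salt = "".join(secrets.choice(SALT_CHARS) for _ in range(8))
    return f"{username}:{apr1_hash(password, salt)}"


def verify_entry(entry: str, username: str, password: str) -> bool:
    """Check a password against an existing .htpasswd line (constant-time compare)."""
    user, _, stored = entry.partition(":")
    if user != username or not stored.startswith("$apr1$"):
        return False
    salt = stored.split("$")[2]
    return hmac.compare_digest(apr1_hash(password, salt), stored)


if __name__ == "__main__":
    # "wp-gatekeeper" and the passphrase are constructed sample values.
    line = htpasswd_entry("wp-gatekeeper", "correct horse battery staple")
    print(line)
    print(verify_entry(line, "wp-gatekeeper", "correct horse battery staple"))
```

Run the script and paste the printed line into the .htpasswd file from Step 1. Where the htpasswd tool from apache2-utils is installed, `htpasswd -nB username` produces a bcrypt entry instead, which is the stronger choice on Apache 2.4; the apr1 form is shown here because every Apache version and shared host accepts it.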
Check attack logs (optional)

1. Add the WordPress plugin “WPS Limit Login”.
2. In the configuration, set up “Email to admin after 1 lockout”.
3. Whitelist your own IP address (get it from whatismyipaddress.org).
4. Add blacklist entries for IP addresses from any previous attacks.

The log on this plugin is a quick way to check for attacks. Apart from displaying the IP addresses used, it also displays whether an attack used the WordPress login page or an xmlrpc POST in attempting to break into the website.

Part Two – Disable your xmlrpc.php file

Using cPanel File Manager or FTP, log in to your hosting account and open the .htaccess file in your public_html folder. Add the following:

# BEGIN Disable XML-RPC.PHP
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
# END Disable XML-RPC.PHP

(See https://www.youtube.com/watch/?v=WiIaz-Ik3tE for more info and background.)

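The same check the plugin log gives you (the “Check attack logs” section above) can be run over the raw Apache access log, and that is also the quickest way to confirm that the Part Two block is taking effect: blocked xmlrpc.php requests show up as 403 instead of 200. The Python below is an added example, not part of the original page or of the WPS Limit Login plugin; the log lines, IP addresses (RFC 5737 documentation ranges) and the lockout threshold of 3 are constructed sample values.

```python
# Added example (not from the original page): scan Apache "combined" access-log
# lines for password-guessing traffic against wp-login.php and xmlrpc.php and
# report the source IPs that reach a lockout threshold.
import re
from collections import Counter, defaultdict

# Apache combined log format; referer and user-agent are not needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Paths that carry credentials, and the label the report uses for each.
TARGETS = {"/wp-login.php": "login", "/xmlrpc.php": "xmlrpc"}

# Constructed sample log (not real traffic); IPs are documentation addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:56:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:13:56:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:13:56:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:13:56:13 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "python-requests/2.31"
192.0.2.44 - - [10/Oct/2023:14:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:14:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:14:00:06 +0000] "GET /wp-admin/ HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return a dict with ip/time/method/path/status, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop query string (?action=lostpassword etc.)
    return rec


def classify(rec):
    """Return (vector, outcome) for a credential-carrying POST, else None."""
    vector = TARGETS.get(rec["path"])
    if vector is None or rec["method"] != "POST":
        return None
    status = rec["status"]
    if status in (401, 403):
        return vector, "blocked"     # rejected by the .htaccess rules from Parts One and Two
    if vector == "login" and status == 302:
        return vector, "success"     # WordPress redirects to wp-admin after a good login
    return vector, "attempt"         # 200: login form re-rendered, or xmlrpc.php answered the call


def find_attackers(log_text: str, threshold: int = 3, whitelist=frozenset()):
    """Return ({ip: {vector: attempts}} for IPs at/over threshold, {ip: blocked_count})."""
    attempts = defaultdict(Counter)
    blocked = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["ip"] in whitelist:   # whitelist = your own address
            continue
        result = classify(rec)
        if result is None:
            continue
        vector, outcome = result
        if outcome == "blocked":
            blocked[rec["ip"]] += 1
        elif outcome == "attempt":
            attempts[rec["ip"]][vector] += 1
    flagged = {ip: dict(c) for ip, c in attempts.items() if sum(c.values()) >= threshold}
    return flagged, dict(blocked)


if __name__ == "__main__":
    flagged, blocked = find_attackers(SAMPLE_LOG)
    for ip, counts in flagged.items():
        print(f"{ip}: {counts} unblocked attempts, {blocked.get(ip, 0)} blocked")
```

Feed it the real access log (for example `python3 wp_attack_log.py < access.log` after changing the `__main__` block to read stdin) and the flagged addresses are candidates for the plugin’s blacklist. A host that keeps answering xmlrpc.php POSTs with 200 after Part Two has been applied has not picked up the .htaccess change; on Apache 2.4 without mod_access_compat the `Order`/`Deny from all` directives are not understood, and `Require all denied` inside the same `<Files xmlrpc.php>` block is the 2.4 equivalent.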
Useful WordPress plugins

Widget Context

Show or hide widgets depending on the page/section of the site that is being viewed.

FooGallery

FooGallery is the most intuitive and extensible gallery management tool ever created for WordPress.

Duplicator

Duplicator gives WordPress administrators the ability to migrate, copy or clone a site from one location to another. The plugin also serves as a simple backup utility. If you need to move WordPress or back up WordPress, this plugin can help simplify the process.

Child Theme Configurator

Creating a child theme is a must for anyone who wants to make alterations to their theme’s stylesheet (style.css), functions, header, footer and other PHP pages without running the risk that the next update wipes out all of their modifications. The Child Theme Configurator provides a fast, easy and automated way to safely create a child theme. There is also a video guide that quickly takes you through the process.

Shortcodes Ultimate

Using Shortcodes Ultimate you can easily create columns, tabs, buttons, boxes, sliders and carousels, responsive videos and much more. It is a great way to add more design functionality to your chosen theme.