[Originally posted on the old Ethical Internet website]
Please complete all five of the steps below to protect your WordPress website from brute force attacks.
- For security and for the following steps to be successful, it’s essential that you ensure your WordPress is completely up to date – this includes the WordPress core files, plugins and any themes. Backup your files and database then use the normal WordPress Updates dashboard page to apply all available updates.
- Now that you’re running the latest version of WordPress, install the following plugin: https://wordpress.org/plugins/wps-hide-login/. You can do this quickly and easily from within your WordPress dashboard – click “Plugins” > “Add New”. Once there, just type “WPS Hide Login” in the search box:
Click “Install Now”, confirm the warning message and let the installation run.
- Once WordPress completes the installation of the plugin, click “Activate Plugin”.
- You will be redirected to the plugins page. Click ‘Settings’ on the left, and then scroll to the bottom of the main WordPress settings page. Look for the option “Login url”. There you will see your blog’s web address and a field you need to fill in to set up your new login URL. In this case, I chose “bloglogin” – we recommend choosing something unique that you will remember.
Make sure you take note of the new address. To activate it, click on “Save Changes”. Simple!
- There’s one extra step to take, because every visit to the old /wp-login.php file will now cause WordPress to generate a 404 Page Not Found page. Add the following code to the top of the .htaccess file in the directory that contains your WordPress installation. This can be done via FTP, or via the File Manager in cPanel – just be sure to check the ‘Show Hidden Files’ option so you can see the .htaccess file.
<Files wp-login.php>
Deny from All
ErrorDocument 403 "Forbidden"
</Files>
The above code blocks all requests to the wp-login.php file, which no legitimate visitor should request now that the login URL has been changed. This protects your site both by preventing login attacks against your WordPress installation(s) and by reducing the number of PHP executions the server has to process.
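The legacy `Deny from All` syntax only works on Apache 2.2, or on 2.4 when mod_access_compat is loaded; on a plain Apache 2.4 host it causes a 500 error. This added example (not from the original post) is a version of the same wp-login.php block that selects the right syntax for either server; it assumes the file is the .htaccess at the WordPress root and that the host’s AllowOverride setting permits Limit and AuthConfig directives there.

```apache
# Added example, not from the original post: block direct requests to
# wp-login.php on both Apache 2.2 and Apache 2.4.
# Assumes this lives in the .htaccess at the WordPress root and that
# AllowOverride allows Limit and AuthConfig directives in .htaccess.
<Files "wp-login.php">
    # Apache 2.4: mod_authz_core syntax
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 (or 2.4 with mod_access_compat loaded): legacy syntax
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
    # Return a plain "Forbidden" body instead of the default 403 page
    ErrorDocument 403 "Forbidden"
</Files>
```

After saving, request /wp-login.php in a browser and confirm you get a 403 rather than the WordPress 404 page, then confirm your new login URL still loads.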
If you’re not familiar with editing the .htaccess file, here is how to do this via File Manager in cPanel:
a. Log into your cPanel account.
b. Click on the File Manager icon.
c. A small window should pop up on the screen: select the ‘Web Root’ directory, make sure the ‘Show Hidden Files’ option is checked and click the ‘Go’ button.
e. Click the .htaccess file to highlight it, then select the ‘Edit’ button. Click the ‘Edit’ button again in the window that pops up.