The wp-login.php file

The wp-login.php file is the file WordPress uses to let you log in to the WordPress Admin area of your site. WordPress powers over 33% of the sites on the internet and there are almost 25 million WordPress sites based on data from BuiltWith. This means it's a popular target for hackers.

If your site's resource usage is spiking, load times are slowing down or you're getting "508 Resource Limit is Reached" errors, then there's a good chance that your site is under a brute force password attack. In one of these attacks, a hacker (or group of hackers) is attempting to log in to your WordPress admin area by testing a whole lot of passwords until they find the right one. Think of it like the digital equivalent of using a lock picking machine.

There are a number of ways to help protect your site against brute force password attempts, including plugins that rename the wp-login file and block the IPs of people who are trying to log in with incorrect details, but in this guide, we'll focus on one method - editing your site's .htaccess file.

1. Log into cPanel.

2. Open the File Manager.

3. Click on the Settings icon in the top right corner

4. Tick the box to "Show Hidden Files (dotfiles)" and then click Save

5. Click on the .htaccess file once, and then click Edit in the toolbar

6. Click the Edit button on the window that appears

7. Add the lines below at the bottom of the file, replacing "username" with your cPanel account's username:

IMPORTANT: You must replace "username" with your cPanel account's username for this to work.

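# Require HTTP Basic authentication before wp-login.php is served.
# The pattern is a regular expression: anchor it and escape the dot so it matches only this file.
<FilesMatch "^wp-login\.php$">
AuthType Basic
AuthName "Secure Area"
# Full path to the password file created in the steps below.
AuthUserFile /home/username/public_html/.htpasswd
Require valid-user
</FilesMatch>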

8. Click the "Save Changes" button in the top right hand corner.

9. Click the "+ File" button on the toolbar to create a new file.

10. Call the new file ".htpasswd" (without quotes) - note the dot at the start - and then click Create New File.

11. Click on the new .htpasswd file once, and then click Edit on the toolbar.

12. Use the htpasswd generator site to create a new username and password, and copy/paste the generated entry into your .htpasswd file.

Example entry, which is for the username and password "protectwp":
protectwp:$apr1$QDbeOmHR$veKjSCrkn.EMAHNt75SQv/

13. Click the "Save Changes" button in the top right hand corner.

Congratulations. You've now protected your site's wp-login.php file from attacks. Your browser will ask for that new username and password first, and only after you enter them will you get access to the wp-login.php file.
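To review the two files once they are in place, here is an added example (not part of the original guide): a Python script that audits a constructed .htaccess/.htpasswd pair modelled on steps 7 and 12 and reports an over-broad FilesMatch pattern, a password file stored inside the web root, an entry copied from this guide, and hashes other than bcrypt or SHA-crypt. The function names and the sample strings are assumptions made for this example.

```python
import re

# Constructed sample inputs: a block with an unquoted, unanchored pattern and the guide's example entry.
HTACCESS = """\
<FilesMatch wp-login.php>
AuthType Basic
AuthName "Secure Area"
AuthUserFile /home/username/public_html/.htpasswd
require valid-user
</FilesMatch>
"""
HTPASSWD = "protectwp:$apr1$QDbeOmHR$veKjSCrkn.EMAHNt75SQv/\n"
PUBLISHED_EXAMPLE = HTPASSWD.strip()

SCHEMES = [("$2y$", "bcrypt"), ("$2a$", "bcrypt"), ("$apr1$", "apr1-md5"),
           ("{SHA}", "sha1-unsalted"), ("$6$", "sha512-crypt"), ("$5$", "sha256-crypt")]

def hash_scheme(entry):
    """Classify the hash in one 'user:hash' line by its prefix."""
    digest = entry.partition(":")[2]
    for prefix, name in SCHEMES:
        if digest.startswith(prefix):
            return name
    return "des-crypt" if len(digest) == 13 else "plaintext-or-unknown"

def audit(htaccess, htpasswd, docroot):
    """Return a list of findings for a wp-login.php Basic-auth setup."""
    findings = []
    block = re.search(r'<FilesMatch\s+"?([^">\s]+)"?\s*>(.*?)</FilesMatch>',
                      htaccess, re.S | re.I)
    if not block or not re.search(block.group(1), "wp-login.php"):
        return ["wp-login.php is not covered by a FilesMatch block"]
    pattern, body = block.groups()
    if not re.search(r"^\s*require\s+valid-user\s*$", body, re.I | re.M):
        findings.append("block has no 'Require valid-user'")
    if re.search(pattern, "wp-loginXphp.bak"):  # a name that should not match
        findings.append("pattern is an unanchored regex; it matches more than wp-login.php")
    userfile = re.search(r"^\s*AuthUserFile\s+(\S+)", body, re.I | re.M)
    if userfile and userfile.group(1).startswith(docroot.rstrip("/") + "/"):
        findings.append("password file is inside the web root")
    for line in filter(None, map(str.strip, htpasswd.splitlines())):
        if line == PUBLISHED_EXAMPLE:
            findings.append("entry is the guide's published example")
        if hash_scheme(line) not in ("bcrypt", "sha512-crypt", "sha256-crypt"):
            findings.append(f"{line.split(':')[0]}: uses {hash_scheme(line)}, prefer bcrypt")
    return findings

if __name__ == "__main__":
    for finding in audit(HTACCESS, HTPASSWD, "/home/username/public_html"):
        print("-", finding)
```

Run it with the contents of your own two files and your own document root in place of the constructed samples; an empty result means none of the four checks fired.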
