Protecting WordPress Login Page from Attacks

Protecting WordPress against Login Attacks

WordPress is, as we all know, one of the most popular content management systems around, which is exactly why it is such a common target. Recently we came across a very large distributed attack, effectively a DDoS, aimed at the login page (wp-login.php) of WordPress sites hosted on our network and on other well-known web hosting providers.

We take the security and continuity of your service very seriously and are proactive in everything we do. We have added a few new rules to our existing rule set to protect against this new type of attack. Since implementing them, we have seen a clear improvement in protection against these attacks.

While we have done what we can on our side to secure your websites, there are a few more things you can do to protect yourself from these types of attacks:

#1. Make sure WordPress is Up to Date!

This is a no-brainer. Update your WordPress installation, and keep your themes and plugins current as well. You would be surprised at how many installations are out of date, and an out-of-date install is exposed to every vulnerability fixed since that version, all of which are public knowledge once the fix ships. Here's a video on how to update your WordPress installation:

#2. Restrict Access to the wp-login.php Page

You can do this in one of two ways. The first is to install the Limit Login Attempts plugin, which locks an IP address out for a while after a set number of failed logins instead of letting it guess passwords indefinitely. The second is to restrict wp-login.php to your own IP address by editing your existing .htaccess file and adding the following lines:

# FilesMatch takes a regular expression, so anchor it and escape the dot
<FilesMatch "^wp-login\.php$">
Order Allow,Deny
# only this address may reach the login page; everyone else gets 403
Allow from xxx.xxx.xxx.xxx
Deny from all
</FilesMatch>

Replace xxx.xxx.xxx.xxx with your public (WAN) IP address, which you can find by searching for "What's my IP address" in Google. See the image below for an example:

[Image: Google search result for "What's my IP address"]

Note: Many ISPs assign dynamic IP addresses, so if your address changes you will lock yourself out of wp-admin; the same happens when you log in from another location, such as a mobile connection. You can still edit the .htaccess file through cPanel's File Manager, FTP or SSH to update the address. If your ISP changes your IP often, this may not be the right choice for you. Also note that Order, Allow and Deny are Apache 2.2 directives; on Apache 2.4 they only work if the mod_access_compat module is loaded, so check which version your server runs before relying on them.
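As an added example (not code from this article or from the Limit Login Attempts plugin), the script below shows the kind of counting that plugin-style rate limiting does, run after the fact over a few constructed Apache access-log lines: it counts failed POSTs to wp-login.php per source address inside a sliding window, reports the addresses that reach the threshold, and emits a matching .htaccess deny list in both the Apache 2.2 Order/Deny form shown above and the Apache 2.4 Require form. The threshold (4 attempts in 20 minutes), the sample addresses and the assumption that a stock WordPress answers a failed login with HTTP 200 and a successful one with a 302 redirect are mine, not the article's.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" log format. Only the fields needed for the check are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log using RFC 5737 documentation addresses; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2013:14:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:14:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:14:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:14:02:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Apr/2013:14:02:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Apr/2013:14:02:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Apr/2013:14:10:00 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3412 "-" "curl/7.29"
192.0.2.44 - - [10/Apr/2013:15:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "curl/7.29"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop the query string
        "status": int(m["status"]),
    }


def is_failed_login(rec):
    """A POST to wp-login.php is a credential submission. Assumption: a stock
    WordPress redisplays the form with HTTP 200 on a bad password and answers a
    good one with a 302 redirect, so a 200 is counted as a failed attempt."""
    return (rec["method"] == "POST"
            and rec["path"].endswith("/wp-login.php")
            and rec["status"] == 200)


def find_offenders(lines, max_attempts=4, window_minutes=20):
    """Return {ip: lockout time} for every IP that reached max_attempts failed
    logins inside a sliding window of window_minutes (lockout is recorded once)."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    locked = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_login(rec):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:   # expire attempts older than the window
            q.popleft()
        if len(q) >= max_attempts and rec["ip"] not in locked:
            locked[rec["ip"]] = rec["ts"]
    return locked


def render_htaccess(offenders, apache24=True):
    """Build a FilesMatch block denying the offending addresses access to wp-login.php.
    apache24=True uses the 2.4 Require syntax; False uses the 2.2 Order/Allow/Deny form,
    which on 2.4 needs mod_access_compat."""
    out = ['<FilesMatch "^wp-login\\.php$">']
    if apache24:
        out.append("    <RequireAll>")
        out.append("        Require all granted")
        out.extend(f"        Require not ip {ip}" for ip in sorted(offenders))
        out.append("    </RequireAll>")
    else:
        out.append("    Order Allow,Deny")
        out.append("    Allow from all")
        out.extend(f"    Deny from {ip}" for ip in sorted(offenders))
    out.append("</FilesMatch>")
    return "\n".join(out)


if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG.splitlines())
    for ip, when in hits.items():
        print(f"lockout {ip} after repeated failures, last at {when.isoformat()}")
    print(render_htaccess(hits))
```

Run against the sample, only 203.0.113.7 is locked out: 198.51.100.20 only loads the form and then logs in successfully, and 192.0.2.44's two failures are an hour apart, so they never sit in the same 20-minute window. That last case is also the weakness of any per-address threshold: a distributed attack spreads its guesses over many addresses that each stay under the limit, which is why the allowlist above and a network-level filter such as CloudFlare's are worth having in addition.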

#3. Enable CloudFlare

CloudFlare announced that it has pushed out a rule set that filters brute-force attacks against wp-login.php and wp-admin before they reach your server. CloudFlare is free and can be easily enabled on your GreenGeeks hosting account. To enable CloudFlare on your GreenGeeks account, take a look at 4 reasons why you should be using CloudFlare.

Our VPS customers who use WordPress can be affected as well. Please contact our team and we will let you know how to prevent this from occurring on your sites.

GreenGeeks offers some of the best WordPress hosting services in the industry with optimized servers specifically for WordPress. We’re also always evolving to make sure that our customers always experience the best web hosting period.