Preventing Brute Force on WordPress

One of my client websites, which uses shared cPanel hosting, is being flooded with login attempts from IP addresses in Ukraine and Russia. So far nothing is broken, but access to the site is very slow and Connection Timed Out or Internal Server Error appears. Fortunately, I host it myself, so it has not been turned off or kicked out.

What I describe here is arguably first aid against password brute forcing on WordPress. The protected paths are wp-admin and wp-login. I will use .htaccess, which is processed by the web server itself and is therefore faster than PHP-based solutions.

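RewriteEngine on
# Match requests for wp-login.php or wp-admin
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# 203.0.113.10 is a placeholder: replace it with your own public IP address
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
# Everyone else gets 403 Forbidden
RewriteRule ^(.*)$ - [R=403,L]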

A reminder first: this is a manual way to block access (with a 403 Forbidden response) to the specified pages (wp-login and wp-admin) unless the request comes from the allowed IP address. So how do we log in? Unavoidably, we have to edit the .htaccess file every time we want to enter the administration area. This is because, if the ISPs in the country use dynamic public IPs, the address changes with each session unless you have a static IP. So it is very troublesome.
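The paragraph above means re-editing the REMOTE_ADDR line whenever your address changes. As an added example (not part of the original post), this shell helper makes that edit: it validates the address, escapes and anchors it, and keeps the file's permissions. The function names, the scratch file and the sample addresses are assumptions, and only IPv4 is handled.

```shell
#!/bin/sh
# Added example, not from the original post. set_allowed_ip and is_ipv4 are
# hypothetical helper names; all addresses are documentation-range samples.

# Succeed only for dotted-quad IPv4 with every octet in 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Rewrite the REMOTE_ADDR condition in file $1 so that only address $2 passes.
set_allowed_ip() {
    htaccess=$1 ip=$2
    is_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 2; }
    grep -q '^RewriteCond %{REMOTE_ADDR} ' "$htaccess" ||
        { echo "no REMOTE_ADDR condition in $htaccess" >&2; return 3; }
    # Escape the dots and anchor both ends; an unanchored 203.0.113.1
    # would also match 203.0.113.10 and 203.0.113.199.
    pattern=$(printf '%s' "$ip" | sed 's/\./\\\\./g')
    tmp=$(mktemp "$htaccess.XXXXXX") || return 1
    # cp -p first so the temp file carries the original mode; a 0600
    # .htaccess may be unreadable to the web server.
    cp -p "$htaccess" "$tmp" &&
        sed "s/^RewriteCond %{REMOTE_ADDR} .*/RewriteCond %{REMOTE_ADDR} !^$pattern\$/" \
            "$htaccess" > "$tmp" &&
        mv "$tmp" "$htaccess" || { rm -f "$tmp"; return 1; }
}

# Constructed sample: the rules from this page in a scratch file.
demo_file=$(mktemp "${TMPDIR:-/tmp}/htaccess.XXXXXX")
cat > "$demo_file" <<'EOF'
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^198\.51\.100\.7$
RewriteRule ^(.*)$ - [R=403,L]
EOF
set_allowed_ip "$demo_file" 203.0.113.10 && grep REMOTE_ADDR "$demo_file"
```

Run it against the site's real .htaccess with your current public address as the second argument. Over an SSH session, `${SSH_CLIENT%% *}` holds the address you connected from.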

Alternative solutions that can be used:

  • WordFence or iThemes Security. Both are WordPress security plugins, but select just one.
  • In cPanel, we can password-protect access to certain content.
  • Or use CloudFlare and set up its firewall.