WordPress wp-login.php Brute Force Attack

There have now been several large-scale WordPress wp-login.php brute force attacks since April 2013, coming from a large number of compromised IP addresses spread across the world.

We first started this page when a large botnet of around 90,000 compromised servers had been attempting to break into WordPress websites by continually trying to guess the username and password to get into the WordPress admin dashboard.

You can quickly review WordPress login attempts to see if your site has recently been under attack.

Global WordPress brute force attack

Please remember these issues are not isolated to InMotion Hosting or our WordPress Hosting. For example, here is one that was affecting multiple providers.

 

General WordPress brute force protection

Please note: before adding and removing plugins or making changes in general, you should back up your WordPress site with a reputable plugin.

While we do HIGHLY recommend implementing as many secure solutions as possible for WordPress, the following guides would be a great first step in protecting yourself and your WordPress site from further attacks.

InMotion Hosting’s defense plan

Our senior system administration team has rolled out a fleet wide security policy to help contain these attacks.

We are proactively protecting our customers to help stop the spread of further attacks. These malicious bots are trying to break into one WordPress site, and then using it as part of the botnet to begin attacking other sites.

InMotion Hosting customers locked out of WordPress, please follow this specific guide:
WordPress login temporarily disabled (fix)

Helping the community

I took part in an almost 2 hour Google+ hangout with the WordPress Bay Area Foothills Meetup Group, consisting of some InMotion customers as well as other WordPress users.

In this hangout I covered this WordPress brute force attack, and walked them through this article as well as answered other WordPress security related questions.

10 recommended steps to lock down and secure WordPress

1. Use a strong password

Minimum password recommendations:

  • At least 8 characters total
  • Mixture of upper and lower-case letters
  • Numbers, punctuation or other non-alphanumeric characters

Example weak password: secret1
Improved strong password: Z#hupsZ2M4!Z

Take a look at how to create a secure WordPress admin password for easy steps.

2. Change default WordPress admin username

When installing WordPress, by default the administrator user has the username of admin.

The botnet attack is currently only targeting this default username, so even having an administrator username of admin123 could significantly reduce the likelihood of your site being successfully logged into by a malicious user.

Check out how to change the WordPress default admin username for security.

3. Lock down WordPress admin access with .htaccess

Utilizing a WordPress brute force plugin for this type of attack is not very efficient, and in some cases can actually lead to your site becoming unavailable due to the large amount of processing power used to attempt to challenge each and every malicious login attempt.

Set up a secondary level password to prevent unauthorized WordPress wp-admin and wp-login.php attempts.

Or you can rely on the information we have on limiting WordPress admin access with .htaccess.

4. Temporarily disable CPU intensive login limit plugins

Blocking this attack with .htaccess rules is the preferred method, as login limiting plugins can not only lead to issues with triggering our own internal security rules, but they also will not be effective in this type of large scale attack.
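The login review mentioned at the top of this page, and the point in steps 3 and 4 that per-IP login limits do little against an attack spread over many addresses, can both be checked against your own access log. The Python below is an added example, not InMotion Hosting's tooling; it assumes the Apache combined log format, and the sample lines, IP addresses and the per-IP limit of 3 are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (ip, time, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def is_login_attempt(method, path):
    # Only a POST submits credentials; a GET just renders the login form.
    return method == "POST" and path.split("?", 1)[0].endswith("/wp-login.php")


def summarize(lines, per_ip_limit=3):
    """Summarise wp-login.php POSTs and what a per-IP attempt limit would stop."""
    per_ip, per_hour, statuses = Counter(), Counter(), Counter()
    redirected = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if not is_login_attempt(method, path):
            continue
        per_ip[ip] += 1
        per_hour[ts.strftime("%Y-%m-%d %H:00")] += 1
        statuses[status] += 1
        # WordPress normally answers a failed login with 200 (the form again)
        # and a successful one with a 302 redirect, so a 302 from an address
        # you do not recognise deserves a closer look.
        if status == 302:
            redirected.add(ip)
    return {
        "attempts": sum(per_ip.values()),
        "distinct_ips": len(per_ip),
        # Sources that made enough attempts to trip a per-IP lockout.
        "ips_reaching_limit": sorted(ip for ip, n in per_ip.items() if n >= per_ip_limit),
        # Attempts beyond the limit, i.e. the only ones such a lockout refuses.
        "stopped_by_per_ip_limit": sum(max(0, n - per_ip_limit) for n in per_ip.values()),
        "busiest_hour": per_hour.most_common(1)[0] if per_hour else None,
        "statuses": dict(statuses),
        "redirected_ips": sorted(redirected),
    }


def make_line(ip, ts, method, path, status):
    return f'{ip} - - [{ts} +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "-"'


# Constructed sample: 40 sources with one guess each, one noisy source,
# one login that was redirected, one request blocked with 403, and noise.
SAMPLE_LOG = (
    [make_line(f"198.51.100.{i}", f"12/Apr/2013:10:{i:02d}:07", "POST", "/wp-login.php", 200)
     for i in range(1, 41)]
    + [make_line("203.0.113.9", f"12/Apr/2013:11:00:{s:02d}", "POST", "/wp-login.php", 200)
       for s in range(5)]
    + [
        make_line("192.0.2.44", "12/Apr/2013:11:05:00", "GET", "/wp-login.php", 200),
        make_line("192.0.2.44", "12/Apr/2013:11:05:09", "POST", "/wp-login.php", 302),
        make_line("192.0.2.77", "12/Apr/2013:11:06:00", "POST",
                  "/wp-login.php?action=lostpassword", 403),
        make_line("192.0.2.44", "12/Apr/2013:11:07:00", "GET", "/about/", 200),
        "malformed line",
    ]
)

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample a per-IP limit of 3 refuses only 2 of 47 attempts, because 40 of the sources guess once each; a server-level rule on wp-login.php answers all of them before WordPress runs.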

5. Scan website for hacks, check Google Safe Browsing

If your WordPress site has been successfully compromised, a clear indication will usually be found either by a surface security scan of the website, or it will also get reported to Google’s Safe Browsing.

Check Google’s safe browsing for your domain, at https://transparencyreport.google.com/safe-browsing/search

6. Set up CloudFlare DNS level protection

Due to the large scale of this botnet attack, CloudFlare has offered DNS level filtering for this attack on all of their free accounts.

This is probably not an ideal solution if you have many WordPress sites, due to having to update the name servers for each domain and then waiting typically 24-36 hours for DNS propagation. Single site owners, however, might benefit greatly from this type of protection, which should block the botnet requests from even making it to the server in the first place.

7. Backup WordPress

At this point it’s probably a good idea to back up WordPress just in case. That way, as the attacks continue, you’re ensured that you always have a good point to restore back to in the event something goes bad.

Backing up your data

Restoring your data

8. Update everything WordPress

To protect yourself from any known exploits to WordPress you should update everything related to WordPress:

Necessary updates to make:

9. Clean up hacks

If your website has been the victim of a hack, you can follow my guide on how to reinstall WordPress after a hack for steps on cleaning it up and getting back in business.

10. Other general WordPress recommendations

Hopefully your WordPress website should be locked down and secure now, which should help prevent our own internal security rules from blocking your own access to your WordPress admin.

When the dust settles and you know how to prevent brute force attacks from getting access, please take some time to review our repository of WordPress Tutorials.

InMotion Hosting Contributor

245 thoughts on “WordPress wp-login.php Brute Force Attack”

  1. Hey, I installed a new WordPress in cPanel and when I try to go to wp-admin I get this error. I created it new, just 1 minute ago. How do I fix that?

    1. Hello,

      Thank you for your question. Unfortunately, I am not able to see what the error message says. I recommend contacting our Technical Support team for direct assistance with this issue.

      Best Regards,
      Alyssa K.

  2. Hello, My name is William. I was trying to login to a members area with wordpress, but for some reason it says that I have been blocked from going into the members area. Also it said that I needed to wait until the block expires. How long will that take? Can some one assist me with this issue?

    1. If you have somehow loaded the reCaptcha plugin, then you will need to disable it manually in order to log in. You will need to access your website files, and remove the recaptcha folder from your plugins folder. You should be able to log in after that.

  3. I tried to log in to my WordPress dashboard but it wasn’t successful. WordPress kept signalling that there is an error and that I should allow cookies. I tried the instruction and turned the cookies button on in my browser, yet the same issue persisted. What can I do?

    1. I would recommend disabling any extensions you are using in your browser or switch to a different browser. If that does not work you may be having an issue with a plugin or theme on your site which means you will need to manually disable the plugins or theme to be able to log in.

  4. I don’t use WordPress but I do log all access requests to my site. On an average day my site gets over 100 wp-login.php attempts from all over the world. Fully 90% of hacking attempts on my site are WordPress exploit attempts. Since most (probably all) are bot-net attacks I check the IP address and if they are a US company I send a note to ISP abuse contact informing them that they have a compromised machine on their service.

    I was thinking of having some fun and mimicking the wp-login process and seeing what these fools will try to do.

    1. Hello. I’m not quite sure what the issue you are experiencing is. I don’t see any errors at the link you provided. Are you still having problems?

  5. Hello InMotion,
    Please we just tried logging out of our WordPress site but noticed a “WordPress Login Temporarily Disabled” page coming up. Please when will this block expire. And do you suggest we later install a plugin that can change the default “wp-admin” login page link to a custom link of our choice? Please reply, thank you.

  6. All of my .net websites get dozens of “wp-login.php” requests a day, so this is not limited to WordPress sites. The majority of hack attacks on my sites are WordPress exploit attempts. I usually redirect them to the Department of Homeland Security’s CyberCrime page with a tag of “I’m_a_stupid_hacker_Log_my_IP_address”

  7. This is the easiest of all hacks to prevent. You do not need to go to extraordinary lengths.

    1. limiting log in attempts to 3 trials is a typical number.  Where did it come from? Everyone uses that number.  You all buy into this magical number.  How many times have you had a brain freeze where you forget.  Or your browser has a brain freeze.   Limit to 6.  Any bot is eventually going to give up.    No bot is going to hit you for hours.   They are looking for easy doors.

    2. All-in-one-security plugin allows you to change the login directory.  That alone is nearly fool proof.    Really simple name can be used.    You never use login.php

    3. The craze over passwords is insane! 8-20 letters. One capital _ or ! but not – or $. There are very simple algorithms for passwords that can be memorized but are “unbreakable.” Try this very simple example. It’s just an example. I could give you a dozen. “The…..FBI…..is…..watching” Try it. Uncrackable. or 1…..2…..3…..4…..5….. Luckily fingerprints and iris scanners will eventually take over. I use LastPass otherwise it would be hopeless. I have hundreds of passwords. I can’t even remember how to log into Facebook.

    4. People live in the real world. Use simple real world solutions. Simplify!

    5.  Even the captcha below is crazy and outdated.  Most of the time I can’t read it.  It can be very very simple.   “what is two + 3”    Simple.  

         

    1. The blocks last for 15 minutes, and so long as there are not more failed login attempts, you should be able to log back in after the block expires.

      Thank you,
      John-Paul

  8. Thanks for the reply. To be clear I am writing to talk about protecting WordPress users on a large scale, not about how to protect a single instance. That is why the method we use is httpd.conf based and not .htaccess based.

    I was hoping to hear your opinion on the two issues I’ve specifically talked about since I think these would affect your users if they made use of some of the techniques you’ve suggested, like IP based .htaccess protections.

    Using per-instance WP plugins is highly inefficient and as documented in some of your own posts can actually cause server-wide resource issues on shared systems and/or render a tiny VPS or CloudLinux instance effectively dead in its tracks.

    That is why we went with the httpd.conf method to protect all sites at once. But because of the two issues I mentioned (WP page protection and non display of AuthName) it looks like this solution may have to be modified or abandoned altogether.

    Also, your suggestion to protect wp-admin/ has its own set of issues. We’ve run into multiple cases where plugins that run on the WP front end pull resources from within wp-admin/. This could be looked upon as bad programming practice, but nonetheless it does occur and of course, as soon as that happens whatever protection that is in place for wp-admin/ gets invoked and an unsuspecting end user is either blocked based on their IP or challenged with a popup. And now with Chrome not displaying the AuthName (which is typically used to explain why a login prompt is being displayed) the end user will be confused and likely leave the web site.

    Also, we do make use of fail2ban with/csf just for good measure so that unusual, repeated access attempts to wp-login.php get blocked based on IP address.

    I think these are important aspects of protecting WordPress installations. Maybe some of your colleagues would care to weigh in? I’d love to hear some other thoughts, maybe something outside the box?

     

    1. Hello C M,

      Unfortunately we couldn’t implement a httpd method due to the nature of our shared/reseller servers. While plugins do pull from the wp-admin directory, you can protect direct access to the folder. This way your website can still pull from the folder but if a browser directly went specifically to wp-admin it would ask for an additional password or be IP restricted. I would suggest also reaching out to the wordpress.org community to see if they have come up with multiple WordPress login protection solutions.

      Best Regards,
      TJ Edens

  9. Thank you for having this public area.

    Locking down wp-login.php can be done in a variety of ways. I prefer forcing the user to do a simple human check by password protecting wp-login.php using LocationMatch directly from the httpd.conf file, server wide. This is extremely efficient and universal for all web sites on the web server.

    While this method does work well there are two problems that I’ve not seen mentioned. I was hoping I could pick your brain on some ideas.

    The first issue is if a customer is making use of the built in WordPress per-page password protection (as a means for protecting private content, not for stopping hacking attempts). When an end user enters the page password, WordPress actually invokes wp-login.php! That means any protection in place that was intended only for the admin user now gets invoked by an end user simply trying to log into a WordPress password protected page. In my case this means an .htaccess style popup is displayed asking them to prove they are human (as if they were trying to log into the WP backend). But for those who use an IP based .htaccess style protection for wp-login.php this would immediately stop the end user from being able to continue and they would never be able to access any password protected WP pages.

    The other issue is that on newer versions of Chrome (and maybe other browsers) the AuthName is not displayed. So there is no way to explain to the end user what they are supposed to do if they do encounter the httpd.conf based human check login box.

    These two issues may render the best, most efficient protection against wp-login.php hacking available completely useless, forcing people to go back to PHP based WP plugins, which IMO are not viable on a large scale.

    I would really enjoy hearing InMotion’s thoughts on these two issues.

    Thank you!

    1. Hello C M,

      What I would suggest to resolve issues on both parts is a plugin such as limit login attempts. This plugin blocks the user’s IP after 3 failed attempts (can be changed) for 24 hours (again can be changed). So if someone sent out a botnet to attack your website each IP is only getting a few chances. Also you can not put in the wp-login.php and just leave the wp-admin/ while locking it down.

      Best Regards,
      TJ Edens

    1. The lock comes off in about 15 minutes, but if you need to access your site right away you can disable mod_security in cPanel. However, this leaves your site more vulnerable to brute force attacks. So I recommend turning off for as short a time as possible, making the most use of time to secure the login page with the methods listed above.

  10. Hi,

    I’ve just had the temporarily locked out thing.  Sorry this is my first website and I can’t remember all the terminology all the time.  Not attempted to get back in yet as I want to make sure I do it right and am reading up on it.  I see in the article for using the plug in that it’s not suitable anymore.  I don’t think option 2 will work for me as I travel around a lot through multiple countries and need to be able to log in from wherever I am.  I have a strong password, but will replace it anyway once I’m back in.
    What would you recommend that I do?

    Many thanks

    Fiona

    1. Hi Fiona,

      Do as many of the options as possible, you do not need to do all of them, but the more you do, the better.

      Kindest Regards,
      Scott M

  11. Hallo!

    How to protect a WordPress site when the brute-force attack is on the “Front-end Membership” login box?

    🙂

    1. Hello Marco,

      Thank you for contacting us. I recommend using a security plugin such as WP-reCAPTCHA to protect from spam registration attempts.

      Thank you,
      John-Paul

    1. Hi Philip, there’s nowhere to really “report” them. I’d suggest trying to block their IP address. How exactly are they attacking you?

  12. Having been under a brute force attack for several days, I just wanted to chime in with what I did to resolve my problem – without modifying the .htaccess file or using a 3rd party “hide the login page” plugin.

    Using the free Wordfence plugin that I’ve had installed for quite a while, under Live Traffic Views> Live Logins & Logouts, I noticed that the majority (if not all) of the attacks were originating from Russia, and the attacks rarely came from the same IP address.  So trying to block specific IP addresses was not a logical option.

    With premium Wordfence service, Wordfence has the ability to block countries with one click.  But since I don’t have the $40 to spend right now, I found a great free country blocking plugin called IP Geo Block.  It’s available at https://wordpress.org/plugins/ip-geo-block/

    This plugin allows you to manually create a black list of all countries you want to block, and it also allows you to create a white list of countries you of course want to allow through.

    But after I activated the IP geo Block plugin, my attacks dropped from 20-30 attempts an hour to perhaps just a few a day.  And over the past few days, I’ve not had any problems logging into my WordPress site at any time of the day or night.

    As a footnote, I saw what appeared to be the attacking robots trying to skirt around the RU block by going through some infected sites that originated from the Ukraine so BAM!  I added the country code UA to my black list and ended that real quick too!

    The plugin is easy to use (for this novice WordPress user), and it also has quick-links for access to all global country codes definitions.

    All has been peaceful since I added this plugin and since I don’t sell anything online globally, I have no problem blocking the entire Russian Federation or Ukraine either.

    Frank

    1. Hello Marc,

      If you’re getting blocked by the brute force protection on the server, then you can regain access within 15 minutes. If it continues and you still have problems, please contact our live technical support team for immediate assistance via phone/chat/email. They can help you get immediate access.

      If you have any further questions, please let us know.

      Kindest regards,
      Arnel C.

    2. Hello Oviya,

      If you require information please let us know what you are searching for. You can contact our live technical support team for immediate assistance if necessary. We unfortunately cannot contact you via phone.

      If you have any further questions, please let us know.

      Kindest regards,
      Arnel C.

  13. Well, recently brute force attacks have immensely increased, becoming a dangerous factor for all WordPress users, but it is a thing which is fightable. I mean, by using security methods, we can move brute force attacks out of the window. Although it can be difficult for newbies who just got started with WordPress, they can learn by reading posts online and then implement security.
    In my view, implementing only three tricks works very well: changing the login slug, a content delivery network (CDN) and a security plugin which bans IP addresses after a few login attempts. I am using this on my blog and it is working fine.

    1. Hello Julie,

      Thank you for contacting us. We are happy to help you troubleshoot, but will need some additional information. What is the full error you are getting when you log out?

      Have you tried Turning on WordPress debugging? This may provide a more detailed error.

      Thank you,
      John-Paul

  14. Why not simply rename the wp-admin.php to another name?

    Your login URL would be something like mysite.com/anothername. The brute force bot would be looking for wp-admin.php and receive a “Page Not Found” error.

    This works for me.

    1. Hi Jacob,
      Thanks for the information.
      I know this is an old post, but here is what I did as a layer of protection from the brute force.
      I added the following line at the beginning of the wp-login.php
      if ($_GET['something'] != "value") { exit(); }

      then edited the line:

  15. This is insane. I just signed up for InMotion and installed WordPress, and now I am unable to log in. Can you please remove the block?

  16. I posted a question last night but have not seen it appear as of yet? I have been hosted with you for several years with a main and addon domains with WP.

    Have had the ‘prevent unauth access’ in place for referer attempts for most of that time and it has worked. Lately however it is not working. Seeing failed remove attempts to login.

    Yesterday I sought to implement the limit login by restricting the IP addresses to mine and 10 other IP addresses, with the referer code in place and without it. Testing it afterwards and I was still able to log in from an alternate IP address… ? (If this is not the correct place to post or more details are needed please let me know. Thank you.)

    1. Using the referrer method can sometimes still fail if any attacks access your login page before sending a POST request to it.

      As for the IP filtering rules, those should be blocking anything that isn’t listed there. Could you provide me with the exact code that is within your .htaccess file?

    2. In addition, could you provide me with your site URL so that I can also test access to the WordPress admin with my IP?

    3. Thanks Jeff Ma – made sure cell was not on the wifi – earlier post reply *wordpress/lock-down-wordpress-admin-login-with-htaccess-* same core thread but different thread route… : ) aggregating the 2 into one here – thanks for that info though

      The code at the top of the htaccess is as follows, before wp super cache, which is then followed by basic wpress code for the site: island real estate with a dot com url.

      Options -Indexes


      RewriteEngine on
      RewriteCond %{REQUEST_METHOD} POST
      RewriteCond %{HTTP_REFERER} !^https://(.*)?my domain name is here\.com [NC]
      RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
      RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
      RewriteRule ^(.*)$ - [F]


      RewriteEngine on
      RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
      RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
      RewriteCond %{REMOTE_ADDR} !^xx\.xxx\.xxx\.xx$
      RewriteRule ^(.*)$ - [R=403,L]

    4. Your .htaccess file looks just fine. Could you provide me with your domain so that I can test the login as well? With the code you have there now, it should be blocking any IP addresses not defined without any issues.

    5. Thanks. I’m actually getting a 403 error like I should be, so it appears that everything is working. You may just be seeing old cached data if you are accessing it from an unallowed IP.

    6. Thank you very much. I am getting 403 now on wp-admin. I typically am logging in via .com/login and it still provides access, which I realize is probably outside the scope here : ) I use theme my login for style purposes and will see if it has a code box for the IP restriction. Thank you.

  17. Hi Jacob,

    Thanks for making this block.

    I think my website ww.hmxmedia.com is also facing brute force attacks.

    But first I want to share my website’s problems.

    My website is taking too long in loading; I am not even able to open the WordPress admin page. Sometimes it opens but I cannot go to the lugin page; it says this webpage is not available. Using FTP also, sometimes it connects, sometimes not. The only thing I am able to work on is my hosting console panel.

    Can you please help me in this as soon as possible

    1. Hello ankur,

      Thank you for contacting us. If you suspect you are being brute-force attacked, I recommend reading our section above on Brute force protection.

      Also, for speeding up your website, please see our guide on Optimizing WordPress, as it explains many ways to speed up your site.

      Since your site is not hosted with us, I could not check your server. But, it may be helpful to contact your host when you are unable to connect. As they may be aware of known issues causing the problems.

      If you have any further questions, feel free to post them below.

      Thank you,
      John-Paul

  18. WP has a plug in for that.  I have admin blocked unless you are logged in and they can’t log in because wp-login doesn’t exist under that name so all they get are 404s.    The entire backend is blocked unless you log in.  There is no where to register because there is no need for anyone to register since I am using it as a website with no blog or comments.   It’s been downright quiet.

  19. I’ve used IP Blacklist Cloud quite successfully to block repeated attempts on a WordPress install and anyone trying to log in as “admin” is automatically blocked. The IPs are stored on my site and attacks have dropped off dramatically. No, I do not work for them.

    1. No problem, Wayne! We do appreciate the feedback and the questions. Let us know if you require any further assistance.

      Regards,
      Arnel C.

  20. Thanks for the reply, JeffMa.  But, again:  I don’t understand how any of your suggestions here (in your reply to my post) would help.  The web server still has to respond to each and every request from a client, whether it’s to reject the direct POST, reject based on the IP address, or deliver a 404.  

    Is it because the brute-force perpetrator will abandon the exercise if they see 404s or other error/rejection messages?  (This would make much sense.) 

    1. We have noticed that most of the bots will cease attempts when they reach various HTTP error codes so it certainly does help.

      In addition, a request that is directly returning an error will use far less resources than WordPress fully processing the login attempt, therefore can handle 1000 403 errors much better than 1000 direct POST requests to the WordPress admin page.

  21. Not trying to be pedantic here, but how would changing the admin username/password reduce brute force ATTEMPTS…?  It might reduce the chance of success, but the bigger problem (assuming you have a strong username/password) is the CPU utilization, in which the brute-force attack becomes more of a Denial of Service attack.  

    Wouldn’t a perimeter DDOS-migration approach be more effective (and far easier)…?

  22. There is no reason to assume that InMotion hosts get attacked any more than other hosts, and I work with over a dozen other hosting companies and none of them implement this (and I also never had a problem getting hacked, DDoS, etc). So why does InMotion take such a disruptive stance on this?

    It is more inconvenient and frustrating than anything and having been a sysadmin and network admin for over a decade, I find this quite on the extreme. 

    There should be a one checkbox option on our dashboard to turn this *on* if we want to. 

    Please consider fixing this.

    1. Hello Oscar, and thanks for your comment.

      Typically our internal ModSecurity rules that protect our entire server fleet from unwanted WordPress brute force attacks, don’t interfere with normal admin login activity once a WordPress user implements their own brute force protection.

      It’s an extra level of protection to ensure not only that our own customers are safe, but also that our customers aren’t unknowingly setting up an insecure WordPress install with a simple password and then our servers going out and attacking other WordPress users at other hosts.

      It’s a lot easier helping a customer protect themselves by setting up a secondary WordPress admin password, or they could change the WordPress admin url with the Lockdown WP Admin plugin. The steps to reinstall WordPress after a hack aren’t nearly as easy to follow along with, and we’ve heard this from customers so decided to be proactive in this case.

      We still see WordPress brute force attacks on a daily basis, and the typical customer doesn’t pay too much attention to their website, or have the server knowledge to make sure they are safe on their own. We are still looking for a better alternate solution that’s easier for everyone all around.

      Thanks again for your comments, and please let us know if you have any other questions.

      – Jacob

  23. Hi,

    I modified the Htaccess file and limited it to only my ip and it still blocks me out.

    This morning I was able to regain access, but when I tried again now, still blocking me again.

    I will wait 20 minutes before trying again… But this is getting annoying and it’s not the first time it happened to me.

    Could you suggest something else or try to see where the attack is coming from? Is this blocking protection only happening when someone is trying to access the wp-admin?

     

    Thank you

    1. When blocking based on IP, only your IP would be able to even see your WordPress admin without getting a 403 error stating that permission is denied. With this block correctly in place, nobody else but you would be able to see the admin login, therefore, would never trigger your WordPress admin to be locked down to prevent brute force attacks.

      If your WordPress admin is still being blocked, it sounds like you have not placed the lines within your .htaccess file correctly. I recommend checking over your .htaccess file to ensure that the correct lines are at the top of the file. You may also check to see that it is correctly in place by attempting to access your WordPress admin from another IP address that is not defined within the .htaccess file. If you are getting a 403 Permission Denied error, the changes are in place correctly.

  24. Hello guys, I cannot get access to the WordPress blog of the William Paterson University’s Music Biz blog. We are supposed to submit an assignment today for the Music Business class and it seems that I have forgotten my password :((( Are there any possible solutions??

    Thanks a lot!!!

    1. Hello fima,

      Thank you for contacting us today. You may be able to reset your WordPress password via email, which is explained in this guide.

      If you have any further questions, feel free to post them below.
      Thank you,

      -John-Paul

    1. Hello Ratopati,

      If you are seeing this message you will want to apply one of the solutions on this page. This should help eliminate receiving this message in the future.

      Kindest Regards,
      Scott M

    2. Hello Mara,

      Thank you for the kind words! It is always nice to hear from someone who knows and appreciates the issues that hosting can bring!

      Kindest Regards,
      Scott M

    3. Hello Vicki,

      If your site admin area is being blocked you will want to perform the instructions on this page. If you are having issues after that, please reply with the specific steps you have taken so we can take a look at your individual situation.

      Kindest Regards,
      Scott M

    4. Hello Phil,

      Thank you for your comment. The solutions on this page will help with the login issue, but will have to be enacted by the owner of the website. This is because you must have access to the .htaccess for WordPress.

      If you have any further questions, feel free to post them below.
      Thank you,

      -John-Paul

  25. Am an avid reader of FreakoutNation, and was wondering how to set up a login account?

     

    Thanks for your time!

     

    Phil Palmer

    Gulf Coast USA

  26. I’m not a client, in fact I’m a competitor. You don’t need to make this comment public (if you don’t want to), I just wanted to say that Jacob, Arnel, Jeff and the other support staff are doing an AMAZING job under very difficult circumstances.

    The patience you’ve shown in dealing with some of your customers who don’t understand the value of a proactive approach to security is impressive. These are the same customers who would berate you to no end over downtime due to a DDoS, and expect that you should have done more when their site gets hacked.

    Kudos.

  27. I couldn’t open admin
    it looks like this : WordPress Login Temporarily Disabled
    We apologize for the inconvenience! You are seeing this message because your site has recently been targeted by attackers attempting to gain access to your WordPress Dashboard. In order to protect your site your WordPress Login page has been temporarily disabled.
    Unfortunately, you will be unable to login to the Dashboard until the block expires.

  28. We are changing hosting once our term is up. I support two other clients that are on other hosting services and I implement solutions for security that eliminates most risk. But, supporting this one client when they continuously cannot log in is not a sustainable choice for us. My recommendation for WP will never be to use your hosting service unless you change this. I would recommend a less hands-on approach. Help people WHEN they get hacked. Give ways of preventing, but don’t limit access. It’s just bad business.

    Do what you like, that’s just my advice.

    1. Hello Thomas, and thanks for your comment.

      While not an ultimate solution by any means, I would recommend changing your WordPress admin URL if you are experiencing WordPress brute force attacks, as more than likely the majority of the bots hitting you are simply sending blind requests to the default admin URL.

      Sure, some bots could potentially find your hidden URL, but you could be wasting resources needlessly on 90% of the dumb bots that try to hit your WordPress site. It’s very easy, if you’ve changed your URL, to then review WordPress login attempts and just look for IPs or User-Agents hitting your hidden URL. You would know then they’re bots for sure if they aren’t you, and can manually block them with your .htaccess rules.

      You could rely on a plugin to help keep bots out, but this requires a PHP script execution for each and every request typically, which could lead to higher CPU usage if you’re under attack. Using your own custom .htaccess rules to limit access is highly recommended as mentioned in this article we recommend limiting WordPress admin access with them, or setting up a secondary WordPress admin password to help keep bots out.

      In regards to the Big Brother aspect of a web host stepping in and protecting their customers, unfortunately in this case it is an unfortunate necessity. I’d guess that probably 1% of our own WordPress customers if that enact their own WordPress admin protection on their own. So we step in for the security of our server population, and to make sure we aren’t hosting hacked WordPress accounts that then go off and attack other WordPress sites.

      It wouldn’t be fair to let 10 WordPress sites on the same server as yourself just sit there and use up server resources over and over until the owners decided to protect themselves. Most customers after implementing their own WordPress security will stop triggering our internal security ModSecurity rules, and we can disable it altogether on an individual customer basis if they continue to have problems with it.

      I couldn’t find an account with us based off your email, but if you were having any issues with our security rules locking you out of WordPress please let us know!

      – Jacob
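
The log review described in the reply above, as an added example that is not part of the original comment or InMotion's own tooling: it counts requests to the login URL per IP and User-Agent in Apache combined-format access log lines. The sample log lines, the `/my-hidden-login` path and the function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Apr/2013:10:00:01 -0400] "POST /wp-login.php HTTP/1.0" 200 3512 "-" "-"',
    '203.0.113.7 - - [12/Apr/2013:10:00:02 -0400] "POST /wp-login.php HTTP/1.0" 200 3512 "-" "-"',
    '203.0.113.7 - - [12/Apr/2013:10:00:03 -0400] "POST /wp-login.php HTTP/1.0" 200 3512 "-" "-"',
    '198.51.100.23 - - [12/Apr/2013:10:00:04 -0400] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Apr/2013:10:01:00 -0400] "GET /wp-login.php HTTP/1.1" 200 2270 "-" "Mozilla/5.0 (X11)"',
    '192.0.2.10 - - [12/Apr/2013:10:01:09 -0400] "POST /wp-login.php HTTP/1.1" 302 - "http://example.com/wp-login.php" "Mozilla/5.0 (X11)"',
    '203.0.113.99 - - [12/Apr/2013:10:03:00 -0400] "POST /my-hidden-login HTTP/1.1" 200 3512 "-" "Mozilla/4.0"',
    'this line is not in combined log format',
]


def review_login_attempts(lines, login_path="/wp-login.php", own_ips=(), min_posts=1):
    """Return (ip, user_agent, posts, requests) rows for the login URL, busiest first.

    login_path: the default login script, or your changed admin URL.
    own_ips:    addresses you log in from; their requests are ignored.
    """
    stats = defaultdict(lambda: [0, 0])  # (ip, agent) -> [posts, requests]
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a combined-format line
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if path != login_path or m["ip"] in own_ips:
            continue
        counts = stats[(m["ip"], m["agent"])]
        counts[1] += 1
        if m["method"] == "POST":
            counts[0] += 1
    rows = [(ip, agent, posts, reqs)
            for (ip, agent), (posts, reqs) in stats.items() if posts >= min_posts]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


if __name__ == "__main__":
    for row in review_login_attempts(SAMPLE_LOG, own_ips={"192.0.2.10"}):
        print(row)
    # A hit on a changed login URL from an address that is not yours is worth a look.
    print(review_login_attempts(SAMPLE_LOG, login_path="/my-hidden-login"))
```
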

    2. Hello again Thomas,

      Sorry to hear that. I’ve worked with hundreds of our customers to try to clear up any problems they’ve been having with WordPress brute force issues, and I’d be glad to help you out if you’re still having problems. It’s usually a matter of reviewing their logs, ensuring they aren’t under constant attack, making sure they have their WordPress site protected, and then we can disable our ModSecurity rules for them. You can comment here with any account info and it won’t go public until we remove any private data and approve the comment if you’d like me to take a look into an account for you.

      We do help customers when they get hacked, and in this case our approach is proactive. The largest scale brute force attack against WordPress had occurred back in April 2013 when I first wrote this guide and it continues to come in waves here and there which I’ve always noticed in the Google traffic to this guide spiking as people search for help.

      We limit access, because most WordPress website owners don’t pay attention to the security of their site. It’s a lot easier to prevent the hacks from happening in the first place than having to reinstall WordPress after a hack.

      Sorry for any frustrations, I can tell you on both sides of the coin this isn’t a fun problem to deal with.

      – Jacob

  29. Changing your login location is not a recommended practice as bots can still find you. It’s better to take an action-based approach. Plus, I don’t like any hosting service taking my sites security over and limiting my access. It’s a little bit like Big Brother. I have a plugin that adds a captcha at login that eliminates almost all attempts for bots to log in. So, this feature of disabling the wp-admin login is really not needed at all. Plus, I use custom .htaccess rules to take action on bots or suspected ones.

  30. Jacob, I’m a mere mortal running his business 🙂 who would like some expert help to just solve this problem for me. Something you’d be willing and able to do? If so, pls email me and thanks…

    1. Hello Bob, I’d be glad to help!

      I went ahead and removed your email from this post before making it public, and sent you a separate email with further details specific to your account’s WordPress login issues.

      If you’re still having any issues at all, feel free to comment here again or just reply to my email directly!

      – Jacob

    1. Hello Noah,

      I went ahead and implemented secondary WordPress admin protection for you.

      You can get in with:

      Username: noah
      Password: wordpress

      If you’d like to setup a different user, in cPanel just go to Password Protected Directories and then click on your wp-admin folder and you should see the Create User section towards the bottom.

      I’ve also gone ahead and disabled our WordPress ModSecurity rules for your domain now that this secondary password protection is setup.

      Sorry for any issues, please let us know if you have any further problems!

      – Jacob

  31. Hello,

    This is an excellent guideline and I have taken all precautions as suggested here. I have one query though which I tried to get resolved through your mail support but could not get satisfactory answer and hence am posting it here:

    1. Won’t locking down the WP admin area to this extent lead to attacks on cPanel?

    2. Why are there no provisions to lock down cPanel to this extent? E.g. a provision similar to that given by the HC Custom WP-Admin URL plugin, or cascaded login where the second login will have a one-time password sent to a pre-registered email ID, or cascaded login with Google/Facebook/Stackexchange login IDs?

    3. Your representative told me that since cPanel login is done through a secured server it is not prone to attacks. I am not sure what makes this hold true. Can anyone please elaborate more?

    Thanks and Regards,

    Tekihcan

    1. The WordPress brute force attacks are targeted specifically at WordPress and are blindly firing at every WordPress site that their bots find, so the attackers are not going any further than WordPress at the moment as their bots are not configured to attempt multiple locations. As they are unsure of what you are running on the back end, the bots don’t even try to access any other services other than WordPress.

      Currently, cPanel does not support any form of 2-factor authentication at the moment. Although they may build it in at some point, we are unaware of any plans of them to release it. When they do, we may indeed implement it on our servers.

      We have brute force protection on all of our servers to keep cPanel secure. Repeated login attempts to cPanel will result in a blocking of the IP from the server. I cannot provide you with much more than that regarding the security practices of the servers, but rest assured that they are monitored 24/7 and we do our best to keep your information secure on the server side of things.

  32. I’m not a customer, but a client is. He’s asked me to implement your suggestions, but most either don’t work or become way too cumbersome. I hit on an easier solution.

    Create a new php script in the main folder. Name it anything you want. Inside the folder use the following code…

    <?php
    // Set the gate cookie, then send the visitor on to the real login page.
    setcookie("MyLogin", 'valid');
    header('Location: /wp-login.php');
    exit;
    ?>

    You can change “MyLogin”, actually it’s better that you do, to reduce the chance of someone spoofing the cookie.

    At the very top of wp-login.php, just below the <?php add…

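    // Stop here unless the gate cookie is present and has the expected value.
    if (!isset($_COOKIE['MyLogin']) || $_COOKIE['MyLogin'] != 'valid')
      {
      exit();
      }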

    …make sure “MyLogin” matches what you set the cookie to in the first script.

    If someone loads wp-login.php without first going to the other script and having the cookie set, then all they get is a blank page. Access the first script to log in.

    1. Hello Danny, and thank you for your suggestion.

      Implementing a Cookie check within the wp-login.php script like you’ve shown, could be a viable option for trying to ensure that an attacker doesn’t get a valid login from being able to POST to your wp-login.php script.

      Unfortunately, if your WordPress site is under a brute force attack, there will still be POST attempts sent to the wp-login.php script from the attacker. The attacker is not going to first try going to the main site, they will just directly POST to wp-login.php. So our internal ModSecurity rules could still kick in if you’re only using a cookie checking method to limit access.

      The best sure fire way we’ve seen for limiting access to your WordPress admin dashboard is to use a secondary .htaccess password and still allow requests to /wp-admin/admin-ajax.php for plugins.

      Doing it this way, a POST request can not even be attempted on the wp-login.php script from the outside, because it’s being blocked at the .htaccess level, and not allowing the request at all to come in and fire up PHP to run a cookie check to determine if it’s a valid POST attempt or not.

  33. Jacob,
    It’s Charles, but no big deal.
    I actually meant “HC Custom WP-Admin URL”, not “custom registration link”, but I couldn’t find any way to edit my comment. Please change this for others searching this forum, if possible.

    1. Hello again Charles, my apologies on the name mix-up.

      I went ahead and updated your comment, and if anyone else runs across this guide as well, I do also have another guide on the WPS Hide Login plugin that you mentioned.

      Please let us know if you find any other helpful plugins or methods for helping manage your WordPress security.

  34. I had installed the “HC Custom WP-Admin URL” WordPress plugin and have been adding additional configuration to my htaccess file over the last few days after experiencing a brute force attempt on my WordPress site.

    Unfortunately, the “HC Custom WP-Admin URL” plugin does not play nice with some other plugins, and most importantly to me, was causing the styling on my registration page to not load. I manually changed my htaccess file to address this, but it was a pain, and I know that I would probably have to replace this htaccess file any time I would update WordPress in the future.

    This morning, I found the “Better WP Security” plugin. This allows you to change your login, admin, and registration links to whatever you specify. It also works seamlessly with my other plugins and allows the registration styling to load properly. It has many configuration options that allow you to better secure your site and protect against attacks. It modifies your htaccess file cleanly in one section all from the plugin settings database and has an easy to understand, color coded dashboard that allows you to see what features you have enabled along with the protection gained from each.

    I highly recommend this plugin, and I cannot thank the author enough for writing and maintaining such an excellent tool.

    1. Hello Charles, thank you for your comment.

      I took a look at the WordPress Custom Registration Link plugin, and it does look like that could be a helpful plugin if you’re having issues with fake WordPress registration attempts, and not just logins. But please note that plugin seems to not have been updated for over 2 years, so users might experience issues with it.

      Like you mentioned the WordPress Better WP Security plugin is a great robust security plugin, in most cases it can be overkill for your general WordPress user though.

      Thanks again for your recommendations, and let us know if you run across any others.

  35. Hi
    changing the admin name does not solve anything as one can call any WordPress site by author id revealing the new admin name,
    https://yourwebsite.com/?author=1
    those are bogus and temp solutions. You need to change the admin name and disable the author pages or at least create a huge users database and hide the admin within those.
    Best regards,
    BackuPs

    1. Hello BackuPs,

      As these brute force attacks are completely bot generated, changing the admin username will indeed help as they are not checking for a username on the site, but just simply trying to log in under the username of “admin” regardless of what the actual username is.

    2. Hello BackuPs,

      As Jeff had mentioned, these brute force attacks are typically carried out by bots which won’t go the extra step of trying to discover your admin user from any author pages.

      If your admin user was ID number 1, and you wanted to block anyone from being able to call their pages at all, you could simply add this to the top of your WordPress .htaccess file:

      RewriteEngine On
      # Return 403 Forbidden when the query string starts with author=1
      RewriteCond %{QUERY_STRING} ^author=1
      RewriteRule .* - [F,L]

      This would deny any requests for example.com/?author=1 with a 403 Access Denied error.

      Ultimately it would be best to limit access to the WordPress admin dashboard altogether, so that even if someone did know your admin username they wouldn’t be able to attempt logging in.

  36. Hi, I have a really dumb problem here…

    I changed my admin password yesterday and forgot to give the new one to a guy who works with it. The guy tried to login with the old password a lot of times and now the account is blocked for 24 whole hours!

    Can I do something to fix it right now? 🙁
