Title: Brute Force
Last modified: August 21, 2016

---

# Brute Force

 *  Resolved [mrppp](https://wordpress.org/support/users/mrppp/)
 * (@mrppp)
 * [12 years, 5 months ago](https://wordpress.org/support/topic/brute-force-1/)
 * If I do not have a static IP address, and I want to block all login attempts,
   i.e. I do not want anyone registering or logging in to my site (apart from me),
   should I use the following code in CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/
   BLOCK BOTS/BLOCK IP/REDIRECT CODE?
 *     ```
       # Protect wp-login.php from Brute Force Login Attacks based on Server Protocol or IP
       # All legitimate humans and bots should be using Server Protocol HTTP/1.1
       RewriteCond %{REQUEST_URI} ^/wp-login\.php$
       RewriteCond %{THE_REQUEST} HTTP/1\.0 [OR]
       RewriteCond %{REMOTE_ADDR} !^xxx\.xxx\.xxx\.$
       RewriteRule ^(.*)$ - [F,L]
       ```
   
 * [http://wordpress.org/plugins/bulletproof-security/](http://wordpress.org/plugins/bulletproof-security/)

Viewing 11 replies - 1 through 11 (of 11 total)

 *  Thread Starter [mrppp](https://wordpress.org/support/users/mrppp/)
 * (@mrppp)
 * [12 years, 5 months ago](https://wordpress.org/support/topic/brute-force-1/#post-4425508)
 * maybe not 403 Forbidden Error Page on logout
 * maybe this remove the ip address seems to work
 *     ```
       # Protect wp-login.php from Brute Force Login Attacks based on Server Protocol
       # All legitimate humans and bots should be using Server Protocol HTTP/1.1
       RewriteCond %{REQUEST_URI} ^/wp-login\.php$
       RewriteCond %{THE_REQUEST} HTTP/1\.0
       RewriteRule ^(.*)$ - [F,L]
       ```
   
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [12 years, 5 months ago](https://wordpress.org/support/topic/brute-force-1/#post-4425560)
 * Source: [http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/](http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/)
 * > ```
   > # Add your Public IP Address using 2 or 3 octets so that if/when
   > # your IP address changes it will still be in your subnet range. If you
   > # have a static IP address then use all 4 octets.
   > # Examples: 2 octets: 65.100. 3 octets: 65.100.50. 4 octets: 65.100.50.1
   > Allow from 65.100.50.
   > ```
 *  Thread Starter [mrppp](https://wordpress.org/support/users/mrppp/)
 * (@mrppp)
 * [12 years, 5 months ago](https://wordpress.org/support/topic/brute-force-1/#post-4425561)
 * So use
 *     ```
       # Protect wp-login.php from Brute Force Login Attacks based on Server Protocol or IP
       # All legitimate humans and bots should be using Server Protocol HTTP/1.1
       RewriteCond %{REQUEST_URI} ^/wp-login\.php$
       RewriteCond %{THE_REQUEST} HTTP/1\.0 [OR]
       RewriteCond %{REMOTE_ADDR} !^xxx\.xxx\.xxx\.$
       RewriteRule ^(.*)$ - [F,L]
       ```
   
 * and this bit `RewriteCond %{REMOTE_ADDR} !^xxx\.xxx\.xxx\.$`
 * as you mention above use two octets
 *  Thread Starter [mrppp](https://wordpress.org/support/users/mrppp/)
 * (@mrppp)
 * [12 years, 5 months ago](https://wordpress.org/support/topic/brute-force-1/#post-4425562)
 *     ```
       # Protect wp-login.php from Brute Force Login Attacks based on IP Address
       <FilesMatch "^(wp-login\.php)">
       Order Allow,Deny
       # Add your website domain name
       Allow from example.com
       # Add your website/Server IP Address
       Allow from 69.200.95.1
       # Add your Public IP Address using 2 or 3 octets so that if/when
       # your IP address changes it will still be in your subnet range. If you
       # have a static IP address then use all 4 octets.
       # Examples: 2 octets: 65.100. 3 octets: 65.100.50. 4 octets: 65.100.50.1
       Allow from 65.100.50.
       </FilesMatch>
       ```
   
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [12 years, 5 months ago](https://wordpress.org/support/topic/brute-force-1/#post-4425564)
 * You can use the original code you posted and then use either 2 or 3 octets depending
   on how many octets your ISP dynamically changes in your IP address. Usually you
   can use 3 octets and the 4th octet is the only thing that changes.
 *  Thread Starter [mrppp](https://wordpress.org/support/users/mrppp/)
 * (@mrppp)
 * [12 years, 5 months ago](https://wordpress.org/support/topic/brute-force-1/#post-4425565)
 * this gave a 403 error
 *     ```
       # Protect wp-login.php from Brute Force Login Attacks based on Server Protocol or IP
       # All legitimate humans and bots should be using Server Protocol HTTP/1.1
       RewriteCond %{REQUEST_URI} ^/wp-login\.php$
       RewriteCond %{THE_REQUEST} HTTP/1\.0 [OR]
       RewriteCond %{REMOTE_ADDR} !^xxx\.xxx\.xxx\.$
       RewriteRule ^(.*)$ - [F,L]
       ```
   
 * but this was ok
 *     ```
       # Protect wp-login.php from Brute Force Login Attacks based on Server Protocol or IP
       # All legitimate humans and bots should be using Server Protocol HTTP/1.1
       RewriteCond %{REQUEST_URI} ^/wp-login\.php$
       RewriteCond %{THE_REQUEST} HTTP/1\.0 [OR]
       RewriteRule ^(.*)$ - [F,L]
       ```
   
 * Is the latter what you refer to as Server Protocol based Brute Force Login Protection
   code?
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [12 years, 5 months ago](https://wordpress.org/support/topic/brute-force-1/#post-4425568)
 * Did you add your IP address?
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [12 years, 5 months ago](https://wordpress.org/support/topic/brute-force-1/#post-4425569)
 * This is the code we use on several testing websites. You do not even need to 
   use the Server Protocol condition if you are blocking by IP address since only
   your IP address range is allowed to access the Login page.
 *     ```
       # Protect wp-login.php from Brute Force Login Attacks
       <FilesMatch "^(wp-login\.php)">
       Order Allow,Deny
       # Add your Domain
       Allow from ait-pro.com
       # Add your Server/Website IP Address
       Allow from 173.201.92.1
       # Add your Public/ISP IP Address
       Allow from x.x.x.
       </FilesMatch>
       ```
   
 *  Thread Starter [mrppp](https://wordpress.org/support/users/mrppp/)
 * (@mrppp)
 * [12 years, 5 months ago](https://wordpress.org/support/topic/brute-force-1/#post-4425570)
 * Thanks, so `Allow from 173.201.92.1` is my server IP (IP obviously different)
 * and this `Allow from x.x.x.` my IP with two or three octets,
   say e.g. `Allow from 31.53.`
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [12 years, 5 months ago](https://wordpress.org/support/topic/brute-force-1/#post-4425572)
 * Yes, that is our Server/Website IP address. Add your Server/Website IP address
   instead. You will find that on the BPS System Info page.
 * Yes, that is 2 octets.
 *  Thread Starter [mrppp](https://wordpress.org/support/users/mrppp/)
 * (@mrppp)
 * [12 years, 5 months ago](https://wordpress.org/support/topic/brute-force-1/#post-4425573)
 * thanks will try that out


The topic ‘Brute Force’ is closed to new replies.
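An added example, not part of the thread and not BulletProof Security's code: a small Python model of the two access rules discussed above, for checking an allowlist entry before putting it in `.htaccess`. It shows that a `REMOTE_ADDR` pattern ending in `\.$` after three octets cannot match any four-octet address, so the negated condition forbids every client, and it counts how many addresses a 2-, 3- or 4-octet `Allow from` entry admits. The function names, the sample client `65.100.50.7` and the octet-boundary matching in `allow_from_matches` are assumptions made for the illustration.

```python
import ipaddress
import re

URI_RE = re.compile(r"^/wp-login\.php$")   # RewriteCond %{REQUEST_URI}
PROTO_RE = re.compile(r"HTTP/1\.0")        # RewriteCond %{THE_REQUEST}


def rewrite_forbids(uri, request_line, remote_addr, ip_pattern):
    """Model the thread's rule: URI AND (HTTP/1.0 OR NOT ip_pattern) => [F]."""
    if not URI_RE.search(uri):
        return False
    old_protocol = PROTO_RE.search(request_line) is not None
    ip_not_listed = re.search(ip_pattern, remote_addr) is None
    return old_protocol or ip_not_listed


def _octets(partial):
    """Split a partial address such as '65.100.50.' into validated octets."""
    parts = [p for p in partial.split(".") if p]
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() and int(p) < 256 for p in parts):
        raise ValueError(f"not a partial IPv4 address: {partial!r}")
    return [int(p) for p in parts]


def allow_from_matches(partial, remote_addr):
    """Assumed semantics: match on whole leading octets, not on a string prefix."""
    want = _octets(partial)
    have = list(ipaddress.IPv4Address(remote_addr).packed)
    return have[: len(want)] == want


def allow_from_size(partial):
    """How many IPv4 addresses a partial 'Allow from' entry lets through."""
    return 256 ** (4 - len(_octets(partial)))


if __name__ == "__main__":
    # Constructed sample: a client inside the page's example range 65.100.50.
    req = ("/wp-login.php", "POST /wp-login.php HTTP/1.1", "65.100.50.7")
    print(rewrite_forbids(*req, r"^65\.100\.50\.$"))  # trailing $ locks owner out
    print(rewrite_forbids(*req, r"^65\.100\.50\."))   # prefix pattern lets owner in
    for entry in ("65.100.", "65.100.50.", "65.100.50.1"):
        print(entry, allow_from_size(entry))
```

A 2-octet entry keeps the owner's login working across wider ISP address changes, but it also leaves the login page reachable from every other host in that range.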

 * 11 replies
 * 2 participants
 * Last reply from: [mrppp](https://wordpress.org/support/users/mrppp/)
 * Last activity: [12 years, 5 months ago](https://wordpress.org/support/topic/brute-force-1/#post-4425573)
 * Status: resolved