Brute force attack

  • Moderator James Huff


    Brute-force attacks last for a while, but never forever. I have mitigated most of the ones directed towards me with the following in my .htaccess file:

    <IfModule mod_rewrite.c>
    	RewriteEngine On
    	RewriteCond %{REQUEST_METHOD} POST
    	RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login)\.php*
    	RewriteCond %{HTTP_REFERER} !.*(|* [OR]
    	RewriteCond %{HTTP_USER_AGENT} ^$
    	RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]
    </IfModule>

    Just replace “” with your domain, and if you aren’t using Jetpack Comments, remove “|”.

    This prevents bots from directly hitting wp-login.php and wp-comments-post.php, which is how most bot-based brute-force and comment-spam attacks are carried out.

    You can add additional protection with brute-force plugins, like

    A word of warning, start with the .htaccess change. If you put the full load of the brute-force attack on a plugin, you will actually be doing more harm than good, as WordPress must now process every attempt to decide if it is brute-force. If you start with the .htaccess change, you will block most brute-force attacks at the gates and leave the plugin to catch any that got through.
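To preview what the .htaccess rule in the reply above would do before deploying it, the rule's conditions can be replayed over an access log. This is an added example, not code from the thread: the function names, the `example.com` placeholder domain, and the sample log lines (Apache "combined" format) are assumptions constructed for illustration.

```python
import re

SITE_DOMAIN = "example.com"  # assumption: placeholder for your own domain

# Apache "combined" log line: ip - user [time] "METHOD uri proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
TARGET_URI = re.compile(r".(wp-comments-post|wp-login)\.php*")  # pattern from the post


def header(value):
    """Apache logs a missing header as "-"; treat that as empty."""
    return "" if value == "-" else value


def would_redirect(line, domain=SITE_DOMAIN):
    """True if the rule set would redirect this logged request; None if unparseable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    is_post = m["method"] == "POST"
    hits_target = TARGET_URI.search(m["uri"]) is not None
    # [OR] binds tighter than the implicit AND between RewriteCond lines:
    # POST AND target URI AND (Referer lacks the domain OR User-Agent is empty)
    foreign_referer = domain not in header(m["referer"])
    empty_agent = header(m["agent"]) == ""
    return is_post and hits_target and (foreign_referer or empty_agent)


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    # Login form submitted from the site's own login page
    '192.0.2.10 - - [10/Mar/2024:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"',
    # Direct POST with no Referer (script, or a browser that suppresses Referer)
    '198.51.100.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"',
    # Own-domain Referer but empty User-Agent
    '198.51.100.8 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-comments-post.php HTTP/1.1" 200 512 "https://example.com/post/" ""',
    # GET of the login page is never touched by the rule
    '192.0.2.11 - - [10/Mar/2024:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(would_redirect(entry), entry.split('"')[1])
```

Running it over a real access log shows which past logins and comment posts would have been redirected, including legitimate ones from browsers that send no Referer.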

    Good advice @mac
    After you have addressed .htaccess you need to add a security plugin.

    There are many security plugins like “wordfence” and “All in one WordPress security” among others that help with brute force attacks. Suggest that you install one of these. My experience with attacks is that they come in cycles, you run hot, then you run cold.

    Thank you for your help. If I use this .htaccess code, will I need to log in myself in a different way?

    Also I installed Sucuri, that’s how I know I’m getting so many failed logins.

    Moderator James Huff


    Yes, make sure you log in from and don’t go to wp-login.php directly, sorry for not mentioning that!
