Title: Secure WP-Login.php
Last modified: August 30, 2016

---

# Secure WP-Login.php

 *  Resolved [BLichtenwalner](https://wordpress.org/support/users/blichtenwalner/)
 * (@blichtenwalner)
 * [10 years, 5 months ago](https://wordpress.org/support/topic/secure-wp-loginphp/)
 * Great plugin – thank you for providing this, AIT Pro!
   I’m sure I just missed this somewhere, but I searched all over and can’t find
   the solution.
    - **Problem:** Admin account is constantly locked by brute force attackers.
    - **Solutions Tried:** I successfully secured the wp-admin folder. However,
      it seems the attackers bypass it by hitting wp-login.php directly.
 * Question: How can I secure the wp-login.php file with an extra layer, such as
   you’ve suggested for the wp-admin folder?
 * [https://wordpress.org/plugins/bulletproof-security/](https://wordpress.org/plugins/bulletproof-security/)

Viewing 10 replies - 1 through 10 (of 10 total)

 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [10 years, 5 months ago](https://wordpress.org/support/topic/secure-wp-loginphp/#post-6818408)
 * Are you using the WordPress default “admin” Administrator user account? All spambots
   and hackerbots try to Brute Force Login attack the WordPress default “admin” 
   Administrator user account first. If you are using the default “admin” user account
   then create a new WordPress Administrator user account, log out of your site,
   login with that new Administrator user account and delete the default “admin”
   user account. IMPORTANT: Be sure to associate all Posts with your new Administrator
   user account or they will be deleted.
 * Things you can do to protect publicly displayed usernames, not exposing author
   names/user account names, etc.
    [http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/](http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/)
   [http://forum.ait-pro.com/forums/topic/user-account-locked/](http://forum.ait-pro.com/forums/topic/user-account-locked/)
   [http://forum.ait-pro.com/forums/topic/revealing-the-admin-or-editor-user-name-and-not-knowing/](http://forum.ait-pro.com/forums/topic/revealing-the-admin-or-editor-user-name-and-not-knowing/)
   [http://forum.ait-pro.com/forums/topic/wordpress-author-enumeration-bot-probe-protection-author-id-user-id/](http://forum.ait-pro.com/forums/topic/wordpress-author-enumeration-bot-probe-protection-author-id-user-id/)
 *  Thread Starter [BLichtenwalner](https://wordpress.org/support/users/blichtenwalner/)
 * (@blichtenwalner)
 * [10 years, 5 months ago](https://wordpress.org/support/topic/secure-wp-loginphp/#post-6818496)
 * Thanks for the quick reply, but no I am not using the default account. I created
   my own. Clearly their scripts have found that one so I may create a new account.
   However, I’d like to block them from even being able to hit the wp-login.php 
   without being challenged, like we can do with the wp-admin folder. Is that possible?
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [10 years, 5 months ago](https://wordpress.org/support/topic/secure-wp-loginphp/#post-6818503)
 * Are you the only person who logs into this site? Do you allow anyone to register,
   login and post comments on your site?
 *  Thread Starter [BLichtenwalner](https://wordpress.org/support/users/blichtenwalner/)
 * (@blichtenwalner)
 * [10 years, 5 months ago](https://wordpress.org/support/topic/secure-wp-loginphp/#post-6818552)
 * It’s pretty much just me. Occasionally I grant others access, but it’s rare. 
   Comments are all done through Disqus.
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [10 years, 5 months ago](https://wordpress.org/support/topic/secure-wp-loginphp/#post-6818553)
 * Not sure if Disqus needs access to your login page or not so that could be a 
   problem if you use this method/code below. Whitelisting/allowing only certain
   IP addresses to access your Login page by IP address means that only the IP addresses
   that you whitelist/allow will be able to view/access your Login page.
 * Source: [http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/](http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/)
 *     ```
       # Protect wp-login.php from Brute Force Login Attacks based on IP Address
       <FilesMatch "^(wp-login\.php)">
       Order Allow,Deny
       # Add your Public IP Address using 2 or 3 octets so that if/when
       # your IP address changes it will still be in your subnet range. If you
       # have a static IP address then use all 4 octets.
       # Examples: 2 octets: 65.100. 3 octets: 65.100.50. 4 octets: 65.100.50.1
       Allow from 65.100.50.
       </FilesMatch>
       ```
   
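Added example (mine, not code from the thread or from the BPS plugin): a small Python check of which client addresses an `Allow from` prefix like the one above admits. Apache reads a partial IPv4 address as a subnet on an octet boundary (`65.100.50.` is `65.100.50.0/24`, `65.100.` is `65.100.0.0/16`, four octets is a single host), so the script reproduces that rule and lets you confirm your own address is inside the range before the rule goes live, which is the lockout the octet advice in the snippet is guarding against. The client addresses are constructed sample data.

```python
import ipaddress


def partial_ip_to_network(partial: str) -> ipaddress.IPv4Network:
    """Map Apache's partial-IPv4 'Allow from' syntax to the CIDR block it matches.

    Apache's rule: 1 to 3 leading octets (a trailing dot is accepted) select a
    whole subnet on an octet boundary; 4 octets select one host.
      '65.100.'     -> 65.100.0.0/16
      '65.100.50.'  -> 65.100.50.0/24
      '65.100.50.1' -> 65.100.50.1/32
    """
    octets = partial.strip().rstrip(".").split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"expected 1-4 octets, got {partial!r}")
    for octet in octets:
        if not octet.isdigit() or not 0 <= int(octet) <= 255:
            raise ValueError(f"bad octet {octet!r} in {partial!r}")
    padded = octets + ["0"] * (4 - len(octets))
    prefix_len = 8 * len(octets)
    return ipaddress.ip_network(f"{'.'.join(padded)}/{prefix_len}", strict=True)


def decide(client_ip: str, allow_from: list[str]) -> str:
    """Emulate 'Order Allow,Deny' with only Allow lines: unmatched clients are denied.

    An IPv6 client never matches an IPv4 prefix, so it is denied as well.
    """
    addr = ipaddress.ip_address(client_ip)
    if any(addr in partial_ip_to_network(prefix) for prefix in allow_from):
        return "Allow"
    return "Deny"


def lockout_risk(my_ips: list[str], allow_from: list[str]) -> list[str]:
    """Return the addresses you log in from that the rule would shut out."""
    return [ip for ip in my_ips if decide(ip, allow_from) == "Deny"]


# Constructed sample data: the prefix from the .htaccess snippet and a few clients.
ALLOW_FROM = ["65.100.50."]
SAMPLE_CLIENTS = ["65.100.50.1", "65.100.50.254", "65.100.51.7",
                  "203.0.113.9", "2001:db8::1"]

if __name__ == "__main__":
    for ip in SAMPLE_CLIENTS:
        print(f"{ip:>16}  {decide(ip, ALLOW_FROM)}")
    # Before saving the rule, list every address you actually log in from
    # (constructed values here) and make sure this comes back empty.
    print("locked out:", lockout_risk(["65.100.50.20", "198.51.100.4"], ALLOW_FROM))
```

Run it with the prefixes you intend to put in the rule and the addresses you log in from; any address reported as locked out means you would be blocked from your own login page once the rule is active.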
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [10 years, 5 months ago](https://wordpress.org/support/topic/secure-wp-loginphp/#post-6818554)
 * Steps to add the IP based Login page protection code above to BPS Custom Code:

   1. Add whichever Brute Force Login Protection Code you want to use in this BPS
      Root Custom Code text box: CUSTOM CODE BRUTE FORCE LOGIN PAGE PROTECTION:
   2. Click the Save Root Custom Code button
   3. Go to the Security Modes page, click the Create secure.htaccess File AutoMagic
      button and activate Root Folder BulletProof Mode again.
 *  Thread Starter [BLichtenwalner](https://wordpress.org/support/users/blichtenwalner/)
 * (@blichtenwalner)
 * [10 years, 5 months ago](https://wordpress.org/support/topic/secure-wp-loginphp/#post-6818555)
 * Thanks! I’m sure this will work. Unfortunately, I am mobile a lot – often on 
   the road. So I’d rather not leave it to whitelist. Is there no way to password
   protect wp-login.php?
 * Sorry if I am being difficult… 🙂
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [10 years, 5 months ago](https://wordpress.org/support/topic/secure-wp-loginphp/#post-6818557)
 * I understand what you are looking for, but technically wp-login.php is the password
   protection form to get into the wp-admin folder/WP Dashboard. In other words,
   they are one and same thing. ie you cannot get into wp-admin without first entering
   login credentials into the wp-login.php password protection form.
 * Have you tried the simplest method of creating an additional WordPress Administrator
   user account and ONLY using it for logging into your website and nothing else?
   That usually works to prevent that Admin account from ever being locked since
   that Admin account is not exposed or displayed publicly on the frontend of your
   website as long as you NEVER use that Admin account to post a comment or create
   a Post or Page.
 * A CAPTCHA usually stops most if not all automated bot login processing, but not
   all CAPTCHAs/CAPTCHA plugins are effective. We use BPS Pro JTC Anti-Spam|Anti-Hacker,
   which is a CAPTCHA feature and some other things that is 100% effective
   at blocking 100% of all bots. So due to a conflict of interest I cannot recommend
   another CAPTCHA plugin for you to try.
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [10 years, 5 months ago](https://wordpress.org/support/topic/secure-wp-loginphp/#post-6818615)
 * Did this answer all of your questions? If so, please resolve this thread. If 
   not, please post any additional questions you may have. Thanks.
 * Thread Start Date: 12-5-2015
   Current Date: 12-9-2015
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [10 years, 5 months ago](https://wordpress.org/support/topic/secure-wp-loginphp/#post-6818626)
 * Assuming all questions have been answered – thread has been resolved. If you 
   have additional questions about this specific thread topic then you can post 
   them at any time. We still receive email notifications when threads have been
   resolved.
 * Thread Start Date: 12-5-2015
   Thread Resolved/Current Date: 12-10-2015

The topic ‘Secure WP-Login.php’ is closed to new replies.

## Tags

 * [BPS](https://wordpress.org/support/topic-tag/bps/)

 * 10 replies
 * 2 participants
 * Last reply from: [AITpro](https://wordpress.org/support/users/aitpro/)
 * Last activity: [10 years, 5 months ago](https://wordpress.org/support/topic/secure-wp-loginphp/#post-6818626)
 * Status: resolved