Protect your WordPress Login against Brute-Force Attack for customers with Linux VPS with Plesk

For all of our customers that have Linux VPS with Plesk, below you can find how to further protect your WordPress site by creating an additional barrier to your wp-login page.wordpress-secure

1. The first step is to create a user that will have access to your wp-login page. These login details are created in the ‘pd’ directory of your domain since all the passwords should be created there.

In order to create this user, log in to your VPS via SSH as root and write in the command line:

htpasswd -c /var/www/vhosts/yourdomain/pd/.htpasswd wpuser

use ‘-c’ only if the file is not existing or you want to overwrite the information in it. If you want to add more users to this file, you can use the same command, but without the ‘-c’:

htpasswd /var/www/vhosts/yourdomain/pd/.htpasswd wpuser1

After you hit ‘Enter’, you will be asked to enter the password. Since the idea of this additional layer is to protect your site, make sure you choose a strong password. You should see the following lines in a sequential order (after you have entered the required information and have pressed ‘Enter’):

New password:
Re-type new password:
Adding password for user wpuser

2. The second step is to modify the .htaccess file for WordPress in order to specify which user will have access to the wp-login page.

With the command below, even if the file is not existing, it will be created.

nano /var/www/vhosts/yourdomain/httpdocs/wordpress/.htaccess

* Instead of nano you can use any other text editor that you feel comfortable with.

Make sure that you have pointed the correct path to your wordpress folder in the path above. Once you have opened the .htaccess file, you should replace the existing content, if any, with the one provided below.

<Files “wp-login.php”>
AuthType Basic
AuthName “WordPress Login
AuthUserFile “/var/www/vhosts/yourdomain/pd/.htpasswd”
require valid-user

This will indicate that for the file wp-login only the users in the .htpasswd file are eligible to have access. Save this file and you should be prompted to enter the login details you have just created when you try to access your WordPress admin area. That’s it! Two easy steps and your admin area is protected with additional shield.

Your comments are always welcomed, so please share them with us in the section below.


MH Support Team

Leave a Reply

You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.