Protect your WordPress Login against Brute-Force Attack

The solution described below (applies for All cPanel based hosting accounts) will provide you with an additional password for your wp-login page – which would increase your defense against brute force attacks significantly.

1. Log in to your cPanel and find the icon ‘Password Protect Directories’ which you can find under your Security section


2. Once you have clicked on the icon above, the following window will be shown


Make sure that you select the correct option. If you have installed your WP blog in your main domain, then select ‘Web Root’, if you have set it under an addon or subdomain, then you will have to select it from the drop down menu under ‘Document Root for’

3. When you have selected the domain where the blog is hosted, you will see a screen with the different paths


If the blog is in your public_html, then this is the path you should choose. If the blog is situated in a different folder, you will be able to see this folder under public_html and by clicking on it, you will make it the current folder. For example it might look like /public_html/blog.

4. On the bottom of the next page you will see an option to create new web user. This is the user that will have access to the wp-login page, and is preferable to select it first, and then to secure the folder. Follow the good practices of selecting a good password, when creating the password for this new web user (i.e. upper & lower case characters, at least 8 chars long, include some special symbols like %,$). In our example case we have used the Password Generator option in order to pick a password – which we highly recommend.


5. Once you create the user, the next step is to protect the directory. You do this by clicking on the ‘Password protect this directory’ option. You should choose a name, and click Save. At this point the directory becomes password protected, and there is only one small addition that should be executed in order to protect only the wp-login.php.


6. Go back to your ‘Home’ space in the cPanel and under ‘Files’ you will find your File Manager.


7. Click on it, and select the path to start with. It is recommended to choose the path closest to the folder in which you have installed your blog. Make sure that the ‘Show Hidden Files’ option is checked, since it will allow you to change your .htaccess files, which is exactly what we are going to do.


8. Find the .htaccess file for your blog, and via right click you will open the menu allowing you to make changes to the file. Click on ‘Edit’ in order to be able to edit the content of this file.


9. From the opened screen, find the following rows

AuthType Basic
AuthName “WordPress Login”
AuthUserFile “/home/yourcPanelusername/.htpasswds/public_html/passwd”
require valid-user
and replace them with

<FilesMatch “wp-login.php”>
AuthType Basic
AuthName “WordPress Login”
AuthUserFile “/home/yourcPanelusername/.htpasswds/public_html/passwd”
require valid-user

NOTE: Make sure that when you copy/paste you replace your cPanel username, path to your password file with your actual username and path to your blog.

Now try to login to your WordPress login page. You should be asked for user and password. Once you enter the login credentials you have just created in the cPanel, you will be forwarded to your login page.

Congratulations! You have just created an additional shield to your WordPress site.


MH Support Team

Leave a Reply

You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.