Block spammers/hackers from trying to log into your WordPress

Typically you’ll see your site being blown up with requests to wp-login.php.  If you don’t have remote editors adding content, you can just block the requests from all but your IP address or network range, or ISP if you really have to open it up a bit.  You probably already have a .htaccess file in the root directory, or your wordpress install directory.  Add this:

AuthType Basic
AuthName "Wordpress"
AuthUserFile /path/to/password/file/passwordfile.txt
<Files wp-login.php>
require valid-user

You’ll need to adjust the path to the password file, named “passwordfile.txt” for simplicity in this example.  I recommend not putting the file in your document directory; i.e. if your html content goes in /var/www/html/ then create a new directory at that level, such as /var/www/data/ and put the file there.

In the file, you’ll put an encrypted username and password.  You can generate this file yourself via command line if you have that type of access to your server.  The program you’d use is htpasswd which should be present on nearly any Apache-using server.  The specific command would be:

htpasswd -c /var/www/data/passwordfile.txt username

Just change the path, filename and username to match whatever you intend on using.

If you don’t have command line access, or don’t feel comfortable with that, use this online password generator:

Just put your desired username and password and it will give you back the correct data to put in your password file.  Don’t worry about submitting that info to some random website; they have no idea where you intend to use the username and password.  For good practice, you should of course not use the same credentials you’d use anywhere else.

Leave a Reply

Your email address will not be published. Required fields are marked *