Wordpress

Defeat wp-login.php Brute Force Attack Using Cloudflare & .htaccess

When dealing with WordPress login (wp-login.php) brute force attacks, I previously recommended changing the username & password, as described in the WordPress Brute Force Attack – Change Username/Login ID post.

It does help to prevent the attacker from gaining access, but the attack causes another problem: it consumes a large amount of server resources, because every guess is still served by PHP and MySQL. Plugins such as Brute Force Login Protection can block an IP after a number of wrong attempts. However, some attackers have large numbers of IPs, from hundreds to thousands, so per-IP blocking barely helps. I encountered this problem, and it was really taxing my server resources, similar to a DDoS attack.

While looking for a better way to solve this problem, I found out that if you are using Cloudflare, the request headers contain the country code of the visitor's origin. The header I'm talking about is “CF-IPCountry”, which PHP exposes as “HTTP_CF_IPCOUNTRY”. Cloudflare only adds it when the IP Geolocation option is enabled in the dashboard.

What you need to do is allow only visitors from certain countries to access the “wp-login.php” file, using the “HTTP_CF_IPCOUNTRY” header and the “.htaccess” file. Because the check is done by Apache before WordPress runs, blocked requests never reach PHP.

The example below only allows visitors from the United States & Canada. Change the country codes in the third line to suit your locations. Note that the header is only trustworthy for requests that actually came through Cloudflare; if your origin server accepts connections from anywhere, a client connecting to it directly can send any value, so restrict the origin to Cloudflare's IP ranges as well.

<FilesMatch "wp-login.php">
  RewriteEngine on
  # Country code supplied by Cloudflare; deny unless it is on the allow-list
  RewriteCond %{HTTP:CF-IPCOUNTRY} !^(US|CA)$
  # Return 403 Forbidden and stop processing further rules
  RewriteRule ^ - [F,L]
</FilesMatch>
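As an added example, not taken from the original post, here is an expanded version of the same rule that handles two failure modes of the short version: an administrator locking themselves out when the header is absent (IP Geolocation disabled, or a request that bypassed Cloudflare), and the need to log in while travelling. The address 203.0.113.10 is a placeholder for your own trusted IP.

```apache
<FilesMatch "wp-login.php">
  RewriteEngine on
  # Exempt one trusted admin address (placeholder; replace with your own).
  # CF-Connecting-IP carries the real visitor IP behind Cloudflare; REMOTE_ADDR
  # would be a Cloudflare edge address unless mod_remoteip restores it.
  RewriteCond %{HTTP:CF-Connecting-IP} !^203\.0\.113\.10$
  # Deny when the country is not on the allow-list. A missing header is an
  # empty string, which does not match and is therefore denied as well.
  RewriteCond %{HTTP:CF-IPCOUNTRY} !^(US|CA)$
  RewriteRule ^ - [F,L]
</FilesMatch>
```

Both conditions must be true for the deny rule to fire, so the trusted address is always let through. Cloudflare sends “XX” for an unknown country and “T1” for Tor exit nodes; neither matches the allow-list, so both are denied. As with the original rule, the headers can be forged by anyone who reaches the origin without passing through Cloudflare, so this complements, rather than replaces, limiting origin traffic to Cloudflare's published IP ranges.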

How to Install WordPress?

The WordPress blogging platform is well-known for its ease of installation, even for beginners. The process is very simple and should take less than five minutes to complete.

This guide assumes you are using Linux hosting with cPanel & that you have your own domain.

Step 1:- Add Domain to your cPanel Account

  1. You may skip this step if the domain is already in your cPanel account.
  2. Log in to your cPanel.
  3. Click the Addon Domains icon.
  4. Enter your domain name, sub-domain/FTP Username & password.
  5. Remember the Document Root folder.
  6. Click Add Domain button.

Step 2:- Download & Extract WordPress Files

  1. Download the latest WordPress archive from http://wordpress.org/latest.zip to your computer.
  2. In your cPanel account, click the File Manager icon.
  3. Browse to the folder noted in STEP 1 (5) above.
  4. Click the Upload icon & upload the file downloaded in (1) above.
  5. When done, select the file & click the Extract icon.
  6. Browse to the extracted wordpress subfolder & click Select All.
  7. Click the Move icon & enter the folder noted in STEP 1 (5) above.
  8. When done, you may remove the empty wordpress subfolder.

Step 3:- Create MySQL Database

  1. In your cPanel account, click the MySQL Databases icon.
  2. Enter a database name & click the Create Database button.
  3. On the same page, scroll to the end & assign a user to the database created in (2) above.
  4. Click the Add button.
  5. Tick the All Privileges check-box & click the Make Changes button.

Step 4:- Installation

  1. Using a web browser, navigate to your domain.
  2. Click the Create Configuration File button.
  3. Click the Let’s go button.
  4. Enter the database name, username & password from STEP 3. You may leave the database host & table prefix as they are.
  5. Click the Submit button.
  6. Click the Run The Install button.
  7. Enter the Site Title, Username, Password & e-mail, & tick the Allow Search Engines to Index this site check-box.
  8. Click the Install WordPress button.
  9. Installation done.
  10. You may log in to the WordPress back-end by clicking the Log in button.
  11. Start blogging!!