Brute Force

Defeat wp-login.php Brute Force Attack By Whitelist IP in .htaccess

For dealing with WordPress login (wp-login.php) brute force attacks, I previously recommended changing the username and password, as described in the WordPress Brute Force Attack – Change Username/Login ID post.

Cloudflare users can instead block the login page for visitors from every country except their own, as described in Defeat wp-login.php Brute Force Attack Using Cloudflare & .htaccess. That method has limitations, though: you must be using Cloudflare, and it only helps when few of the attacks originate from your own country.

Another method is to whitelist your own IP address. If your IP is dynamic, find out the address range your ISP assigns from (a whois lookup on your current address shows the range) and whitelist that range instead; it admits more addresses than a single IP, but still shuts out the rest of the Internet.

Then add the block below to the “.htaccess” file in your WordPress root and replace “allow from XXX.XXX.XXX.XXX/XX” (and the lines after it) with your own addresses or CIDR ranges, one per line. Two caveats: the order/deny/allow directives are Apache 2.2 syntax, which Apache 2.4 accepts only if mod_access_compat is loaded (the native 2.4 form is one “Require ip <range>” line per range, with no deny line needed); and if the site sits behind Cloudflare or another reverse proxy, Apache sees the proxy's address rather than the visitor's unless mod_remoteip restores the real client IP, in which case the whitelist locks everyone out, you included.

<FilesMatch "wp-login.php">
 # deny rules are evaluated first, then allow rules; a matching allow wins
 order deny,allow
 # refuse every client ...
 deny from all
 # ... except these address ranges (replace with your own)
 allow from XXX.XXX.XXX.XXX/XX
 allow from YYY.YYY.YYY.YYY/YY
 allow from ZZZ.ZZZ.ZZZ.ZZZ/ZZ
</FilesMatch>

Defeat wp-login.php Brute Force Attack Using Cloudflare & .htaccess

For dealing with WordPress login (wp-login.php) brute force attacks, I previously recommended changing the username and password, as described in the WordPress Brute Force Attack – Change Username/Login ID post.

That does stop the attacker from gaining access, but the attack itself causes another problem: the flood of login attempts consumes a large amount of server resources. Plugins such as Brute Force Login Protection can block an IP after a number of failed attempts. However, some attackers control large numbers of IPs, from hundreds to thousands, so blocking one address at a time barely slows them down. I encountered this problem, and it really taxed my server resources, similar to a DDoS attack.

While looking for a better alternative to solve this problem, I found out that if you are using Cloudflare, the request headers contain the country code of the visitor's origin. The header is “CF-IPCountry”; Apache exposes it to scripts as the “HTTP_CF_IPCOUNTRY” variable and to mod_rewrite as %{HTTP:CF-IPCountry}. Cloudflare adds it only to requests that pass through its proxy, and only while IP Geolocation is enabled in the Cloudflare dashboard, so check that setting first.

What you do is allow only visitors from certain countries to reach the “wp-login.php” file, by testing the “CF-IPCountry” header in the “.htaccess” file.

The example below only allows visitors from the United States and Canada and answers everyone else with 403 Forbidden. Change the country codes in the RewriteCond line to match your own location; Cloudflare sends two-letter ISO 3166-1 codes, plus “XX” when the country is unknown and “T1” for Tor exit nodes, neither of which will match a list of real countries. Because the condition is negated, a request with no CF-IPCountry header at all (one that reached the origin directly instead of through Cloudflare) is refused too, so the rule fails closed. The reverse does not hold: a client that can reach the origin directly can forge the header, so also restrict the origin so that only Cloudflare's published IP ranges can connect to it. mod_rewrite directives belong at the top level of a per-directory .htaccess file (their context is the directory, not a <FilesMatch> section), so the rule selects the file by matching its name in the RewriteRule pattern instead; put it above the standard WordPress rewrite block.

# goes in the WordPress root .htaccess, above the standard WordPress rewrite block
RewriteEngine on
# CF-IPCountry is the two-letter country code Cloudflare adds to proxied requests;
# it expands to an empty string when absent, so such requests are refused as well
RewriteCond %{HTTP:CF-IPCountry} !^(US|CA)$
# answer 403 Forbidden for wp-login.php unless the country matched
RewriteRule ^wp-login\.php$ - [F,L]
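As an added example (not code from the original post), the Python below plays the rule above against sample requests, including the fail-closed case with no header, and then shows the one case the rule alone cannot catch: a client that reaches the origin directly and forges CF-IPCountry. The “edge” network and all client addresses are constructed placeholders (the real edge list is published at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6); the hardened variant only honours the header when the connecting peer is an edge address, which is what locking the origin down to Cloudflare's ranges achieves at the network or web-server level.

```python
"""Added example, not part of the original post: emulate
  RewriteCond %{HTTP:CF-IPCountry} !^(US|CA)$
  RewriteRule ^wp-login\\.php$ - [F,L]
over sample requests, and show why the origin must also be restricted to
Cloudflare's edge ranges. EDGE_NETS and all client addresses are constructed
documentation ranges, not Cloudflare's real list."""
import ipaddress
import re

# The country list from the .htaccess rule above; Cloudflare sends upper-case codes
ALLOWED_COUNTRIES = re.compile(r"^(US|CA)$")

# Constructed placeholder: stands in for Cloudflare's published edge networks
EDGE_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def country_rule_status(path, headers):
    """Apache's view of the rule. The RewriteRule pattern is matched against
    the path relative to the .htaccess directory, so only wp-login.php at the
    site root is guarded. %{HTTP:CF-IPCountry} expands to "" when the header
    is absent; the negated regex then matches and the request is refused,
    which is the fail-closed case. Header lookup is case-insensitive."""
    if not re.fullmatch(r"wp-login\.php", path.lstrip("/")):
        return 200
    value = next((v for k, v in headers.items() if k.lower() == "cf-ipcountry"), "")
    return 200 if ALLOWED_COUNTRIES.match(value) else 403


def hardened_status(path, headers, peer_ip):
    """Same rule, but CF-IPCountry is trusted only when the TCP peer is a
    Cloudflare edge address; a direct-to-origin request has the header
    discarded first. In production this is done by firewalling the origin to
    Cloudflare's ranges, or with mod_remoteip (RemoteIPHeader CF-Connecting-IP
    plus RemoteIPTrustedProxy for the edge ranges) so Apache sees the real
    client address. Assumed setup, not something the original post describes."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in EDGE_NETS):
        headers = {k: v for k, v in headers.items() if k.lower() != "cf-ipcountry"}
    return country_rule_status(path, headers)


if __name__ == "__main__":
    cases = [  # constructed requests: (label, path, headers, connecting address)
        ("via edge, Canadian visitor", "/wp-login.php", {"CF-IPCountry": "CA"}, "192.0.2.10"),
        ("via edge, other country", "/wp-login.php", {"CF-IPCountry": "DE"}, "192.0.2.10"),
        ("via edge, country unknown", "/wp-login.php", {"CF-IPCountry": "XX"}, "192.0.2.10"),
        ("direct to origin, no header", "/wp-login.php", {}, "198.51.100.7"),
        ("direct to origin, forged header", "/wp-login.php", {"CF-IPCountry": "US"}, "198.51.100.7"),
        ("via edge, other country, public page", "/index.php", {"CF-IPCountry": "DE"}, "192.0.2.10"),
    ]
    for label, path, hdrs, peer in cases:
        print(f"{label:38} rule only: {country_rule_status(path, hdrs)}"
              f"  hardened: {hardened_status(path, hdrs, peer)}")
```

The “direct to origin, forged header” case is the one to watch: the .htaccess rule alone answers 200 to it, because the header says US, and only the peer check turns that into a 403.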