Defeat wp-login.php Brute Force Attack Using Cloudflare & .htaccess

In dealing WordPress Login (wp-login.php) brute force attack, previously, I recommend changing username & password as mentioned in WordPress Brute Force Attack – Change Username/Login ID post.

It does help to prevent the hacker to gain access, but the attack caused another problem as it consumed a large amount of server resources. Plugins such as Brute Force Login Protection may assist you to block the IPs after a number of wrong attempts. However, some of the hackers have large numbers of IPs, from hundreds to thousands of IPs. I encounter this problem & really taxing my server resources similar to DDOS attack.

While looking for better alternative to solve this problem, I found out that if you are using Cloudflare, the request headers contain the country code of the visitor’s origin. The header I’m talking about is the “HTTP_CF_IPCOUNTRY”.

What you to do is to allow only visitors from certain country to access “wp-login.php” file by using “HTTP_CF_IPCOUNTRY” header  and “.htaccess” file.

The example below is only allow visitors from United States & Canada. Change the country code in the third line to make it applicable to your locations.

 <FilesMatch "wp-login.php">
  RewriteEngine on
  RewriteCond %{HTTP:CF-IPCOUNTRY} !^(US|CA)$
  RewriteRule ^ - [F,L]

Redirect Default CakePHP Pagination URL to SEO Friendly URL with .htaccess

In the previous post, I post a guide on how to create SEO friendly URL in CakePHP pagination.

However, if you already use default CakePHP pagination prior to that, you want to redirect the old pagination URL to the new SEO friendly URL.

I’m using .htaccess file to accomplish this.

Let’s take an example, by default we will have pagination URL like this


we would like to redirect to


To redirect, we have to edit .htaccess file located at /app/webroot/.htaccess. Next, add the following code.

RewriteEngine On
RewriteBase /
RewriteRule ^(.+)/page:([0-9]+)/$ /$1/page/$2/ [R=301,L]