Defeat wp-login.php Brute Force Attack Using Cloudflare & .htaccess

To deal with WordPress login (wp-login.php) brute force attacks, I previously recommended changing the username & password, as mentioned in the WordPress Brute Force Attack – Change Username/Login ID post.

That does help prevent the hacker from gaining access, but the attack causes another problem: it consumes a large amount of server resources. Plugins such as Brute Force Login Protection can help you block IPs after a number of wrong attempts. However, some hackers have large numbers of IPs, from hundreds to thousands. I encountered this problem, and it really taxed my server resources, similar to a DDoS attack.

While looking for a better alternative to solve this problem, I found out that if you are using Cloudflare, the request headers contain the country code of the visitor’s origin. The header I’m talking about is “HTTP_CF_IPCOUNTRY” (Cloudflare sends it as CF-IPCountry, which is the name the rule below uses).

What you need to do is allow only visitors from certain countries to access the “wp-login.php” file, using the “HTTP_CF_IPCOUNTRY” header and the “.htaccess” file.

The example below allows only visitors from the United States & Canada. Change the country codes in the third line to match your locations.

 <FilesMatch "wp-login.php">
  RewriteEngine on
  RewriteCond %{HTTP:CF-IPCOUNTRY} !^(US|CA)$
  RewriteRule ^ - [F,L]
 </FilesMatch>
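
To see how the rule above treats edge cases, here is an added example (not part of the original post) that models its two regular expressions in Python and runs them over constructed requests. The names `decide`, `run`, `SAMPLES` and the stricter file pattern are assumptions made for illustration; Apache itself is not involved.

```python
import re

# Patterns copied from the .htaccess rule on this page.
FILES_MATCH = re.compile(r"wp-login.php")   # unanchored; "." matches any character
ALLOWED = re.compile(r"^(US|CA)$")          # anchored and case-sensitive

# Hypothetical stricter file pattern, for comparison only (not from the page).
FILES_MATCH_STRICT = re.compile(r"^wp-login\.php$")


def decide(filename, headers, files_match=FILES_MATCH):
    """Model the rule: 'pass' (rule not applied), 'allow' or 'forbid' (403)."""
    if not files_match.search(filename):
        return "pass"
    # Header names are case-insensitive; a missing header expands to "".
    country = next(
        (v for k, v in headers.items() if k.lower() == "cf-ipcountry"), ""
    )
    return "allow" if ALLOWED.search(country) else "forbid"


# Constructed sample requests: (requested file, request headers).
SAMPLES = [
    ("wp-login.php", {"CF-IPCountry": "US"}),
    ("wp-login.php", {"cf-ipcountry": "CA"}),
    ("wp-login.php", {"CF-IPCountry": "DE"}),
    ("wp-login.php", {"CF-IPCountry": "us"}),      # lowercase value
    ("wp-login.php", {"CF-IPCountry": "USA"}),     # anchors reject longer values
    ("wp-login.php", {"CF-IPCountry": "XX"}),      # Cloudflare: country unknown
    ("wp-login.php", {"CF-IPCountry": "T1"}),      # Cloudflare: Tor
    ("wp-login.php", {}),                          # header absent
    ("index.php", {"CF-IPCountry": "DE"}),         # rule not applied
    ("wp-login.php.bak", {"CF-IPCountry": "DE"}),  # unanchored file pattern also matches
]


def run(files_match=FILES_MATCH):
    """Return the verdict for every constructed sample, in order."""
    return [decide(f, h, files_match) for f, h in SAMPLES]


if __name__ == "__main__":
    for (name, hdrs), verdict in zip(SAMPLES, run()):
        print(f"{name:18} {hdrs!s:28} -> {verdict}")
```

A request without the header, or with a value outside the list, is refused, so the rule fails closed. The header value is only meaningful on requests that actually came through Cloudflare, so the origin server should accept web traffic only from Cloudflare.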

Remove Update Notification for WordPress Plugins

Sometimes, you may have a reason not to update certain plugins. Maybe the plugin was heavily customized or the newer version asks you to pay to continue using it (in my case this is the reason).

Because of that, you may not want to receive notifications to update the plugins. You may accidentally update the plugins if the notification is not turned off.

To remove the update notification, add the following code to the plugin's main PHP file.

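// Hide the update notice for this plugin only (this also hides its security updates).
add_filter( 'site_transient_update_plugins', 'remove_update_nag' );
function remove_update_nag( $value ) {
    // Remove this plugin's entry from the list of pending plugin updates.
    if ( isset( $value ) && is_object( $value ) ) {
        unset( $value->response[ plugin_basename( __FILE__ ) ] );
    }
    return $value;
}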