WordPress security: preventing brute force attacks

How to prevent WordPress brute force attacks?


Login lockdown plugins that ban by IP address are of limited use against brute force attacks, because attackers spread the attempts over many IP addresses (botnets, open proxies), so each address stays under the lockout threshold.


Don't expose wp-login.php to the whole internet.

Protect the wp-admin directory with an .htaccess password.


Check the error log in the WordPress directory and the web server access log regularly: many POST requests to wp-login.php or xmlrpc.php from the same address in a short time are the signature of a brute force attempt.
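As an added example (not from the original page), here is a small POSIX shell script that does that check over Apache combined-format access log lines: it counts POST requests to wp-login.php and xmlrpc.php per client IP, lists the addresses at or above a threshold, and prints ready-made Deny from lines in the .htaccess syntax used on this page. The log lines are constructed samples using documentation addresses, and the threshold and the log path in the comment are assumptions; on a live server you would feed it the real access log.

```shell
#!/bin/sh
# Added example, not from the original page: spot brute force attempts against
# wp-login.php / xmlrpc.php in Apache combined-format access log lines.
set -eu

# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG='203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 421 "-" "-"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 421 "-" "-"
192.0.2.10 - - [10/Oct/2023:13:57:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "https://example.com/" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:13:57:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"'

# login_post_counts LOGTEXT
# Prints "count ip path" for every client that POSTed to a login endpoint,
# most active first. Field layout of the combined format:
#   $1 client ip, $6 "METHOD (with the opening quote), $7 request path.
login_post_counts() {
  printf '%s\n' "$1" | awk '
    { sub(/\?.*/, "", $7) }                       # drop any query string
    $6 == "\"POST" && ($7 == "/wp-login.php" || $7 == "/xmlrpc.php") {
      n[$1 " " $7]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# brute_force_ips LOGTEXT THRESHOLD
# Prints the addresses with THRESHOLD or more login/xmlrpc POSTs, one per line.
brute_force_ips() {
  login_post_counts "$1" | awk -v t="$2" '$1 >= t { print $2 }' | sort -u
}

# deny_rules LOGTEXT THRESHOLD
# Emits .htaccess lines banning those addresses (Apache 2.2 Order/Deny syntax,
# matching the rest of this page).
deny_rules() {
  brute_force_ips "$1" "$2" | while read -r ip; do
    printf 'Deny from %s\n' "$ip"
  done
}

# Stand-alone run on the sample; 3 or more POSTs is the (assumed) threshold.
login_post_counts "$SAMPLE_LOG"
deny_rules "$SAMPLE_LOG" 3
# On a live server (assumed log path): login_post_counts "$(cat /var/log/apache2/access.log)"
```

The query string is stripped before matching, so wp-login.php?redirect_to=... counts like a plain login POST. As the page notes, a distributed attack spreads across many addresses, so the Deny list is a stopgap; the per-address counts are mainly useful for confirming that an attack is under way and which endpoint it hits.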


Block brute force attacks through xmlrpc.php


Renaming xmlrpc.php stops the attempts, but every request then produces a 404 error in the access and error logs. Blocking the file in .htaccess is cleaner (note that Jetpack and the WordPress mobile apps need XML-RPC, so skip this if you use them):

<FilesMatch "^xmlrpc\.php$">
Order Deny,Allow
Deny from all
</FilesMatch>


Block xmlrpc.php and requests with no referer

Block POST requests that carry no referer (or an empty user agent) with mod_rewrite in .htaccess (Apache). Replace chagewithyour.com with your own domain:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} (wp-comments-post|wp-login)\.php
RewriteCond %{HTTP_REFERER} !.*chagewithyour\.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://%{REMOTE_ADDR}/$1 [R=301,L]
</IfModule>

Limiting the rule to POST requests blocks automated form submissions (password guessing, comment spam, attempts to inject malicious scripts) while you can still open the login page by typing its URL, which sends no referer. Referer and user agent are set by the client, so a targeted attacker can fake them; this stops the bulk of unsophisticated bots, not a determined one.

The mod_evasive (mod_evasive20) Apache module rate-limits requests per client IP and will also cut off a bot that hammers xmlrpc.php.


Allow login access only from your own IP

Allow logins only from your own workstation if your ISP gives you a static IP address. With a dynamic address you can allow your ISP's hostname instead (look up the hostname for your address with an online host-to-IP lookup), or allow the whole subnet your address comes from. To find your current address, search for "what is my IP".


Add this to the .htaccess file (the Order/Deny/Allow syntax is Apache 2.2; on Apache 2.4 it needs mod_access_compat, or use Require all denied and Require ip instead):

<FilesMatch "wp-login.php">
Order Deny,Allow
Deny from all
# your static IP address (203.0.113.5 is a placeholder)
Allow from 203.0.113.5
</FilesMatch>

Addresses in one subnet share the leading octets and differ only in the last ones, so you can allow the whole range with a prefix or CIDR notation, e.g. Allow from 203.0.113 or Allow from 203.0.113.0/24.

Allow from a dynamic IP via the ISP hostname

<FilesMatch "wp-login.php">
Order Deny,Allow
Deny from all
Allow from .isp.example.com
</FilesMatch>

A leading dot matches any host name ending in that domain. To check it, Apache has to do a reverse DNS lookup and a forward lookup on every request to wp-login.php, which is slow and fails if your ISP's reverse DNS is missing or inconsistent.


Limit access to the wp-admin folder


Put the same Order/Deny/Allow lines in a .htaccess file inside wp-admin, without the FilesMatch wrapper so they apply to the whole directory. Keep wp-admin/admin-ajax.php reachable (a <Files admin-ajax.php> section with Order Allow,Deny and Allow from all), because themes and plugins call it from the public pages of the site.


.htaccess password protection for wp-login.php

First make sure the .htaccess and .htpasswd files themselves are never served:

<Files ~ "^\.ht">
Order Allow,Deny
Deny from all
</Files>

<Files wp-login.php>
AuthType Basic
AuthName "Private access"
AuthUserFile /absolute/path/to/.htpasswd
Require user green
</Files>


The password file can be anywhere the web server can read, preferably outside the document root, but AuthUserFile must be its absolute path: Apache does not expand ~ and does not resolve paths relative to the .htaccess file.

Create a new file called .htpasswd and paste the generated user:hash line into it.

Generate that line with one of the available tools, for example cPanel's password protection page or the htpasswd command over SSH; never store the password in clear text.
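Putting the three steps together, here is an added shell example (not from the original page) that generates the user:hash entry, writes the .htpasswd file with restrictive permissions, and prints the matching <Files wp-login.php> section with an absolute AuthUserFile path. It prefers the bcrypt mode of htpasswd and falls back to the APR1-MD5 scheme from openssl, which every Apache version accepts; the file locations in the usage comment (/etc/apache2, /var/www/html) and the user name green are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: create the .htpasswd file and the
# matching <Files wp-login.php> block with an absolute AuthUserFile path.
set -eu

# make_htpasswd_entry USER PASSWORD  -> prints "USER:HASH"
# Prefers htpasswd -B (bcrypt, Apache 2.4 httpd-tools); falls back to the
# APR1-MD5 scheme from openssl (the same scheme as htpasswd -m), which every
# Apache version understands.
make_htpasswd_entry() {
  if command -v htpasswd >/dev/null 2>&1; then
    htpasswd -nbB "$1" "$2" 2>/dev/null && return 0
  fi
  printf '%s:%s\n' "$1" "$(openssl passwd -apr1 "$2")"
}

# write_htpasswd FILE USER PASSWORD
# Writes the entry to FILE, created 0640 so only the owner and the web server
# group can read it. FILE should live outside the document root.
write_htpasswd() {
  mkdir -p "$(dirname "$1")"
  ( umask 027; make_htpasswd_entry "$2" "$3" > "$1" )
}

# login_auth_block PASSWDFILE USER -> the section to append to the site .htaccess
login_auth_block() {
  cat <<EOF
<Files wp-login.php>
AuthType Basic
AuthName "Private access"
AuthUserFile $1
Require user $2
</Files>
EOF
}

# Usage (assumed paths: /etc/apache2 for the password file, /var/www/html as web root):
#   write_htpasswd /etc/apache2/wp.htpasswd green 'a long random passphrase'
#   login_auth_block /etc/apache2/wp.htpasswd green >> /var/www/html/.htaccess
```

Because the password file sits outside the web root, the <Files ~ "^\.ht"> rule above is a second line of defence rather than the only thing keeping the hashes private. Basic authentication sends the password with every request, so only use it over HTTPS.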

Use Cloudflare and set the security level to medium or high, depending on your requirements.


WordPress Security Plugins


All In One WP Security plugin


It adds a lot of rules to your .htaccess file, which slows down access to wp-admin and may slow down the whole site.

Its most useful feature against brute force is the custom login URL combined with cookie-based protection: you pick a login page address and a secret word, the plugin stores a cookie with that secret on your own PC, and anyone else who tries to reach the login page is redirected wherever you choose.

Add two-step verification to the WordPress login with the Google Authenticator plugin; you need the Google Authenticator app on your phone to generate the codes.

If you have the Jetpack plugin installed, you can log in with your WordPress.com username and password instead.


Securing the Apache server

mod_evasive module

ModSecurity (mod_security)

Firewall: iptables or UFW on Debian 8; SELinux


Note: overlapping or conflicting security rules (for example plugin .htaccess rules on top of ModSecurity rules) may slow the server down.


