Here’s another short post about protecting wp-login.php files on your server from Brute Force Attacks, which can drastically increase your server load. Mine was constantly up to 90% making my server completely inaccessible.
.htaccess or not .htaccess
Adding the following code to your .htaccess files is a solution, but if you have tons of sites like me, you don’t want to manually have to upload .htaccess and .htpasswd files. Instead, you want to handle this at once, globally and server-wide. Here’s how I did it:
First of all, you need to find out if your httpd.conf file is an autogenerated file, or if you can manually edit it (without it being regenerated after an update.)
Usually, modifications go into the pre_main_global.conf include file. If this is also the case for you, make sure this is included in your active httpd.conf file.
Edit pre_main_global.conf and add the following code:
<Files ~ "^\.ht"> Require all denied </Files> <Files wp-login.php> AuthUserFile /var/htpass/.htpasswd AuthName "Private access" AuthType Basic require user yourloginname </Files>
Rename “yourloginname” to whatever login name you like.
Create the directory to store your .htpasswd file as follows:
You can generate a .htpasswd file here: http://www.htaccesstools.com/htpasswd-generator/, make sure to use the same login name as chosen before. Any password you want will do, also an empty password if that’s what you want.
Finally, save your .htpasswd file in the previously created directory, in this example we suggested /var/htpass/.
Assuming the pre_main_global.conf gets included as it should, the only thing left is to restart Apache. Use the following command to do so:
service httpd restart
Alternatively, you can restart Apache from DirectAdmin or WHM. Voila, you are now asked for a User Name and Password each time you access your wp-login.php file to login into WordPress.
Voila, you are now asked for a User Name and Password each time you access your wp-login.php file to login into WordPress.