You can lock down the WordPress admin login with some .htaccess rules to prevent unauthorized login attempts.

If your WordPress access is blocked due to WordPress brute force attacks, this will help.

Limit WordPress admin login attempts

This guide will show you how to limit WordPress admin login attempts by IP address or by referrer.

Below we'll show you how to get to your .htaccess file and what edits to make to limit WordPress admin logins.

  1. Login to your cPanel.
  2. Under the Files section, click on File Manager.
  3. Select the Document Root for your domain.
  4. Ensure that Show Hidden Files is selected.
  5. Then click Go.
  7. Right-click on the .htaccess file and select Edit.
  9. A text editor encoding dialog box might pop up; you can simply click on Edit.
  10. There are a few ways to restrict access to your WordPress admin section using this .htaccess file.

    These rules should be placed at the very top of your .htaccess file to function properly.

    Restrict WordPress admin access via:

    Secondary WordPress admin .htaccess password (Recommended if your IP changes)

    A single IP address

    Multiple IP addresses

    Trusted referrers

    Single IP address access

    You can check your IP to get your computer's IP address.

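    If you are using CloudFlare or a DNS-level filtering service, this method won't work, because requests reach the server from the service's IP addresses rather than your own. You'll want to set up a secondary WordPress .htaccess password for protection instead.

    To allow access from a single IP address, replace 123\.123\.123\.123 with your own IP address, keeping a backslash before each dot:

    <IfModule mod_rewrite.c>
    RewriteEngine on
    # Applies to requests for wp-login.php or /wp-admin ...
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    # ... that do not come from the allowed IP address
    RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
    # Answer those requests with 403 Forbidden
    RewriteRule ^(.*)$ - [R=403,L]
    </IfModule>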

    Multiple IP address access

    You can check your IP to get your computer's IP address.

    If you are using CloudFlare or a DNS-level filtering service, this method won't work, because requests reach the server from the service's IP addresses rather than your own. You'll want to set up a secondary WordPress .htaccess password for protection instead.

    To allow access from multiple IP addresses, replace 123\.123\.123\.xxx with your own IP addresses, one RewriteCond line per address:

    <IfModule mod_rewrite.c>
    RewriteEngine on
    # Applies to requests for wp-login.php or /wp-admin ...
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    # ... whose address is none of the allowed ones (these lines are ANDed)
    RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.121$
    RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.122$
    RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
    # Answer those requests with 403 Forbidden
    RewriteRule ^(.*)$ - [R=403,L]
    </IfModule>

    Dynamic IP address access, limit by referer

    If your IP address changes, you can protect your WordPress site by only allowing login requests coming directly from your domain name. Simply replace example\.com with your own domain name.

    Most brute force attacks rely on sending direct POST requests right to your wp-login.php script. So requiring a POST request to have your domain as the referrer can help weed out bots.

    <IfModule mod_rewrite.c>
    RewriteEngine on
    # Only POST requests are checked; GET requests for the login page pass through
    RewriteCond %{REQUEST_METHOD} POST
    # Referrer is not your domain (https? accepts both http:// and https://)
    RewriteCond %{HTTP_REFERER} !^https?://(.*)?example\.com [NC]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    # Answer those requests with 403 Forbidden
    RewriteRule ^(.*)$ - [F]
    </IfModule>

  11. Wait at least 15-20 minutes, and try to log in to your WordPress site again. If you try to access the WordPress dashboard within the 15 minute window of a block, this could extend the block.

    It's important to wait for the previous block to expire and be patient before attempting to access your WordPress site again.

You should now be blocking unauthorized WordPress admin login attempts utilizing .htaccess rules.
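
How the condition chains in this guide evaluate, as an added example (not code from the hosting provider): a small Python model of mod_rewrite's RewriteCond chaining, where [OR] joins only adjacent conditions and everything else is ANDed, run over constructed requests. The referrer rule is modelled in its http-only `^http://` form, as in the copies readers quote in the comments; `REFERER_STRICT`, 198.51.100.7 and unrelated.test are assumptions of this example.

```python
import re

# Condition lists from this guide (the RewriteRule line is omitted: it fires
# when the conditions match). 123.123.123.123 and example.com are placeholders.
SINGLE_IP = r"""
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
"""
REFERER_HTTP_ONLY = r"""
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^http://(.*)?example\.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
"""
# Assumption of this example, not a rule from the guide: accept http and https
# and anchor the host name instead of matching it anywhere in the referrer.
REFERER_STRICT = REFERER_HTTP_ONLY.replace(
    r"!^http://(.*)?example\.com",
    r"!^https?://([^/]+\.)?example\.com(:[0-9]+)?(/|$)")


def parse(rule_text):
    """Turn 'RewriteCond %{VAR} [!]pattern [flags]' lines into tuples."""
    conds = []
    for line in rule_text.strip().splitlines():
        parts = line.split()
        var = parts[1][2:-1]                      # strip %{ and }
        negate = parts[2].startswith("!")
        pattern = parts[2][1:] if negate else parts[2]
        flags = set(parts[3].strip("[]").upper().split(",")) if len(parts) > 3 else set()
        conds.append((var, pattern, negate, flags))
    return conds


def blocked(rule_text, env):
    """True when every condition group matches, i.e. the RewriteRule would fire."""
    conds = parse(rule_text)
    i = 0
    while i < len(conds):
        var, pattern, negate, flags = conds[i]
        hit = re.search(pattern, env.get(var, ""), re.I if "NC" in flags else 0) is not None
        if negate:
            hit = not hit
        if "OR" in flags:
            if hit:
                # One member of the OR group matched: skip the rest of the group.
                while i < len(conds) and "OR" in conds[i][3]:
                    i += 1
        elif not hit:
            return False                          # a failed AND condition ends it
        i += 1
    return True


def request(method, uri, addr="198.51.100.7", referer=""):
    """Constructed request; a missing Referer header is an empty string."""
    return {"REQUEST_METHOD": method, "REQUEST_URI": uri,
            "REMOTE_ADDR": addr, "HTTP_REFERER": referer}


OWN_HTTP = "http://example.com/wp-login.php"
OWN_HTTPS = "https://example.com/wp-login.php"
SUBSTRING = "http://unrelated.test/?example.com"   # domain appears only in the query

CASES = {
    "ip: login page, allowed address": (SINGLE_IP, request("GET", "/wp-login.php", addr="123.123.123.123")),
    "ip: login page, other address": (SINGLE_IP, request("GET", "/wp-login.php")),
    "ip: ordinary page, other address": (SINGLE_IP, request("GET", "/about/")),
    "http-only: POST, no referrer": (REFERER_HTTP_ONLY, request("POST", "/wp-login.php")),
    "http-only: POST, own http referrer": (REFERER_HTTP_ONLY, request("POST", "/wp-login.php", referer=OWN_HTTP)),
    "http-only: GET, no referrer": (REFERER_HTTP_ONLY, request("GET", "/wp-login.php")),
    "http-only: POST, own https referrer": (REFERER_HTTP_ONLY, request("POST", "/wp-login.php", referer=OWN_HTTPS)),
    "http-only: POST, domain as substring": (REFERER_HTTP_ONLY, request("POST", "/wp-login.php", referer=SUBSTRING)),
    "strict: POST, no referrer": (REFERER_STRICT, request("POST", "/wp-login.php")),
    "strict: POST, own https referrer": (REFERER_STRICT, request("POST", "/wp-login.php", referer=OWN_HTTPS)),
    "strict: POST, domain as substring": (REFERER_STRICT, request("POST", "/wp-login.php", referer=SUBSTRING)),
}


def decisions():
    """Map each constructed case to True (403) or False (request passes)."""
    return {name: blocked(rule, env) for name, (rule, env) in CASES.items()}


if __name__ == "__main__":
    for name, is_blocked in decisions().items():
        print(f"{'403 ' if is_blocked else 'pass'}  {name}")
```

The Referer header is supplied by the client, so either form of the rule filters only clients that leave it unset or wrong; pair it with the IP or secondary-password method when lockouts continue.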

Comments

2013-04-17 8:41 am
Hi, my IP address 111.93.52.182 and I used this code in .htaccess of my wordpress blog Sharecommons.com:

[code]<FilesMatch wp-login.php>
Order Allow,Deny
Allow from 111.93.52.182
Deny from all
</FilesMatch>[/code]

Well, it is supposed to allow me and deny all other IP addresses. However, it has locked me out and is blocking me from accessing the wp-login.php page. What could I possibly be doing wrong here? Thanks for your help.
Staff
7,266 Points
2013-04-17 10:26 am
Hello andyks,

Thank you for your question. I tested this, and it works when you comment out the line:
Deny from all

For example:
[code]
Order Allow,Deny
Allow from 111.93.52.182
#Deny from all
[/code]

Also, as suggested in this guide, I added it to the top of the .htaccess file.

If you have any further questions, feel free to post them below.
Thank you,

-John-Paul
2013-06-26 7:22 am
It is the order of Allow, Deny that determines whether it works or not.

This does not work:
[code]
Order Allow,Deny
Allow from 111.93.52.182
Deny from all
[/code]

Because it first allows from 111.93.52.182 and then denies from all.

This works:
[code]
Order Deny,Allow
Allow from 111.93.52.182
Deny from all
[/code]
Because you first deny from all and then allow from specific.

Which of the 2 lines comes first is not important. Only the Order line.
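
The three Order/Allow/Deny variants posted in the comments above, evaluated with a small Python model of Apache's documented Order semantics (an added example, not part of any commenter's post). It handles only `all`, single addresses and CIDR ranges, and 198.51.100.7 is a constructed visitor address.

```python
import ipaddress

ADMIN = "111.93.52.182"      # address given in the first comment
VISITOR = "198.51.100.7"     # constructed address for "everyone else"

ORIGINAL = """
<FilesMatch wp-login.php>
Order Allow,Deny
Allow from 111.93.52.182
Deny from all
</FilesMatch>
"""
DENY_COMMENTED_OUT = """
Order Allow,Deny
Allow from 111.93.52.182
#Deny from all
"""
DENY_ALLOW = """
Order Deny,Allow
Allow from 111.93.52.182
Deny from all
"""


def parse(block):
    """Return (order, allow_specs, deny_specs); comments and <...> lines are skipped."""
    order, allows, denies = "deny,allow", [], []   # Apache's default Order
    for raw in block.strip().splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        words = line.split()
        key = words[0].lower()
        if key == "order":
            # Apache accepts exactly one argument: no whitespace after the comma.
            if len(words) != 2:
                raise ValueError("Order takes one argument, e.g. Deny,Allow")
            order = words[1].lower()
        elif key in ("allow", "deny"):
            (allows if key == "allow" else denies).extend(words[2:])  # skip 'from'
    return order, allows, denies


def matches(spec, ip):
    """'all' matches everything; otherwise treat spec as an address or CIDR range."""
    if spec.lower() == "all":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def allowed(block, ip):
    """Apply the Order rules: the keyword listed last wins and sets the default."""
    order, allows, denies = parse(block)
    allow_hit = any(matches(s, ip) for s in allows)
    deny_hit = any(matches(s, ip) for s in denies)
    if order == "allow,deny":
        return allow_hit and not deny_hit   # default deny; a matching Deny wins
    if order == "deny,allow":
        return allow_hit or not deny_hit    # default allow; a matching Allow wins
    raise ValueError(f"unsupported Order value: {order}")


def summary():
    """(admin allowed, visitor allowed) for each variant."""
    variants = {"original": ORIGINAL,
                "deny commented out": DENY_COMMENTED_OUT,
                "order deny,allow": DENY_ALLOW}
    return {name: (allowed(b, ADMIN), allowed(b, VISITOR)) for name, b in variants.items()}


if __name__ == "__main__":
    for name, (admin_ok, visitor_ok) in summary().items():
        print(f"{name:20} admin={'allowed' if admin_ok else 'denied'} "
              f"visitor={'allowed' if visitor_ok else 'denied'}")
```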
2013-06-26 7:32 am
I am working on a script that will use 2 htaccess files. If the visit to a site exceeds a certain expected number per 10min, the htaccess file will be changed on the fly for an hour. The changed file will limit access to where most expected visitors will come from. For instance your own country. This will also prevent brute force attacks from a large amount of computers, and keep open your site to maybe 95% of your users depending on what kind of site it is. It should be possible to customize the 'access denied' page on the fly also to inform, in case you have your own server.
2013-06-26 3:32 pm
When I use the following .htaccess file on the subdomain(test.mydomain.com), I get the error "310 (net::ERR_TOO_MANY_REDIRECTS)" and can't access the log-in page.

<files wp-login.php>
AuthName "Login"
AuthType Basic
AuthUserFile /home/xxxx/.htpasswd
require valid-user
</files>

Although I have tested on the local using XAMPP creating subdomain “test.localhost” and subdirectory on the inmotion server "mydomain.com/test/ " with same files and it works fine.

Why am I getting the error only on subdomain settings?




2013-06-26 3:37 pm
Sorry, please disregard my post. I am on the wrong page.
2013-07-20 10:41 pm
Hi,

My members use wp-login.php to access their accounts. How do I accommodate them using the above solution?

Cheers
Staff
15,484 Points
2013-07-22 3:27 pm
Hello Camhawk,

Thanks for the question! If you have many members logging in and you would prefer not to limit by the IP address (IP address would be unique per user), then you should be using the Referrer method as listed above. Give your members a URL shortcut using the domain URL. The default reference to login for the WordPress admin is as follows: http://domain_name.com/wp-admin. This way you're not using the direct login to wp-login.php (it automatically redirects to the wp-login using the wp-admin, anyway) and you're using the URL as per the .htaccess rule.

I hope that helps to clarify the matter. If you require any further assistance, please let us know.

Regards,
Arnel C.
2013-07-25 5:44 am
Thanks, but I seem to be struggling with your explanation.

- When you say "Give your members a URL shortcut using the domain URL" do you mean create a URL like this (http://www.example.com/login) when linking to the login page and have it NOT redirect to the wp-login.php, i.e. so it stays on /login

I have done the above without using .htaccess, but when I add the .htaccess referrer rules it starts redirecting my /login page to wp-login.php and eventually locks me out again.

Any further help much appreciated.
Staff
15,484 Points
2013-07-25 3:53 pm
Hello Camhawk,

I was trying to say use the "http://example.com/wp-admin" path so that the referrer rule in .htaccess recognizes it as a legitimate access to the Administrator dashboard.

When you implement the .htaccess rule, you should give it at least 15-20 minutes before trying to access it again. As per step 9 above: "Unfortunately even if you simply try to access the WordPress admin dashboard, still within the 15 minute window of a block, this could extend the block an additional 15 minutes, so it's important to wait for the previous block to expire before attempting to access your WordPress site again."

After you've waited, make sure that access to the Administrator dashboard is occurring through the link using "http://example.com/wp-admin" (but "example.com" is replaced by your name). If the problem with the login continues, then you may need to use the multiple IP option.

Please let us know if the issue persists and we can investigate it further.

Regards,
Arnel C.
n/a Points
2014-05-20 3:47 pm
Insert at beginning of htaccess file.   RewriteRule ^login$ http://YOUR_SITE.com/wp-login.php [NC,L]

Just replace the login keyword with one of your choice and your website’s URL.

2013-08-29 6:50 pm
This has happened COUNTLESS TIMES and it gets me in, but then a few days later it is supposedly hacked again. This does not happen to ANY of my other sites, just one.
Staff
15,484 Points
2013-08-29 9:39 pm
Hello Mcsiler,

I'm sorry to hear you are having problems with the admin login. Unfortunately, this issue isn't something that just simply goes away and never comes back. If your website was specifically targeted, then the botnet may subside for a bit, and then come back later with more attempts to hack your login. The lockout doesn't mean your website is "hacked". It means that an attempt to attack your site was stopped and the lockout occurs because of failed attempts to login to your Wordpress admin. Please allow the time for the lockout to pass (15 minutes) and then try to log in again.

If you continue to have login problems, please either contact our live technical support staff, or provide us more information on the URL you're having the problem with so that we can investigate the issue in more depth.

Kindest regards,
Arnel C.
2013-08-30 6:29 pm
I'm STILL having issues - no website at all and cannot even access the dashboard on wordpress! longbeachlpa.com. Apparently someone is working on it, but I have never ever had these issues with any website until this year on Inmotion - getting very very frustrated.
Staff
15,484 Points
2013-08-30 7:37 pm
Hello Mcsiler,

I'm sorry for the frustrations that you've been having with your Wordpress site. One of our Tier2c techs (Shawn C.) has been looking at it and finally cracked the issue. The problem was with your caching plugin. It needed to be cleared as it was basically causing the connection issues for the database. Once that was done, the page came up beautifully.

If you ever need to disable plugins, there's a guide we provide that can help you do it real quick so that you can eliminate/identify them as the possible cause for your WordPress problems: Disabling Wordpress plugins. Otherwise, please let us know if we can help by posting another question!

Thanks for your patience! Regards,
Arnel C.
2013-08-30 6:13 pm
I followed the steps (using the referrer method), and now not only can I not log in, all of my pages (except the homepage) are showing 404 errors - even when I'm just browsing the site. http://jeffchoirs.org/
Staff
15,484 Points
2013-08-30 6:20 pm
Hello Kdemerly2,

Sorry to hear about the problem you were having. Thank you for providing a link so that I could find the account immediately! I looked at the .htaccess file that you edited and you missed one little backslash that's supposed to go before the period in '.org'. I went ahead and fixed it for you. Give it another 15-20 minutes, and then try to login again.

Apologies again for the issues - hope this fixes it for you!

Regards,
Arnel C.
2013-08-30 6:32 pm
I had that backslash in there originally, and it still prevented me from even accessing my pages outside of logging in. That's when I tried removing it, thinking maybe it was the cause. Isn't that just supposed to prevent login issues? Why can't I get to http://jeffchoirs.org/varsity-singers/ without logging in? Why do I get a 404 error when I'm not even logging in to that page? Thanks for your prompt response, btw!
Staff
15,484 Points
2013-08-30 7:06 pm
Hello Kdemerly2,

The "\" is required in order to recognize the period in between the domain name and its extension. Also the 404 for the link you provided. The problem is that the page does NOT exist. So if you're typing it in directly, there's no such folder in your directory. If you're getting a 404 elsewhere, I need to see the URL for it. WordPress generates the URLs for pages that are in it - they will not be the same as the title of a page that you may have created directly in Wordpress. You can create custom permalinks, using the permalinks option in WordPress, but you can't simply create a url for a single page. I hope that helps to explain it. The URL that you provided indicates that there should be a subdomain/folder named "varsity-singers" and there isn't one. That's the reason you're getting the error message. Create one, add some website files in there, and you'll see it appear with no problem.

I hope that helps to clear up that issue! Let us know if you're still having any specific problems.

Regards,
Arnel C.
2013-08-30 7:16 pm
The page exists! It was there until I put in your code. If you go to that page again, you'll see that it works now - because I removed your code and put back what was in there a few hours ago before I tried this update. http://jeffchoirs.org/varsity-singers/ But now I'm locked out of the login again. *sigh*
Staff
15,484 Points
2013-08-30 7:27 pm
Hello Kdemerly2,

The way you put the link in won't be recognized correctly. Try this:

http://jeffchoirs.org/varsity-singers.html/

You'll see it every time that way. When you leave off the ".html" the server is looking for a subdomain or folder that does not exist. When I looked for that, I did not see it, so that's why I thought there was no such location. The link works from WordPress most likely because it's linked TO the .html page. Anyways, if you're going to go directly to an html page in your directory, then you would need to provide the extension in the URL.

Regards,
Arnel C.
2013-08-30 7:32 pm
When I go to that page http://jeffchoirs.org/varsity-singers.html/
I get: "This is somewhat embarrassing, isn’t it? It seems we can’t find what you’re looking for. Perhaps searching, or one of the links below, can help." I don't know where the disconnect is, but my Wordpress page for Varsity Singers isn't jeffchoirs.org/varsity-singers.html/.
2013-08-30 7:37 pm
And after waiting, I can now log back in to my Wordpress site. So, while I was happy to lock it down using the steps listed above, it did not seem to work for me. I can certainly utilize Cloudflare if that's a viable option.
2013-08-30 7:46 pm
So should I try and limit the login again, using the steps above? I guess I can try.
Staff
15,484 Points
2013-08-30 7:50 pm
Hello again Kdemerly2!

The options above are widely considered to be viable options to helping to lockdown your WordPress login. If you are using the referrer method (which is what I saw in your .htaccess file), then you should make sure that you login using the url like this: http://jeffchoirs.org/wp-admin . The referrer method of blocking is used because the automated scripts in many of the attacks are using the direct path to the login page.

The script used in the attacks will not normally use the domain name, but it can happen which may be why you're seeing your page often blocked. I would highly recommend the IP method if it continues to be an issue. This would prevent you from continually being blocked by simply typing in your site URL. I understand how frustrating this can be trying to get into the Wordpress page - hopefully, using the IP method will keep you safer.

Using Cloudflare is a viable option if you wish. It adds a little complexity to the setup, but they are free and they offer other services which may be helpful to you. We also have documentation for the setup here: Cloudflare setup.

If you continue to have any problems, please let us know if you require further assistance.

Regards,
Arnel C.

2013-08-30 7:53 pm
Thanks for your help. I appreciate it.
2013-09-07 12:11 pm
I was wondering how the ip address lock down affects me using my iphone wordpress app, or using my laptop to login from a library? Is there a way to find out my iphone ip address? Does this change depending on whose wifi I'm using? Are there any other security measures I could take?
Staff
9,521 Points
2013-09-09 2:47 pm
Hello coffeehauscat , and thanks for your comment.

Using the IP address restricting method that is discussed in this article is best suited for when you have the same IP address consistently, or at least rotate through a few common ones.

Being that it sounds like you'd be accessing your WordPress admin dashboard from more than likely dynamic IP addresses, while you could keep figuring out your IP address by using our IP lookup tool and updating your .htaccess rules to let the new IP in. You will probably find it much easier to instead prevent WordPress login attempts with a .htaccess password.

That way you'd simply enter the username and password you set, and then no matter what your IP is it will bypass the .htaccess block, and give you the normal WordPress admin dashboard login.

I went ahead and set this up for you to speed up the process, and all you'd have to do now is just open up your /public_html/.htaccess file and you should see I left you a note at the top with what I set the username and password to. If you'd like to use different credentials, then you can simply follow the steps in that other article and create an additional user.

I hope that helps you out, and please let us know if you had any other questions at all!

- Jacob
2013-10-21 3:03 pm
Hi,
I just implemented the "limit by referer" method in my .htaccess file, but before I turn off Modsec, I want to be sure my implementation works. How can I test this?

Furthermore, I noticed that this solution only promises to address the current botnet, which uses direct POST requests. Is there any way we can be prepared for future modes of attack, or is this a watertight solution for any eventuality?
Staff
9,521 Points
2013-10-21 4:08 pm
Hello ThePurpleTide, and thanks for your comment.

Typically we wouldn't recommend turning off ModSec as it will protect your website from other attacks and not just the WordPress brute force ones. It's kind of a last resort if you really need to get back in to your WordPress admin dashboard and have been having issues with our ModSecurity rules continuing to trigger.

If you wanted to test the limit by referer method in your .htaccess file, you would need to create an HTML form with the method set to POST and the action set to your wp-login.php file of your website.

It would look something like this:

<form method="POST" action="http://addondomain.com/wp-login.php">
<input type="submit">
</form>


You would get a 403 forbidden error if the .htaccess rules were applied correctly. You could then hit refresh on the page and it should show your normal wp-login.php page, as you would only be restricting POST attempts to the page, and when you hit refresh that is simply a GET request.

We also actually recommend setting up a secondary WordPress .htaccess password for the best level of protection.

Please let us know if you had any further questions.

- Jacob
2014-01-26 10:51 am
I have implemented the "Multiple IP address access" method on all my domains yet I am still getting locked out of my admin. Does this method no longer work? Here is the exact text I have at the head of the .htaccess file:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^http://(.*)?shadeofthebodhitree\.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]
</IfModule>
Staff
7,266 Points
2014-01-27 10:21 am
Hello jkwalz108,

The fix you are using is for when "the brute force attack that is taking place relies on sending direct POST requests right to your wp-login.php script," but if your site is accessed directly, then the wp-admin is requested it will still allow attempts through.

A better option for you would be to use a "Secondary WordPress admin .htaccess password (Recommended if your IP changes)", or the "Multiple IP addresses" method.

If you have any further questions, feel free to post them below.
Thank you,

-John-Paul
2014-02-15 11:57 am
And so now I can't log in here with Facebook? I get an error "The state does not match. You may be a victim of CSRF.". What a pain...I have to create a new account with Google+. Seriously, what a pain!

I've noticed that my WordPress stores that live in a /wp subdirectory don't suffer from these attacks. Is that a possible solution? To move the entire installation to a sub directory?
Staff
7,372 Points
2014-02-17 10:02 am
The reason that you may not get this error when the installation is in another directory is because the bots may not be targeting the subdirectory at this time. It is possible that this can indeed happen to sites on those directories as well, so it is best to still set a secondary password within your .htaccess file.
2014-02-21 5:53 am
I have a problem..... plz tell me htaccess rule to set up a wordpress management server to a subdomain like admin.subdomain.com . And URL should be stored in database (RDS Mysql server). I am using aws server and cloudfront DNS, CDN, WP super cache plugin to access wp-content by n wordpress servers...... Plz mail me as fast as possible........
Staff
7,372 Points
2014-02-21 8:43 am
Hello suryandh,

To map your WordPress admin to a subdomain instead of being at /wp-admin, you would use the following within your .htaccess file:

# Redirect sub folders to sub domains
RedirectMatch 301 ^/wp-admin/?(.*)$ https://admin.domain.com/$1


Of course, modify the domain to what you will be using within your site. You will also need that subdomain set up within your account there as well.
n/a Points
2014-02-28 3:10 pm

Your instructions, above, are flawed. They read: To allow access from a single IP address, replace 123\.123\.123\.123 with your own IP address. But that's not correct. You can't simply plug in "your own IP address"---you also have to insert slashes.

Staff
9,521 Points
2014-02-28 5:04 pm
Hello Mary,

It should work in most cases either way you type in your IP address:

123\.123\.123\.123
123.123.123.123


Both methods of typing in an IP address should be valid for an .htaccess file.

I see from your account notes that you might have also had an extra space throwing the rules off. Thanks for leaving this comment. I'll see about updating the article to make it a little more clear how to enter in your IP address, but I'm also almost done working on a WordPress plugin that will allow our customers to easily implement these security recommendations on their own automatically without issues.

Thanks again, and please let us know if you had any other suggestions!

- Jacob
n/a Points
2014-03-01 12:24 pm

Unfortunately WooCommerce customers need to access wp-admin.php for some reason so an additional username and password won't work for me. In fact whenever these blocks happen I think my customers are locked out from completing purchases. I guess they'll just go elsewhere.

Staff
7,372 Points
2014-03-03 10:51 am
Instead of locking down with a secondary password, you could lock down your WordPress admin by referrer (under the heading "Dynamic IP address access, limit by referer") which would prevent users from directly sending POST requests and allowing your users to still access their accounts.
n/a Points
2014-03-13 9:06 am

Help I have been locked out of my blog for several days and cannot reach my dashboard to make the changes suggested here. The site is

http://oakridgecameraclub.org/president/

any help would be appreciated.  It appears I will need some help from the staff

Staff
7,266 Points
2014-03-13 9:47 am
Hello rob,

Sorry to hear about your troubles. As a test, I was able to access your admin login page using the Single IP method.

Make sure you are adding the code to your .htaccess file located in the root of your wordpress installation: public_html/president/

If you have any further questions, feel free to post them below.
Thank you,

-John-Paul
n/a Points
2014-03-20 9:31 am

I'm using the "Dynamic IP address access, limit by referer" method yet I am still getting blocked out of admin. This is the exact text in my .htaccess file:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^http://(.*)?shadeofthebodhitree\.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]
</IfModule>

What am I doing wrong?

Staff
7,372 Points
2014-03-20 9:39 am
This disallows bots from sending direct POST requests to your WordPress admin, but if they are actively visiting your login page, they will still be able to launch brute force attacks. I recommend blocking based on IP, or using a secondary password here if you are still being locked out.
n/a Points
2014-05-02 1:32 am

I have a number of WP sites which are in folders in my public_html folder. Each site is also running its WP from a folder. i.e. xyzxyz.com/qrgf/wp-admin/wp-login.php

I'd like to use the Referrer method above. What's the best way?

Also, would it be preferable to put this in the .htaccess file that's *above* my public_html folder? Could I put the Referrer for *all* of my sites there? (So they'd all be in one place)

Staff
7,372 Points
2014-05-02 7:42 am
You could simply place a single block of code within your .htaccess file in your public_html directory that covers all sites. As long as you don't have any additional rules in deeper folders that could counteract it, everything can work directly within a single file. It would look something like this:


RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^http://(.*)?example\.com [NC]
RewriteCond %{HTTP_REFERER} !^http://(.*)?example\.com\/somethingelse [NC]
RewriteCond %{HTTP_REFERER} !^http://(.*)?example\.com\/anothersite [NC]
RewriteCond %{HTTP_REFERER} !^http://(.*)?example\.com\/additionalsite [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]


Be sure that you place each site that you are running in here or else you will get access denied errors on them.
n/a Points
2014-05-04 8:17 pm

I've waited for 15 mins but still can't log in. I'll wait for half an hour and try again.

Staff
15,484 Points
2014-05-20 3:53 pm
Hello Matt,

Sorry to hear that you're having problems with the login. Since you did not give us any account information, we could not check into the matter for you. If you want us to investigate, please give us at least a domain name or account user name. If your site is being hit by the brute force attack, then you may not be able to access the admin until you implement one of the suggestions listed above (and then waiting 15 minutes).

Remember that posts here are public domain. If you would prefer the matter to be handled privately, then please contact our live support team as per the contact information at the bottom of the page.

Kindest regards,
Arnel C.
n/a Points
2014-05-22 10:39 am

I have attempted to edit a client's .htaccess file following instructions and the file is totally blank. There is no code to apply the Trusted Referrers fix to. Client's url is 

kissthesky.net

which is an addon domain to

stevesalmostfamous.com

Thanks in Advance

Staff
7,372 Points
2014-05-22 10:44 am
To apply this, you will need to copy the entire block of code mentioned into your .htaccess file and adjust it based on their specific information.
n/a Points
2014-05-22 10:58 am

Hi Tony,

You might end up with a blank .htaccess file in WordPress if you haven't yet gone to Settings/Permalinks and set and saved the permalink setting you want to use.

WordPress doesn't generate the .htaccess info until you do that. If for some reason WordPress can't write to the .htaccess file, you should get a notice warning you of that and also the code to copy and paste into your .htaccess file manually.

n/a Points
2014-05-22 11:08 am

Thanks Jeff! 

Guess I'll know in 15 minutes or so.

n/a Points
2014-05-22 11:27 am

Jeff,

I was able to edit the file as you suggested but now when I attempt to log in using

http://kissthesky.net/wp-admin

I get the 404 error message.

Staff
7,372 Points
2014-05-22 11:38 am
This is because the website is not created using WordPress, so it will not contain a wp-admin directory.
n/a Points
2014-05-22 11:55 am

That makes sense Jeff, I use WP as content management for this dynamic site so I tried

http://kissthesky.net/blog/wp-admin        it then redirected to

http://kissthesky.net/blog/wp-login.php?redirect_to=http%3A%2F%2Fkissthesky.net%2Fblog%2Fwp-admin%2F&reauth=1

and displayed the same message 'WordPress Login Temporarily Disabled'

Where to from here?

Staff
15,484 Points
2014-05-22 12:29 pm
Hello Tony,

I took a look at your login and it is appearing for me. It may have been blocked temporarily (typically 15 minutes) in order to stop brute force attacks. Make sure to review the article above for more information on how to secure your WordPress login.

By the way I was using the following URL: http://kissthesky.net/wp-admin

Make sure to clear your browser cache before trying to login again. Please let us know if you continue to have difficulty logging in.

Kindest regards,
Arnel C.
n/a Points
2014-05-22 1:01 pm

Back in business!! Thanks to you and Jeff.

Regards,

Tony

n/a Points
2014-06-12 6:23 am

Hello, thanks for this article.  I understand that wp-admin is actually a folder in WordPress, so if we add this code, won't it lock down the whole directory and not just prevent people from accessing the wp-admin login page?

Thanks in advance for your advice.

Staff
7,372 Points
2014-06-12 8:15 am
The wp-admin directory only contains content that would be accessed on the admin dashboard so it would not affect the main content of your site at all.
n/a Points
2014-06-12 11:38 am

Thank you for replying.  And, again, thanks for the article.  :)

n/a Points
2014-07-10 9:35 pm
Couldn't have been any simpler. Thanks

Updated 2014-07-17 06:43 pm EST