InMotion Hosting Support Center


Because WordPress is such a popular CMS used on the web today, many attackers will try to compromise a WordPress website. Knowing how to review WordPress login attempts in your access logs can help you understand and improve your WordPress security.

This past April there was a large WordPress brute force attack where hackers were trying to hack into many WordPress installs. In this guide we'll go over how you can be sure that your WordPress site isn't still getting attacked.

Look at latest visitors in cPanel

To take a quick look to see who has been trying to access your WordPress administration panel, you can simply look in cPanel's Latest Visitors tool following these steps:

  1. Login to cPanel
  2. click on latest visitors

    Under the Logs section, click on Latest Visitors

  3. click view beside domain

    Beside your WordPress domain, click on View

  4. click settings cog select fields to use

    Type in wp-login.php into the search box with the magnifying glass

    Then click the Settings cog on the right, and place a check beside the IP, URL,Time,Status, and Method fields.

  5. wp-login attempts in cpanel latest visitors

    Here you can see that the IP address first had a GET request for the wp-login.php script, followed by 4 POST attempts, all getting a 200 response.

    On the 5th POST attempt the login was blocked and given a 503 response, and this is an indication of a user attemping to login to your WordPress admin, continually failing, and then being blocked by our Mod Security rules on the server.

    You might also see that you have a ton of different IP addresses trying to hit your wp-login.php script here as well, and at a much higher volume. If you're seeing this, then that means your site could still be under a WordPress brute force attack.

Setup a cronjob to email WordPress login attempts

A lot of times you might not be reviewing your WordPress website on a daily basis. In these cases it can be helpful to setup a cronjob to send you a daily report of any attempted WordPress logins following these steps:

  1. Login to cPanel
  2. click on cron jobs in cpanel

    Under the Advanced section, click on Cron jobs

  3. fill out cronjob email click update email

    Under the Cron Email section, fill out your email address where you'd like to receive the daily WordPress login attempt reports, and click Update Email

  4. add new once a day cronjob for wordpress login report

    Now under the Add New Cron Job section, change the Common Settings drop-down to be Once a day (0 0 * * *)

    This will default to sending you an email at midnight local server time, but you can adjust the Hour field if you'd like to have it email you a different time of day.

    Now for the Command field, you'd want to enter in the following command, making sure to replace ~/access-logs/ with your own WordPress website's log:

    egrep "POST .*wp-login.php" ~/access-logs/ | awk '{print $1,$4,$5,$6,$7,substr($0, index($0,$12))}' | awk '{print $1}' | sort -n | uniq -c | sort -n | sed 's/[ ]*//'

    Then click on Add New Cron Job

  5. The email report will give you a list of IP addresses that were accessing your wp-login.php script, and how many times they did so, and look like this:


    In this case if we received an email report like above, we can clearly see that we possibly have a brute force attack happening on our WordPress sites, as we have multiple IPs hitting the wp-login.php script multiple times.

Blocking unwanted users from WordPress

If you notice that you have IP addresses trying to access your WordPress admin that shouldn't be, you can go ahead and block unwanted users from your site using .htaccess.

In the example email report above we saw multiple IPs had multiple login attempts, we can block these IPs from even being able to send out website a request by using these .htaccess rules at the top of your .htaccess file:

deny from
deny from
deny from
deny from
deny from
deny from
deny from
deny from
deny from
deny from
deny from

Now if any of these IPs trys to access your website again, they will be immediately given a 403 access denied error and won't be able to attempt to login to your WordPress site any longer.

Support Center Login

Social Media Login

Social Login Joomla

Related Questions

Here are a few questions related to this article that our customers have asked:
Ooops! It looks like there are no questions about this page.
Would you like to ask a question about this page? If so, click the button below!
Ask a Question
n/a Points
2014-04-01 2:43 pm

I locked myself out of mysite trying to access wordpress. Do I have to wait for it to reset or is it someting I can change inside of inmotion.

9,968 Points
2014-04-01 2:57 pm
Hello Rafaael,

If you had too many incorrect WordPress login attempts then you would have triggered our <a href="" target="_blank">WordPress brute force attack</a> security rules. If this is the case, you could wait a full 15 minutes before attempting to login again, and then it should let you back in as normal.

Please note that during that time, if you have other users also trying to login to WordPress this could extend the 15 minute temporary block. In which case you'd want to use one of the methods described in that guide for limiting access to the WordPress admin section such as <a href="" target="_blank">setting up a secondary WordPress password</a>.

If you're still having issues logging in after waiting a full 15 minutes before trying again, please let us know.

- Jacob
n/a Points
2015-10-02 8:51 am

When I send into my wordpress website I can't see the dashboard. This is over 6 days and now and when I insist I get a 404 error page from Hostgator; how do I rectify it?

32,675 Points
2015-10-02 9:34 am
Hello Emily,

Sorry to hear that you're having problems with the login. If you are hosting with HostGator, then you will need to contact their support if you continue to have repeated login issues. If you are using our hosting service, please provide a URL for your site and we can investigate further.

If you have any further questions or comments, please let us know.

Kindest regards,
Arnel C.
n/a Points
2014-04-05 10:31 pm

I think there's something wrong with the rule to block. I just installed WP. I keep get blocked out on the first login attempt every time.



37,753 Points
2014-04-06 10:51 pm
Hello Jim,

The block rule should work as described. You may want to have us check your individual account to see that everything is implemented properly. You may want to reply with your domain name here. We can keep it from being public if you prefer.

Kindest Regards,
Scott M
n/a Points
2014-04-06 11:33 pm

Jim is referring to our VPS hosting account.

I do prefer the domains be kept private, as it's development site not for public consumption.



9,968 Points
2014-04-07 3:08 pm
Hello Jim and Steven,

I'm not seeing any issues when I try to login to the WordPress site that you've mentioned privately.

When you say that you are getting blocked out the first login attempt every time, are you getting redirected to an all white error page that has a link to our article about the <a href="" target="_blank">WordPress brute force attacks</a>, or something else?

I do not see any mention of the Mod Security rule we use to block WordPress login attempts in your Apache error logs. So it looks like you might be having a completely separate issue.

- Jacob

n/a Points
2014-04-07 9:30 pm

Yes. The logs only show 7 requests, first landing on wp-login.php and 4 for its respective css files and one for the log.  The seventh entry is the POST to wp-login.php.  Every first attempt results in the white page saying login has been delayed.  We are not being brute forced attacked, yet we are locked out because somewhere a rule thinks so. - - [06/Apr/2014:17:00:58 -0700] "GET /wp-login.php HTTP/1.1" 200 2960 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0" - - [06/Apr/2014:17:00:59 -0700] "GET /wp-includes/css/dashicons.min.css?ver=3.8.1 HTTP/1.1" 304 - "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0" - - [06/Apr/2014:17:00:59 -0700] "GET /wp-admin/css/wp-admin.min.css?ver=3.8.1 HTTP/1.1" 304 - "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0" - - [06/Apr/2014:17:00:59 -0700] "GET /wp-includes/css/buttons.min.css?ver=3.8.1 HTTP/1.1" 304 - "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0" - - [06/Apr/2014:17:00:59 -0700] "GET /wp-admin/css/colors.min.css?ver=3.8.1 HTTP/1.1" 304 - "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0" - - [06/Apr/2014:17:00:59 -0700] "GET /wp-admin/images/wordpress-logo.svg?ver=20131107 HTTP/1.1" 304 - "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0" - - [06/Apr/2014:17:01:48 -0700] "POST /wp-login.php HTTP/1.1" 503 813 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0"




11,186 Points
2014-04-08 7:45 am
As you can see from these logs, there are several POST requests to your wp-login within just a couple seconds which if they are failed logins, will certainly block access to your WordPress admin. I recommend fully <a href="">protecting it with your .htaccess file</a>.
n/a Points
2014-04-09 3:48 pm

Actually, as you can see in the logs there is ONE POST request. One intial GET request for wp-login.php The remaining are GET requests. In other words, GET requests from the referring page wp-login.php, as I already pointed out.

Why is this a new comment btw... It was supposed to a reply to JacobIMH in the thread we started above.

9,968 Points
2014-04-09 4:36 pm
Hello Jim,

I just tested again and this time I also got our ModSecurity block on your WordPress site.

I went ahead and <a href="" target="_blank">disabled specfic ModSecurity rules</a> dealing with our WordPress brute force protection, so that your site is still protected from other types of attacks.

Being that our protection is disabled for your WordPress site, you'll want to be sure that you follow the steps from our <a href="" target="_blank">WordPress brute force</a> guide to help protect your WordPress installation from attackers.

Please let us know if you're still having any issues at all.

- Jacob
n/a Points
2014-04-26 4:41 pm

How can I stop this web site from being blocked my web site is time sensitive

37,753 Points
2014-04-28 12:46 am
Hello Peter,

If you are being blocked from accessing your website admin area, you will want to perform the steps included in our WordPress brute force article.

If your site is being suspended by our Systems team, you will want to contact our Live Support team to investigate the cause.

Kindest Regards,
Scott M
n/a Points
2014-06-18 6:42 pm

Wordfence is a pretty good plugin for defeating Brute Force attacks...

9,968 Points
2014-06-18 7:05 pm
Hello Peter,

Yes the <a href="" target="_blank">WordFence plugin</a> in one of many WordPress security plugins that can help with WordPress brute force attacks.

Thanks for your comment!

- Jacob
n/a Points
2014-07-18 3:47 am


I am facing a problem to login in my Wordpress admin panel ... When I open my Wordpress admin panel page it show me nothing, just a message

LockeD By MED

pass plz:

Please help me to get rid out of this ..

Thanks in advance



9,968 Points
2014-07-21 3:47 pm
Hello Lisa,

Doing a Google search for <strong>LockeD By MED</strong> and WordPress, it seems like this could be an indication of your WordPress website being hacked.

I was unable to find any account information for you in our system based off the email address you submitted this comment under. But I might recommend you take a look at my guide on how to <a href="" target="_blank">reinstall WordPress after a hack</a> to see about possibly getting this hack cleaned up from your site and allow yourself back into the WordPress admin section.

You might wish to also contact your web host directly and let them know about these issues so that they can take a look on the server and in your WordPress database for any signs of malicious activity or a possible hack.

- Jacob
n/a Points
2014-09-22 1:57 pm

I am receiving database error messages when will this issue be resolved?

32,675 Points
2014-09-22 2:52 pm
Hello Felipe,

Sorry for the database errors that you're seeing. Can you please give us some details, as we're not seeing anything on your website at this point. If you are still having the problem and require technical assistance, please provide more detail on the exact error message, and also how to duplicate the problem.

Arnel C.
n/a Points
2015-06-25 6:38 pm

I have just paid for a month subscription and cannot sign in.  It says that I'm blocked.  What do I do? 

23,492 Points
2015-06-25 7:14 pm
Hello Brande,

This is just a public forum. Please, contact our Live Support team. They are available 24/7, 365 days a year.

Thank you,
n/a Points
2015-07-13 2:55 pm

Is it possible to whitelist an ip or two so that they can get through when a block happens? The primary administrator shouldn't get locked out during this period of time.

37,753 Points
2015-07-13 3:31 pm
Hello Dan,
The block happens at the mod_security level, so that is an all or nothing toggle. You can contact Live Support to have that rule disabled if you like, but you are basically whitelisting everyone.

Kindest Regards,
Scott M
2015-07-22 11:03 pm
The block happens at the mod_security level, so that is an all or nothing toggle. You can contact Live Support to have that rule disabled if you like, but you are basically whitelisting everyone.

Post a Comment

Email Address:
Phone Number:

Please note: Your name and comment will be displayed, but we will not show your email address.

28 Questions & Comments

Post a comment

Back to first comment | top

Need more Help?


Ask the Community!

Get help with your questions from our community of like-minded hosting users and InMotion Hosting Staff.

Current Customers

Chat: Click to Chat Now E-mail:
Call: 888-321-HOST (4678) Ticket: Submit a Support Ticket

Not a Customer?

Get web hosting from a company that is here to help. Sign up today!