If your like one of the millions of people using WordPress for their website you have probably dealt with a bruteforce login attack on your site or worse been hacked due to one.

One of the most frustrating things about these attacks is the typical way to address this issue is to either hide your login page via a plugin and custom URL or to add a captcha to the login page. If your like me you despise captchas and how much time is wasted on them.

There is actually a very simple solution to this issue that does not require changing your default login page or even needing a captcha.

Requirements: Static IP or VPN with Static IP

In this example the static IP will be 1.2.3.4. You can actually put multiple IP’s in for the site if you have multiple IP’s for say home office and VPN for when mobile or travelling.

To find your IP can use a site like the below to view your current IP.

Once you know your IP you will need to note that down and navigate to your control panel or where your WordPress installation is hosting wise. In this example it is going to be inside of cPanel account that houses the WordPress.

Navigate to the main document root for the WordPress install via FTP or the file manager. This will be where the index.php for the WordPress is located. We are then going to edit the .htaccess file. This is a hidden file so you may need to toggle on the show hidden files option in the cPanel File manager settings.

/home/username/public_html/.htaccess

Now once its opened we need to add some rules here to deny access to all IP’s from accessing the wp-login.php page and some other files. Replace the IP’s with your known Static IP’s. If you do not have that many you can just add a “#” to the front of that line to comment it out for reuse later.

#Redirect all non SSL URLs to use SSL aka HTTPS
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE] 

#Deny access to the wp-login page to all except the whitelisted IP's below.
<Files wp-login.php>
        order deny,allow
        Deny from all
 
# whitelist home IP address
allow from 1.2.3.4
 
#whitelist office IP Address
allow from 1.2.3.5

#whitelist vpn IP Address
allow from 1.2.3.6

#commented out rule
#allow from 1.2.3.7

</Files>

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

<files wp-config.php>
order allow,deny
deny from all
</files>

You may have other rules below this and that’s fine. If you already have a redirect to SSL rewrite the top one may not be needed. So for our example the entire .htacces basic Wordpress file looks like the below. This will prevent anyone from even accessing the login page to attempt a login. This lowers the load on the server instead of waiting for x attempts to fail to ban the IP and deal with the whackamole game of bruteforcing bots and such that rotate out IP’s between attempts.

#Redirect all non SSL URLs to use SSL aka HTTPS
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE] 

#Deny access to the wp-login page to all except the whitelisted IP's below.
<Files wp-login.php>
        order deny,allow
        Deny from all
 
# whitelist home IP address
allow from 1.2.3.4
 
#whitelist office IP Address
allow from 1.2.3.5

#whitelist vpn IP Address
allow from 1.2.3.6

#redirect the failed logins to get rickrolled
ErrorDocument 403 https://www.youtube.com/watch?v=dQw4w9WgXcQ
</Files>

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

<files wp-config.php>
order allow,deny
deny from all
</files>



# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Now that we have the main wp-login page secured we also need to ensure that the admin area which is typically https://yourdomain.tld/wp-admin to also not allow anyone to visit it that is not explicitly whitelisted. We are now going to create a new file called .htaccess in the wp-admin folder. With the same below content whitelisting the desired IP’s and redirecting non whitelisted IP’s to get rickrolled. You can change the URL to a custom website or page if you would like.

/home/username/public_html/wp-admin/.htaccess
Order Deny,Allow
Deny from all

# whitelist home IP address
allow from 1.2.3.4
 
#whitelist office IP Address
allow from 1.2.3.5

#whitelist vpn IP Address
allow from 1.2.3.6
ErrorDocument 403 https://www.youtube.com/watch?v=dQw4w9WgXcQ

Once this is done to test you will need to either disconnect from the VPN and test visiting your WordPress login page from an IP that is not whitelisted. If setup properly it should redirect you to YouTube video or whatever URL was specified for the 403 error.

If you only have a static IP and cannot change it the other method to test is to comment out the rule for the location your currently using so the rule is there but not active. If it works you can use the control panel your logged into to uncomment the rule and save the file and then test you can login still.

#whitelist office IP Address
#allow from 1.2.3.5

You may be thinking this is awesome I want to be able to login to my WordPress without weird login URLs or annoying captchas but I don’t have a static IP or VPN. Well your in luck we offer super affordable VPN plans via monthly or super discounted yearly plans in 8 countries and 16 locations. All of them are logless VPNS and work on both mobile and regular desktops laptops etc via multiple protocols. We also have premade files so you can whitelist all the VPN IP’s or just the VPN nodes you use to further prevent even other VPN users from being able to attempt login unless using the specific VPN node you prefer.

Below is a premade .htaccess file for WordPress for our VPN users main .htaccess

#Redirect all non SSL URLs to use SSL aka HTTPS
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE] 

#Deny access to the wp-login page to all except the whitelisted IP's below.
<Files wp-login.php>
        order deny,allow
        Deny from all
 
# whitelist home IP address
#allow from 1.2.3.4
 
#whitelist office IP Address
#allow from 1.2.3.5

#whitelist vpn IP Address
#allow from 1.2.3.6


# softy1 NL Amsterdam
Allow from 93.158.203.109

#softy2 NL Amsterdam
Allow from 93.158.203.91

#softy3 US Miami
Allow from 144.202.38.159

#softy4 US Chicago
Allow from 8.12.16.99

#softy5 US New Jersey
Allow from 45.32.6.181

#softy6 US Seattle
Allow from 144.202.93.38

#softy7 US Los Angeles
Allow from 45.76.174.145

#softy8 AU Sydney
Allow from 149.28.162.174

#softy9 JP Tokyo
Allow from 202.182.105.46

#softy10 HK Singapore
Allow from 149.28.151.117

#softy11 FR Paris
Allow from 140.82.54.59

#softy12 DE Frankfurt
Allow from 104.238.167.21

#softy13 UK London
Allow from 45.63.101.64

#Softy14 NL Amsterdam
Allow from 93.158.203.100

#softy15 NL Amsterdam
Allow from 93.158.203.112

#softy16 CA Toronto
Allow from 155.138.147.206
</Files>

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

<files wp-config.php>
order allow,deny
deny from all
</files>



# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

The below is the .htaccess file to use in the wordpress admin folder. Please note this same method will work for any CMS to protect an admin folder like Prestashop, Opencart, Magento, WHMCS, and etc… so pretty amazing way to secure these areas with very little effort.

Order Deny,Allow
Deny from all
# whitelist home IP address
#allow from 1.2.3.4
 
#whitelist office IP Address
#allow from 1.2.3.5

#whitelist vpn IP Address
#allow from 1.2.3.6


# softy1 NL Amsterdam
Allow from 93.158.203.109

#softy2 NL Amsterdam
Allow from 93.158.203.91

#softy3 US Miami
Allow from 144.202.38.159

#softy4 US Chicago
Allow from 8.12.16.99

#softy5 US New Jersey
Allow from 45.32.6.181

#softy6 US Seattle
Allow from 144.202.93.38

#softy7 US Los Angeles
Allow from 45.76.174.145

#softy8 AU Sydney
Allow from 149.28.162.174

#softy9 JP Tokyo
Allow from 202.182.105.46

#softy10 HK Singapore
Allow from 149.28.151.117

#softy11 FR Paris
Allow from 140.82.54.59

#softy12 DE Frankfurt
Allow from 104.238.167.21

#softy13 UK London
Allow from 45.63.101.64

#Softy14 NL Amsterdam
Allow from 93.158.203.100

#softy15 NL Amsterdam
Allow from 93.158.203.112

#softy16 CA Toronto
Allow from 155.138.147.206
ErrorDocument 403 https://www.youtube.com/watch?v=dQw4w9WgXcQ

Please note if you accidentally block yourself or forget to whitelist a new location. Login to your control panel or through FTP/SFTP to where your WordPress files are and just comment out the deny all line in the .htaccess files. When you’re done with wordpress uncomment it so it’s active again.

ProxySecuritywhmcsWordpress