Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

.htaccess for entire /home to stop wp-login.php bruteforce ...feasible?

Discussion in 'Security' started by qwerty, Jul 31, 2014.

  1. qwerty

    qwerty Well-Known Member

    Jan 21, 2003
    Likes Received:
    Trophy Points:
    Like for many others, our cpanel servers are getting hammered day in day out with wp-login.php login attempts.

    Not on such a huge scale that they're causing trouble but I worry without any restrictions they're bound to brute force their way in to some of the customers' wordpress blogs.

    This is NOT about mod_security - I am aware there are rules out there, but from what I've read they're either easily circumvented or create more issues then they solve.

    What I had in mind was... putting a .htaccess in /home directly and specify directives in it such that whenever someone attempts to access wp-login.php anywhere under /home/ - they're subjected to a list of allowed IPs.

    I can email my customers and get their static IPs to add to the list so that they're able to access wp-login.php

    Is this feasible? What possible issues could I run into? Does Wordpress use wp-login.php for anything other than ADMIN login ... ie. do normal 'users' also use this script? (if so, then this would be a non-workable solution)
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    May 20, 2003
    Likes Received:
    Trophy Points:
    cPanel Access Level:
    Root Administrator
    You might find more help with questions like this on the wordpress support site. This link should be helpful, it mentions ideas like yours here:

    Disagree. You can never have too much security.
  3. quizknows

    quizknows Well-Known Member

    Oct 20, 2009
    Likes Received:
    Trophy Points:
    cPanel Access Level:
    DataCenter Provider
    Yes, this would work (a .htaccess in /home) but it's a lot of work to manage. And yes, normal users, not just admins, use wp-login.php.

    I've used modsecurity successfully to defend WP brutes on over 10,000 servers. simply put, it works.

    Most of the new brute forces are using the xmlrpc.php call anyway, not wp-login. I'm also defending against the xmlrpc.php brutes with modsecurity very successfully.

    New Brute Force Attacks Exploiting XMLRPC in WordPress | Sucuri Blog
    #3 quizknows, Aug 1, 2014
    Last edited: Aug 1, 2014

Share This Page