.htaccess for entire /home to stop wp-login.php bruteforce ...feasible?

Discussion in 'Security' started by qwerty, Jul 31, 2014.

  1. qwerty

    qwerty Well-Known Member

    Jan 21, 2003
    Like for many others, our cPanel servers are getting hammered day in, day out with wp-login.php login attempts.

    Not on such a huge scale that they're causing trouble, but I worry that without any restrictions they're bound to brute force their way into some of the customers' WordPress blogs.

    This is NOT about mod_security - I am aware there are rules out there, but from what I've read they're either easily circumvented or create more issues than they solve.

    What I had in mind was... putting a .htaccess in /home directly and specifying directives in it such that whenever someone attempts to access wp-login.php anywhere under /home/ - they're subjected to a list of allowed IPs.

    I can email my customers and get their static IPs to add to the list so that they're able to access wp-login.php

    Is this feasible? What possible issues could I run into? Does WordPress use wp-login.php for anything other than ADMIN login ... i.e. do normal 'users' also use this script? (if so, then this would be a non-workable solution)
  2. Infopro

    Infopro cPanel Sr. Product Evangelist Staff Member

    May 20, 2003
    cPanel Access Level:
    Root Administrator
    You might find more help with questions like this on the WordPress support site. This link should be helpful, it mentions ideas like yours here:

    Disagree. You can never have too much security.
  3. quizknows

    quizknows Well-Known Member

    Oct 20, 2009
    cPanel Access Level:
    DataCenter Provider
    Yes, this would work (a .htaccess in /home) but it's a lot of work to manage. And yes, normal users, not just admins, use wp-login.php.

    I've used ModSecurity successfully to defend WP brutes on over 10,000 servers. Simply put, it works.

    Most of the new brute forces are using the xmlrpc.php call anyway, not wp-login. I'm also defending against the xmlrpc.php brutes with ModSecurity very successfully.

    New Brute Force Attacks Exploiting XMLRPC in WordPress | Sucuri Blog
    #3 quizknows, Aug 1, 2014
    Last edited: Aug 1, 2014
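
The /home/.htaccess allowlist discussed in this thread, as an added example that is not code from any of the posters. The IP addresses are constructed placeholders from the documentation ranges, and it assumes the server's AllowOverride setting for /home permits AuthConfig (Apache 2.4) or Limit (Apache 2.2).

```apache
# /home/.htaccess
# Apache reads .htaccess files from every directory on the path to the
# requested file, so rules placed here reach /home/<user>/public_html/...
# as long as AllowOverride is enabled for /home in the server config.

<Files "wp-login.php">
    # Apache 2.4: mod_authz_core is present, use Require.
    # Several Require lines in one section are OR-ed together.
    <IfModule mod_authz_core.c>
        Require ip 203.0.113.10
        Require ip 198.51.100.0/24
    </IfModule>

    # Apache 2.2: no mod_authz_core, use the older Order/Deny/Allow syntax.
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
        Allow from 203.0.113.10
        Allow from 198.51.100.0/24
    </IfModule>
</Files>

# Scope notes:
# - Every visitor who logs in through wp-login.php (not only admins) is
#   subject to this list, so each customer's users need an entry too.
# - This covers wp-login.php only; requests to xmlrpc.php are not touched.
# - An .htaccess lower in the tree (for example in a customer's
#   public_html) can declare its own access rules for the same file and
#   take precedence, so this acts as a default, not an enforced policy.
```

After deploying, a request for wp-login.php from an address outside the list should return 403 on every account, while other WordPress pages stay reachable.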
