Every day we see attempts to access WordPress admin sections with brute-force attacks. There are plugins to help with this, but a plugin still cannot stop the traffic actually terminating on your site, so if you are the victim of a brute-force attack there is a pretty high chance that your site will use up its resources.
We protect you at server level: with mod_security and our firewall we keep people out, and once our rules are triggered the traffic no longer reaches your site, so you can carry on as normal.
There are, however, further steps you can take. By adding a password to your admin directory with cPanel you stop anyone reaching the admin section in the first place, and repeated incorrect credentials will block them from every site on the server.
Please note that if you run a membership website this option is not for you, as anyone wanting to log in would be subjected to the extra layer of security. It is a no-brainer, though, if you are the only person who logs in to your site. If a few of you log in you can give them separate passwords or share the same one, but this could be highly admin-intensive if you have hundreds of members/users and want to give each of them a separate password.
So, to be clear, this insists that you give the correct username and password before you can even reach the WordPress admin screen to log in.
Protect the wp-admin section
Firstly you need to protect the admin section of your website. This is done by following our guide on how to protect a directory: https://www.birchhosting.com/protect-directory-in-cpanel
The directory you need to protect is wp-admin, which is found at public_html/wp-admin
Once this is done, go back to cPanel.
Edit your wp-admin .htaccess file
1. Under the Files section, click on File Manager.
2. Select the Document Root for your domain.
3. Check Show Hidden Files (dotfiles), then click Go. (This is done with the Settings button in the top right.)
Now you're ready to start editing.
4. From the left-hand directory listing, expand public_html.
5. Click on wp-admin, then right-click on your .htaccess file. If there isn't one there, create a new file called .htaccess
6. Then click on Edit.
7. For the encoding pop-up, click on Edit again to bypass it.
Add the following code to your /wp-admin/.htaccess file
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"

# Allow plugin access to admin-ajax.php around password protection
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>

AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/cpanelusername/.htpasswds/public_html/wp-admin/passwd"
require valid-user

Don't forget to change cpanelusername to your cPanel username.
8. Now make sure to save the /wp-admin/.htaccess file with the added code in it, as in the next step you'll be editing the /public_html/.htaccess file.
Edit the public_html .htaccess file
9. From the left-hand directory listing, click on public_html. Right-click on your .htaccess file in the right pane, then click on Edit.
10. Now make sure this file looks like this:
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"

<FilesMatch "wp-login.php">
    AuthType Basic
    AuthName "Secure Area"
    AuthUserFile "/home/cpanelusername/.htpasswds/public_html/wp-admin/passwd"
    require valid-user
</FilesMatch>

Don't forget to change cpanelusername to your cPanel username.
11. Save the file.
All done. Now when you try to access /wp-admin/ or wp-login.php the server will prompt you for the username and password, and once you are in you can use your admin section as normal.
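Once this is in place, every password guess against wp-login.php or /wp-admin/ is rejected by Apache with a 401 before WordPress runs, and those rejections appear in your domain's raw access log. The script below is an added example (not part of the original article and not Birch Hosting's tooling) that reads Apache combined-format access log lines, counts 401 responses on the two protected paths per client IP, skips admin-ajax.php because the config above deliberately exempts it, and flags any IP that reaches a number of failures within a time window. The sample log lines, the threshold of 10 failures and the 5-minute window are constructed/assumed values.

```python
"""Spot brute-force attempts absorbed by the wp-admin Basic Auth layer.

Added example: parses Apache combined-format access log lines and
reports client IPs that rack up 401s on the protected paths.
"""
import re
from collections import defaultdict
from datetime import datetime

# Paths that the two .htaccess files put behind HTTP Basic Auth.
PROTECTED = re.compile(r"^/(wp-login\.php|wp-admin/)")
# admin-ajax.php is exempted by the "Satisfy any" block, so a 401 there
# is not an auth failure caused by this protection and is not counted.
EXEMPT = re.compile(r"^/wp-admin/admin-ajax\.php")

# Apache "combined" log format, enough fields for our purpose.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop query string
        "status": int(m["status"]),
    }


def _is_auth_failure(rec):
    return (rec is not None and rec["status"] == 401
            and PROTECTED.match(rec["path"]) is not None
            and EXEMPT.match(rec["path"]) is None)


def auth_failures(lines):
    """Return {ip: count} of 401s against the protected paths."""
    counts = defaultdict(int)
    for rec in (parse_line(l) for l in lines):
        if _is_auth_failure(rec):
            counts[rec["ip"]] += 1
    return dict(counts)


def flag_sources(lines, threshold=10, window_seconds=300):
    """Return sorted IPs with >= threshold failures inside any window.

    threshold and window_seconds are assumed tuning values, not figures
    from the article. Uses a sliding window over each IP's timestamps.
    """
    times = defaultdict(list)
    for rec in (parse_line(l) for l in lines):
        if _is_auth_failure(rec):
            times[rec["ip"]].append(rec["ts"])
    flagged = []
    for ip, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            while (ts[end] - ts[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


# --- constructed sample log (TEST-NET addresses, not real clients) ---
def _sample_line(ip, ts, path, status):
    return f'{ip} - - [{ts}] "POST {path} HTTP/1.1" {status} 381 "-" "Mozilla/5.0"'


SAMPLE_LOG = [
    # one source guessing passwords: 12 rejections in 33 seconds
    _sample_line("203.0.113.7", f"10/Mar/2024:14:02:{s:02d} +0000", "/wp-login.php", 401)
    for s in range(0, 36, 3)
] + [
    # a legitimate admin who mistyped once, then got in
    _sample_line("198.51.100.20", "10/Mar/2024:14:05:10 +0000", "/wp-login.php", 401),
    _sample_line("198.51.100.20", "10/Mar/2024:14:05:25 +0000", "/wp-login.php", 200),
    # plugin traffic through the admin-ajax.php exemption, plus a normal page
    _sample_line("192.0.2.5", "10/Mar/2024:14:06:00 +0000", "/wp-admin/admin-ajax.php", 200),
    _sample_line("192.0.2.5", "10/Mar/2024:14:06:01 +0000", "/index.php", 200),
]

if __name__ == "__main__":
    for ip, n in sorted(auth_failures(SAMPLE_LOG).items()):
        print(f"{ip:16} {n} auth failure(s)")
    print("flagged:", flag_sources(SAMPLE_LOG))
```

To run it against a real log, replace SAMPLE_LOG with the lines of the access log downloaded from cPanel's Raw Access section; a flagged IP is one the password layer is already holding off, which is what you want to see before deciding whether a firewall block is also worthwhile.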