A simple way of deflecting brute-force attacks is to require an additional password to access the WordPress login screen. Lots of security plugins will do this for you, but again, sometimes it’s better to DIY.
I put a `.htaccess` file in the `wp-admin` directory and that almost completely worked, but mystifyingly, and irritatingly, there would be regular failed login attempts. Not very often. About every 20 minutes or so. But I was irked (I tell you), as I couldn't work out why they were happening.

The `.htaccess` file looked a bit like this:
```apache
<RequireAll>
AuthName "my site"
AuthType Basic
AuthUserFile <myauthfile>
Require valid-user
</RequireAll>
```
A few searches made references to differences between Apache 2.2 and 2.4, and I thought that perhaps it was a syntax thing. But that didn't seem to be it.
I did two things in the end, so I’m not sure what fixed it.
- I modified the `.htaccess` entry to specifically reference the file
- I moved the `.htaccess` file to the parent directory.
So the relevant code looks something like:
```apache
<FilesMatch "wp-login.php">
AuthType Basic
AuthName "Secret stuff"
AuthUserFile <my auth file>
Require valid-user
</FilesMatch>
```
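One thing worth knowing when placing that file: `wp-login.php` lives in the WordPress root directory, not inside `wp-admin`, so a `.htaccess` that only covers `wp-admin` never sees requests to the login form itself. A quick way to confirm the Basic auth layer is actually in front of the login page is to read the Apache access log: once the `FilesMatch` rule is in place, every request to `wp-login.php` without valid credentials should be answered with a 401 before WordPress ever runs. The script below is an added example, not code from the post; it parses a few constructed lines in Apache's `combined` log format, separates login-surface requests that were challenged (401) from those that reached WordPress, and reports the spacing of attempts per source address so a regular pattern like "every 20 minutes" is easy to spot.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines in Apache "combined" format (not from the post).
# The first two POSTs to wp-login.php got a 200, i.e. WordPress rendered the
# login form; the later one was stopped by Basic auth with a 401.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:20:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:21:10 +0000] "GET /wp-admin/ HTTP/1.1" 401 381 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:10:40:05 +0000] "POST /wp-login.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.4 - - [10/Mar/2024:10:41:00 +0000] "GET /index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Fields of the combined format we need: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def is_login_surface(path):
    """True for the paths the .htaccess rule is meant to cover."""
    path = path.split("?", 1)[0]  # ignore any query string
    return path == "/wp-login.php" or path.startswith("/wp-admin/")


def audit(log_text):
    """Split login-surface requests into (unchallenged, challenged).

    'challenged' means Apache answered 401, so Basic auth ran before WordPress.
    Anything else reached WordPress and is what a brute-forcer would exercise.
    """
    unchallenged, challenged = [], []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not is_login_surface(entry["path"]):
            continue
        (challenged if entry["status"] == 401 else unchallenged).append(entry)
    return unchallenged, challenged


def summarize(log_text):
    """Counts of challenged/unchallenged hits, plus unchallenged hits per source IP."""
    unchallenged, challenged = audit(log_text)
    return {
        "unchallenged": len(unchallenged),
        "challenged": len(challenged),
        "per_ip": dict(Counter(e["ip"] for e in unchallenged)),
    }


def attempt_intervals(log_text):
    """Minutes between successive login-surface hits, per source IP (rounded)."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and is_login_surface(entry["path"]):
            by_ip[entry["ip"]].append(entry["ts"])
    intervals = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        intervals[ip] = [
            round((b - a).total_seconds() / 60) for a, b in zip(stamps, stamps[1:])
        ]
    return intervals


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(attempt_intervals(SAMPLE_LOG))
```

Run it against a real `access.log` by reading the file into `audit()` instead of `SAMPLE_LOG`; after the `FilesMatch` rule is working, the `unchallenged` count for `wp-login.php` should drop to zero for anyone who is not you.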