A simple way of deflecting brute-force attacks is to require an additional password to access the WordPress login screen. Lots of security plugins will do this for you, but again, sometimes it’s better to DIY.
I put a .htaccess file in the wp-admin directory and that almost completely worked, but mystifyingly, and irritatingly, there would be regular failed login attempts. Not very often. About every 20 minutes or so. But I was irked (I tell you), as I couldn’t work out why they were happening.
My .htaccess file looked a bit like this:
<RequireAll>
    AuthName "my site"
    AuthType Basic
    AuthUserFile <myauthfile>
    Require valid-user
</RequireAll>
A few searches turned up references to differences between Apache 2.2 and 2.4, and I thought that perhaps it was a syntax thing. But that didn’t seem to be it.
I did two things in the end, so I’m not sure what fixed it.
- I modified the .htaccess entry to specifically reference the file wp-login.php.
- I moved the .htaccess file to the parent directory.
So the relevant code looks something like:
<FilesMatch "wp-login.php">
    AuthType Basic
    AuthName "Secret stuff"
    AuthUserFile <my auth file>
    Require valid-user
</FilesMatch>
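The second change is the one that matters: wp-login.php lives in the WordPress root directory next to wp-admin, not inside it, so an .htaccess inside wp-admin never covered the login page itself. The quickest way to confirm that the Basic auth challenge is actually in front of the login page is to look at the Apache access log, where the third field is the Basic auth user (blank when no credentials were accepted) and a request stopped by the password prompt is logged with status 401. The script below is an added example, not part of the original post; the log lines in it are constructed, and the function names are my own.

```python
"""
Audit an Apache access log for requests to wp-login.php and report which of
them got past the HTTP Basic auth layer, i.e. were answered with something
other than 401 without an authenticated user in the %u field.
"""
import re
from collections import Counter

# Apache combined log format:
#   host ident user [time] "METHOD path PROTO" status bytes "referer" "agent"
# %u (third field) is the Basic auth user, or "-" when none was accepted.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: one client posting to the login form roughly every
# 20 minutes, first getting through (200), later hitting the 401 challenge,
# plus an operator who authenticated as "alice" via Basic auth.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:10:20:14 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2024:10:21:30 +0000] "GET /wp-admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:10:40:02 +0000] "POST /wp-login.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.4 - alice [01/Jan/2024:11:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def login_attempts(log_text):
    """All parsed requests whose path is wp-login.php (query string ignored)."""
    records = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if path.endswith("/wp-login.php"):
            records.append(rec)
    return records


def unprotected_attempts(log_text):
    """Login-page requests that reached WordPress without passing Basic auth.

    A request is "unprotected" when Apache did not answer 401 and no Basic
    auth user was recorded, which means the .htaccess rule did not cover
    wp-login.php at that time.
    """
    return [
        r for r in login_attempts(log_text)
        if r["status"] != 401 and r["user"] == "-"
    ]


def summarize(log_text):
    """Per client host: how many login-page requests got through vs were challenged."""
    passed, challenged = Counter(), Counter()
    for r in login_attempts(log_text):
        if r["status"] == 401:
            challenged[r["host"]] += 1
        else:
            passed[r["host"]] += 1
    return {"passed": dict(passed), "challenged": dict(challenged)}


if __name__ == "__main__":
    for r in unprotected_attempts(SAMPLE_LOG):
        print(f"{r['time']}  {r['host']}  {r['method']} {r['path']} -> {r['status']} (no Basic auth)")
    print(summarize(SAMPLE_LOG))
```

Run it against a real log with `summarize(open("/var/log/apache2/access.log").read())` (path assumed; adjust for your server). If `passed` still contains entries with no Basic auth user after the .htaccess move, the rule is not in front of wp-login.php yet; once it is, every unauthenticated hit on the login page should show up under `challenged` as a 401.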