In recent months, we learned that there is an ongoing, highly distributed effort to attack
Wordpress websites with poorly secured administrator passwords.
This attack is highly organised, using over 90,000 IP addresses in an attempt to guess the
administrator password for WordPress sites.
We are aware of these efforts and are deploying a series of counter-measures to protect our
customers against this effort.
We do, however, encourage our customers to take steps to ensure their WordPress sites are not
compromised due to weak or insecure passwords.
The following are several ways customers can further protect their WordPress sites:
WordPress BulletProof Security Plugin
The WordPress BulletProof Security Plugin is a free, multi-purpose security tool for WordPress
intended to protect your WordPress site against a variety of security attacks.
This tool is installed like any other WordPress plugin and provides a number of tools customers can use to improve the security of their site.
If you are interested, you can find more details about the plugin at http://wordpress.org/extend/plugins/bulletproof-security/
WordPress Better WP Security Plugin
Another alternative plugin for WordPress, “Better wordpress security” provides extra features, and security measures which are widely used, and provides it in a single plugin which is easy to manage, and provides many methods for protection.
If you are interested, you can find more details about the plugin at http://wordpress.org/extend/plugins/better-wp-security/
Deny Access to your wp-login.php Page based on Country Code
Another method, which can assist, is by utilizing a rewrite which would deny access to your websites back-end unless the user is identified as being in Australia or New Zealand.
For anyone who runs a blog which is centralized around being logged into by Australian and New
Zealand users, this method would be a good start for security, as the attacks are generally originating from foreign networks.To deny access to IP addresses other than those from Australia and New Zealand add the following block of code in the /home/username/.htaccess file:
SetEnvIf GEOIP_COUNTRY_CODE AU AllowCountry
SetEnvIf GEOIP_COUNTRY_CODE NZ AllowCountry
Deny from all
Allow from env=AllowCountry
Note: replace “username” above with your cPanel username.
Password Protect Your wp-login.php Page
Another method, similar to above, is instead of blocking access based on a country, is assigning a password to your login pages.
There are two steps in accomplishing this. First you need to define a password in the .wpadmin file, and then you activate the security in the .htaccess file.
Step 1: Create the Password File
Create a file named .wpadmin and place it in your home directory, where visitors can’t access it.
(Please note there is a period preceding the wpadmin in that file name.) The following example is for cPanel. Plesk would require placing the file in/var/www/vhosts or /var/www/vhosts/domain.
(where “username” is the cPanel username for the account.)
Put the username and encrypted password inside the .wpadmin file, using the
(where “john” is a username of your choice, and the password shown is encrypted.)
Generate Password File & Uploading Via File Manager or FTP
One way to do this is to generate the file using the website linked below, and then upload it to your
site via FTP or File Manager. In the directions below, we will use File Manager, but you could use FTP
instead, for those of you familiar with FTP.
1. Visit: http://www.htaccesstools.com/htpasswd-generator/
2. Use the form to create the username and password.
3. Login to cPanel in another window or tab.
4. Click on File Manager.
5. Select Home Directory.
6. Check Show Hidden Files (dotfiles) if not already checked.
7. Click on the Go button.8. Look for a .wpadmin file.
o If one exists, right click on it and select Code Edit to open the editor. Click on
the Edit button to edit the file.
o If one does not exist, click on New File at the top of the page, and specify the
name as .wpadmin (with the dot at the front) and click on the Create New
9. Paste the code provided from the website in step 2.
10. Click on the Save Changes button when complete.
11. You can Close the file when finished.
Step 2: Update the .htaccess File
All domains under the home directory will share the common .wpadmin file. (The command listed in
Option B above creates the /home/username/.wpadmin file due to the -c.)
The last step is to place the following code in the /home/username/.htaccess file:
ErrorDocument 401 “Unauthorized Access”
ErrorDocument 403 “Forbidden”
AuthName “Authorised Users Only”
Note: in the above examples, you would of course replace “username” above with your