Protect WordPress login from brute force

Having a WordPress site means some sleepless nights. But no worries: we will add HTTP Basic authentication in front of the WordPress login page to protect it from brute force attacks.

Scenario

If you have a WordPress site, you may have noticed login attempts to it from different locations. The hard part is that most of these attempts come from different IPs.

Blocking an IP is not a good option, as it may change by the next attempt. It could also block legitimate users if the IP is a shared or dynamic public one.

There are other ways, and plugins are available for this (limiting login attempts, changing the login URL, etc.). But adding one more plugin to your system also adds one more place where you can be attacked. To avoid that, we will secure it on the server itself.

Installation

To create the password file we will use Apache's htpasswd utility. htpasswd is part of the Apache base package on Arch/Manjaro; on Ubuntu you can install apache2-utils:

sudo apt install apache2-utils

Create password

Create a password file in the /opt/ directory (you can save it anywhere, but don't save it in a publicly accessible location such as the web root). Change username to the actual username you want to use.

htpasswd -c /opt/.htpasswd username

Update WordPress .htaccess

Now we need to update the WordPress .htaccess file.

vim .htaccess

Add the following in it:

<FilesMatch "wp-login.php">
    AuthName "BruteForce"
    AuthType Basic
    AuthUserFile /opt/.htpasswd
    require valid-user
</FilesMatch>

What this does is: if the requested file matches wp-login.php, Apache asks for authentication before it serves it.

(Screenshot: browser authentication popup for wp-login.php)

After implementing this, you will see a popup asking for a username and password. This way you will no longer get an email for every login attempt, because you have blocked access to the login screen itself.
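As an added example (not part of the original post): the blocked attempts still show up in Apache's access log as 401 responses for wp-login.php, so you can count them per client IP to see what the Basic-auth layer is absorbing. The log lines below are constructed samples in Apache's combined log format, not real server output; only the Python standard library is used.

```python
import re
from collections import Counter

# Apache "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not from a real server): two IPs hammering
# wp-login.php and getting 401 from the Basic-auth layer, one legitimate
# user who authenticated (200), and unrelated traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:38 +0000] "GET /wp-login.php HTTP/1.1" 401 381 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.10 - editor [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:13:56:05 +0000] "GET /index.php HTTP/1.1" 200 9020 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def login_auth_failures(log_text, path="/wp-login.php"):
    """Count 401 responses for the protected login path, per client IP.

    A 401 means the request never reached WordPress: Apache rejected it at
    the Basic-auth layer, which is exactly what the FilesMatch block does.
    """
    failures = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].split("?")[0] == path and rec["status"] == "401":
            failures[rec["ip"]] += 1
    return failures

def noisy_clients(failures, threshold=3):
    """IPs whose 401 count reaches the threshold, sorted, for manual review."""
    return sorted(ip for ip, n in failures.items() if n >= threshold)

if __name__ == "__main__":
    f = login_auth_failures(SAMPLE_LOG)
    print(dict(f))            # {'203.0.113.7': 3, '198.51.100.23': 1}
    print(noisy_clients(f))   # ['203.0.113.7']
```

Run it against /var/log/apache2/access.log (or your vhost's log) instead of SAMPLE_LOG to see the real numbers; the legitimate user who authenticated shows up as 200, not 401.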