How to stop the brute-force attacks on your WordPress blog

First of all, this article is mostly for WordPress users who host their blogs on a VPS. Some of the advice I’ll give you will also improve your security on shared hosting, but there most of the weight falls on your hosting provider.

1. The MOST important thing to do (or NOT do, in this case) is to NOT use the “admin” username… no, really, don’t. Most automated brute-force attacks explicitly target the “admin” username, because it was the default username for quite some time and a lot of people are still using it.

2. Use strong passwords! I can’t stress this enough: use password generators. There are a lot of password generators available online (for example

3. Install WordFence and spare 10 minutes of your time to configure it, especially the Firewall Rules (WP Admin > WordFence > Options > Firewall rules). They can be a life saver during brute-force attacks!

So much for shared hosting… now let’s see what you can do if you manage your own VPS.

4. Install and configure mod_evasive
I’ll go through the steps for setting up mod_evasive on Debian (and probably Ubuntu):

  • Installation
  • Create the log directory
  • Configure mod_evasive
  • Restart Apache

root@yourhost# apt-get install libapache2-mod-evasive
root@yourhost# mkdir -p /var/log/apache2/evasive
root@yourhost# chown -R www-data:root /var/log/apache2/evasive
root@yourhost# vi /etc/apache2/mods-available/mod-evasive.load
#And add the following content (should be safe to copy as-is):
LoadModule evasive20_module /usr/lib/apache2/modules/mod_evasive20.so

DOSHashTableSize 3097                    # size of the per-child hash table that tracks clients
DOSPageCount 2                           # requests for the same page per client within DOSPageInterval
DOSSiteCount 50                          # requests for any object on the site per client within DOSSiteInterval
DOSPageInterval 5                        # seconds
DOSSiteInterval 1                        # seconds
DOSBlockingPeriod 10                     # seconds a client is answered with 403 once it trips a limit
DOSLogDir "/var/log/apache2/evasive"
#Save and exit
root@yourhost# service apache2 restart

If Apache restarted normally you now have a working mod_evasive; if not, feel free to ask in the comments section and I’ll do my best to help.
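To get a feel for what those thresholds mean for real traffic, here is an added example (not part of the original post and not mod_evasive’s own code) that replays constructed Apache access-log lines through a sliding-window model of the DOSPageCount/DOSPageInterval and DOSSiteCount/DOSSiteInterval counters and reports the moment each client would enter its DOSBlockingPeriod. mod_evasive itself keeps a hash table with per-interval resets rather than a true sliding window, so treat this as an approximation for tuning, not a reimplementation; the function names, the sample log and the TEST-NET addresses in it are my own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Thresholds copied from the mod_evasive configuration above.
DOS_PAGE_COUNT, DOS_PAGE_INTERVAL = 2, 5    # same URI per client IP within N seconds
DOS_SITE_COUNT, DOS_SITE_INTERVAL = 50, 1   # any URI per client IP within N seconds
DOS_BLOCKING_PERIOD = 10                    # seconds an offending IP keeps getting 403s
# Apache combined log: client ident user [timestamp] "METHOD PATH PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:47 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""  # constructed sample (not real traffic): one client hammers wp-login.php, one logs in normally

def parse_line(line):
    """Return (ip, unix_time, path) from one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, _status = m.groups()
    t = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return ip, t, path.split("?", 1)[0]

def evasive_decisions(lines):
    """Replay log lines through sliding-window counters; return (ip, time) pairs where a block starts."""
    page_hits = defaultdict(deque)   # (ip, path) -> hit times inside DOS_PAGE_INTERVAL
    site_hits = defaultdict(deque)   # ip -> hit times inside DOS_SITE_INTERVAL
    blocked_until, blocks = {}, []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, t, path = parsed
        if blocked_until.get(ip, 0) > t:
            continue                 # inside the blocking period: Apache answers 403
        for table, key, limit, interval in ((page_hits, (ip, path), DOS_PAGE_COUNT, DOS_PAGE_INTERVAL),
                                             (site_hits, ip, DOS_SITE_COUNT, DOS_SITE_INTERVAL)):
            window = table[key]
            window.append(t)
            while t - window[0] >= interval:   # drop hits older than the interval
                window.popleft()
            if len(window) > limit and blocked_until.get(ip, 0) <= t:
                blocked_until[ip] = t + DOS_BLOCKING_PERIOD
                blocks.append((ip, t))
    return blocks
```

With DOSPageCount 2 the third request for the same page inside five seconds already trips the block, so a legitimate user who reloads wp-login.php after a typo is close to the limit; check DOSLogDir for false positives before tightening further.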

5. Protect your wp-login.php file with .htaccess

  • SSH to your VPS and run the following command, replacing the username with the one you want and the path with your real WordPress path:
    htpasswd -c /your_wordpress_path/.wpadmin someusername
  • Edit your WordPress .htaccess and add the following:
    ErrorDocument 401 "Unauthorized Access"
    ErrorDocument 403 "Forbidden"
    <FilesMatch "wp-login.php">
    AuthName "Authorized Only"
    AuthType Basic
    AuthUserFile /your_wordpress_path/.wpadmin
    require valid-user
    </FilesMatch>

I’ve successfully protected several WPMU installations under intensive brute-force attacks this way. If you feel like there is something to add to that list, feel free to Contact me or write in the comments :)