Stop WordPress Crashing From Brute-Force Attacks On wp-login.php

Just a few days ago, my VPS at Hostgator had a horrible crash. No matter how many times I restarted the container, the memory usage was always reaching 101% and the server died.

After 2 hours of struggling with the tech support, they finally told me that my server was under a brute force attack. The hackers or bots were trying to hit the wp-login.php file of one of the WordPress websites.

So WordPress was trying to run a query to check the login and password. This process took over 100% CPU usage and tried to hit MySQL too many times. So the server went into cooling down mode.

There is no easy way to block those IPs. So the temporary solution is to stop the bot from hitting the wp-login.php file and submitting the login and password, by password-protecting the wp-login.php page. It will then prompt for an extra login and password before the WordPress login form is reached.

This process adds an extra file lookup at the Apache level, so rejected requests never reach PHP or MySQL.

Here is how it works.

  1. Set up a hidden .wpadmin file above your website root. It's usually under /home/[username]/
  2. Run an SSH tool like putty.exe and log in to your web server as root.
  3. From /home/[username]/ execute the command line: htpasswd -c .wpadmin [login name] (the -c flag creates the file, overwriting it if it already exists)
  4. It will prompt you to enter a password.
  5. Once you have set up the file, you will need to add a few lines of code to the .htaccess file of each one of your WordPress installations:

# Return a short plain-text message instead of a full error page for rejected requests
ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
# Ask for HTTP Basic Auth credentials before Apache hands wp-login.php to PHP/WordPress
<FilesMatch "wp-login.php">
AuthName "Authorized Only"
AuthType Basic
# Absolute path to the htpasswd file created above, kept outside the web root
AuthUserFile /home/[username]/.wpadmin
Require valid-user
</FilesMatch>
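To see which clients are hammering wp-login.php and whether the Basic Auth block is actually stopping them at Apache (status 401) rather than letting them reach WordPress and MySQL, here is an added example that scans an Apache access log in the standard combined format. It is not part of the original post; the log lines are constructed, the IPs are documentation addresses, and the threshold of 2 attempts is an assumption you would raise on a real server.

```python
"""Summarise wp-login.php traffic from an Apache 'combined' access log.

Added example, not from the original post. Counts login attempts per client IP
and splits them into requests Apache rejected (401, cheap) and requests that
reached WordPress (anything else, which costs PHP CPU and MySQL queries).
"""
import re
from collections import Counter

# combined format: ip ident user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)

# Constructed sample (not a real log): one bot hitting before the .htaccess change
# (answered by WordPress, 200), one after it (stopped by Apache, 401), one real admin.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3520 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3520 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3520 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "POST /wp-login.php HTTP/1.1" 401 380 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "POST /wp-login.php HTTP/1.1" 401 380 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:14:02:10 +0000] "GET /index.php HTTP/1.1" 200 9211 "-" "Mozilla/5.0"
192.0.2.9 - admin [10/Oct/2023:14:03:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def summarise_login_attempts(log_text, threshold=2):
    """Return (attempts per IP, attempts per IP that reached WordPress,
    IPs with at least `threshold` attempts, busiest first) for wp-login.php."""
    attempts = Counter()
    reached_wp = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith("/wp-login.php"):
            continue
        ip = m.group("ip")
        attempts[ip] += 1
        # 401 = rejected by Apache before PHP ran; any other status reached WordPress
        if m.group("status") != "401":
            reached_wp[ip] += 1
    noisy = [ip for ip, n in attempts.most_common() if n >= threshold]
    return attempts, reached_wp, noisy


if __name__ == "__main__":
    attempts, reached_wp, noisy = summarise_login_attempts(SAMPLE_LOG)
    for ip in noisy:
        print(f"{ip}: {attempts[ip]} attempts, {reached_wp[ip]} reached WordPress")
```

On a live server, feed it the real access log (for example `open("/var/log/apache2/access.log").read()`); after the .htaccess change the "reached WordPress" column for the bots should drop to zero.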