This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.
Protect wp-login from Brute Force attacks that lack referrer
By North Street, A Creative Studio
This simple bit of code should be in every htaccess file. Basically it makes sure that the wp-login referrer matches the site it lives on, to protect against brute force attacks.
Make sure you update the “example.com” portion, or this won’t work!
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP_REFERER} !^http://(.*)?.example.com [NC]
RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^/wp-admin$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
Further reading:
http://codex.wordpress.org/Brute_Force_Attacks#Deny_Access_to_No_Referrer_Requests
About north street
We engineer the thoughtful transformation of great organizations. Our proven process helps us understand what your competitors are doing right — and wrong. Want to learn more? Let’s chat.