Protect wp-login from Brute Force attacks that lack referrer

By North Street, A Creative Studio

This short snippet belongs in every WordPress .htaccess file. It checks that POST requests to wp-login.php carry a Referer header matching the site they live on, which blocks brute-force attempts that submit credentials without a matching referrer.

Make sure you update the “example.com” portion, or this won’t work!

<IfModule mod_rewrite.c>
RewriteEngine on
# Only POST requests are checked, so fetching the login form still works.
RewriteCond %{REQUEST_METHOD} =POST
# The referrer must come from this site over http or https, with or without
# a subdomain. The dots are escaped so they match literally, and the host
# must end right before the path or the end of the header.
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?example\.com(/|$) [NC]
# ...and the target is the login script or wp-admin.
RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^/wp-admin$
# Answer 403 and stop processing further rules.
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
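To see what the referrer condition accepts and rejects, here is an added Python model of the rule (not code from the original post) that runs the referrer pattern exactly as first written, `^http://(.*)?.example.com`, and a tightened one over a few constructed requests. Python's re module stands in for Apache's PCRE, which is close enough for these patterns; the tightened pattern and the sample hosts are this example's own assumptions.

```python
import re

# Referrer test as written in the original snippet: "http" only and
# unescaped dots, so each "." matches any single character.
ORIGINAL_REFERER = re.compile(r"^http://(.*)?.example.com", re.IGNORECASE)

# Tightened referrer test (an assumption of this example, not from the post):
# http or https, an optional subdomain, escaped dots, and the host must end
# right before the path separator or the end of the header.
TIGHTENED_REFERER = re.compile(r"^https?://([^/]+\.)?example\.com(/|$)",
                               re.IGNORECASE)

LOGIN_URI = re.compile(r"^/wp-login\.php(.*)$")
ADMIN_URI = re.compile(r"^/wp-admin$")


def blocked(method, uri, referer, referer_re=ORIGINAL_REFERER):
    """True when the RewriteRule would answer 403.

    Mirrors the RewriteCond chain: POST AND referer NOT matching
    AND (login URI OR admin URI). Apache expands a missing Referer
    header to the empty string, which neither pattern matches.
    """
    if method != "POST":
        return False
    if referer_re.search(referer):
        return False
    return bool(LOGIN_URI.search(uri) or ADMIN_URI.search(uri))


# Constructed sample requests: name -> (method, uri, Referer header).
SAMPLES = {
    "login from bare domain":     ("POST", "/wp-login.php", "http://example.com/wp-login.php"),
    "login from www":             ("POST", "/wp-login.php", "http://www.example.com/wp-login.php"),
    "login over https":           ("POST", "/wp-login.php", "https://example.com/wp-login.php"),
    "no referer":                 ("POST", "/wp-login.php", ""),
    "other site":                 ("POST", "/wp-login.php", "http://other.test/"),
    "other site, lookalike path": ("POST", "/wp-login.php", "http://other.test/?example-com"),
    "fetch login form":           ("GET",  "/wp-login.php", ""),
}


def evaluate(referer_re):
    """Map each sample name to whether the rule blocks it under referer_re."""
    return {name: blocked(*req, referer_re=referer_re) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    orig, tight = evaluate(ORIGINAL_REFERER), evaluate(TIGHTENED_REFERER)
    for name in SAMPLES:
        print(f"{name:28} original blocks: {orig[name]!s:5}  tightened blocks: {tight[name]}")
```

Note that the unescaped pattern requires at least one character before "example", so it rejects logins from the bare domain and from https, while matching "example-com" anywhere in a foreign URL. The Referer header is supplied by the client, so this rule only filters tools that omit it; rate limiting and strong credentials still carry the real load.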

Further reading:

http://codex.wordpress.org/Brute_Force_Attacks#Deny_Access_to_No_Referrer_Requests
