Protect wp-login from Brute Force attacks that lack referrer

By North Street, A Creative Studio

This simple bit of code should be in every htaccess file. Basically it makes sure that the wp-login referrer matches the site it lives on, to protect against brute force attacks.

Make sure you update the “example.com” portion, or this won’t work!

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP_REFERER} !^http://(.*)?.example.com [NC]
RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^/wp-admin$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

Further reading:

http://codex.wordpress.org/Brute_Force_Attacks#Deny_Access_to_No_Referrer_Requests

About north street

We engineer the thoughtful transformation of great organizations. Our proven process helps us understand what your competitors are doing right — and wrong. Want to learn more? Let’s chat.

More Notes

London Biedron Header

Team Spotlight: London Biedron, Client Development Specialist

Rebrand

How to Roll Out a Rebrand

12 Mood Boards to Inspire Your Rebrand