Protect wp-login from Brute Force attacks that lack referrer
This simple bit of code belongs in every .htaccess file on a WordPress site. It checks that a POST to wp-login.php or /wp-admin carries a Referer header pointing at the site it lives on; a POST that lacks a Referer (or whose Referer points somewhere else) gets a 403, which stops brute-force scripts that post credentials directly without ever loading the login form.
Make sure you replace the “example.com” portion with your own domain, or this won’t work (every login POST would get a 403, including your own)!
<IfModule mod_rewrite.c>
    RewriteEngine on
    # Only POSTs are checked: the login form itself must still load via GET
    RewriteCond %{REQUEST_METHOD} =POST
    # "!" negates the match: block unless the Referer points at this site
    # (bare domain or any subdomain, http or https; the dot is escaped)
    RewriteCond %{HTTP_REFERER} !^https?://(.*\.)?example\.com [NC]
    # ...and the request targets wp-login.php (any query string) or exactly /wp-admin
    RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^/wp-admin$
    # All conditions met: answer 403 Forbidden and stop processing
    RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
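To see exactly which requests the rule above lets through and which it refuses, here is a small Python model of the RewriteCond logic, added as an example (it is not part of the original post and not an Apache component). It assumes the site host is example.com, encodes the Referer pattern as ^https?://(.*\.)?example\.com, and also evaluates a looser variant often seen in copied snippets (http only, unescaped dot, no optional dot before the host) to show that it rejects a legitimate POST whose Referer is the bare domain. The sample requests are constructed, not real logs. Keep in mind that the Referer header is supplied by the client, so this rule only filters scripts that do not bother to set one; it is a cheap first layer, not a substitute for rate limiting or strong credentials.

```python
import re
from typing import NamedTuple

SITE_HOST = "example.com"  # assumption: replace with the domain the site actually lives on

# Pattern used by the rule:  RewriteCond %{HTTP_REFERER} !^https?://(.*\.)?example\.com [NC]
SITE_REFERER = re.compile(r"^https?://(.*\.)?" + re.escape(SITE_HOST), re.IGNORECASE)
# Looser variant seen in copied snippets: http only, unescaped dot, and a mandatory
# character before the host, which makes "http://example.com/..." fail to match.
LOOSE_PATTERN = re.compile(r"^http://(.*)?.example.com", re.IGNORECASE)

# Patterns of the two URI conditions:
#   RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$ [OR]
#   RewriteCond %{REQUEST_URI} ^/wp-admin$
LOGIN_URI = re.compile(r"^/wp-login\.php(.*)$")
ADMIN_URI = re.compile(r"^/wp-admin$")


class Request(NamedTuple):
    method: str
    uri: str
    referer: str  # "" when the header is absent


def referer_matches(pattern: re.Pattern, referer: str) -> bool:
    """True when the Referer value satisfies the given (non-negated) pattern."""
    return pattern.search(referer) is not None


def blocked(req: Request) -> bool:
    """Return True when the .htaccess rule would answer 403.

    Apache ANDs consecutive RewriteConds unless [OR] is set, so the rule reads:
      method is POST
      AND Referer does NOT match the site
      AND (URI is /wp-login.php... OR URI is exactly /wp-admin)
    """
    if req.method != "POST":
        return False
    if referer_matches(SITE_REFERER, req.referer):
        return False
    return bool(LOGIN_URI.search(req.uri) or ADMIN_URI.search(req.uri))


# Constructed sample traffic with the expected decision for each request
SAMPLES = [
    (Request("POST", "/wp-login.php", ""), True),                      # no Referer: scripted login attempt
    (Request("POST", "/wp-login.php", "http://other.test/"), True),    # Referer from another host
    (Request("POST", "/wp-login.php", "https://example.com/wp-login.php"), False),
    (Request("POST", "/wp-login.php?action=lostpassword",
             "https://www.example.com/wp-login.php"), False),          # subdomain, query string
    (Request("GET", "/wp-login.php", ""), False),                      # GETs never blocked: form must load
    (Request("POST", "/wp-admin", ""), True),
    (Request("POST", "/wp-admin/admin-ajax.php", ""), False),          # not matched by ^/wp-admin$
    (Request("POST", "/index.php", ""), False),                        # rule only covers login paths
]


def check_samples() -> dict:
    """Evaluate every sample; raises if any decision differs from the expectation."""
    results = {}
    for req, expected in SAMPLES:
        results[req] = blocked(req)
        assert results[req] == expected, req
    return results


if __name__ == "__main__":
    for req, _ in SAMPLES:
        verdict = "403" if blocked(req) else "pass"
        print(f"{verdict:4} {req.method:4} {req.uri} referer={req.referer!r}")
    bare = "http://example.com/wp-login.php"
    print("loose pattern accepts bare-domain referer:", referer_matches(LOOSE_PATTERN, bare))
    print("site pattern accepts bare-domain referer: ", referer_matches(SITE_REFERER, bare))
```

Run it and every line shows whether Apache would serve or refuse that request; the last two lines show why the dot before the host must be inside the optional group.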
Further reading:
http://codex.wordpress.org/Brute_Force_Attacks#Deny_Access_to_No_Referrer_Requests