CMS Brute Force Protection - htaccess
Content management systems (CMS) such as Wordpress and Joomla! have become regular targets of brute force attempts. The most common way these types of attacks are performed is by hitting the wp-admin.php and administrator/index.php with thousands of requests with generic usernames and passwords with the hope that one combination eventually will provide them access and allow them free reign to your content.
Regardless of the reason they want in, there are a few ways to protect your login pages. One of the most primitive yet effective ways is by restricting access to the admin pages with an .htaccess file that only allows requests through if those requests are on a white list. Below are the additions you'll want to use for Wordpress and Joomla specifically, but these can be tweaked to restrict access to any file or directory with some simple adjustment.
Wordpress or File Specific Restriction:
- Generate an .htaccess file within the directory for the file you wish to protect. Wordpress, by default, has an .htaccess within the domain root. You will want to edit the existing file if protecting wordpress
- Paste the following code in the .htaccess:
# Wordpress/File Specific Brute Force Protection
<Files wp-login.php>
order deny,allow
deny from all
# Add additional IP space below by adding IP or partial range
# Cartika VPN
allow from 67.22.128.101
# Add client IP(s) in place of y and z. Remove comment
#allow from y.y.y.y
#allow from z.z.z.z
</Files>
- Change wp-login.php to the name of the file you want to restrict access to by IP
- Save the file
That is all that is necessary for WP
Joomla! or Directory Specific Protection:
This is virtually the same, in fact slightly easier than WP/file specific.
- Within the directory you wish to protect, generate an .htaccess if one doesn't already exist
- Paste the following code in the .htaccess:
# Joomla/Directory Brute Force Protection
order deny,allow
deny from all
# Add additional IP space below by adding IP or partial range
# Cartika VPN
allow from 67.22.128.101
# Add client IP(s) in place of y and z. Remove comment
#allow from y.y.y.y
#allow from z.z.z.z
- Save the file
As you can see, there is no designation for a file. .htaccess applies to the directory in which it resides. Do not do this in your domain root unless you are developing the site and don't want anyone to be able to reach it except specific IPs.
If you run into any issues or have any questions, don't hesitate to contact support via our ticketing system.
Related Articles
How to force HTTPS using the .htaccess file
To force all web traffic to use HTTPS - insert the following lines of code in the .htaccess file in your website's root folder. Important:If you have existing code in your .htacess, add this above where there are already rules with a similar starting ...
Force SSL with htaccess on linux
if you already have a .htaccess just edit it using the same command above. Add the following contents to it: SSLOptions +StrictRequire SSLRequireSSL SSLRequire %{HTTP_HOST} eq "domainname.com" Save and exit. Make sure that the permission ...
Force SSL with htaccess on linux
if you already have a .htaccess just edit it using the same command above. Add the following contents to it: SSLOptions +StrictRequire SSLRequireSSL SSLRequire %{HTTP_HOST} eq "domainname.com" Save and exit. Make sure that the permission ...
.htaccess
.htaccess Example of URI Redirects in a WP Site: [root@ca-web1 aiglebleu.org]# cat .htaccess # Redirects <IfModule mod_rewrite.c> RewriteCond %{REQUEST_URI} (entag/)(.*) RewriteRule ^(.*)entag/(.*)$ http://www.aiglebleu.org/en/$2 [NC,L] ...
Force www.MyDomain.com or without www (MyDomain.com) in a URL
I would like to force my sites to show www.MyDomain.com or to show without www. How can I do this? This is easily done with our linux servers by using the following .htaccess directives. .htaccess is a regular text file that can be created in the ...