The wp-login.php file
The wp-login.php file is the file used by WordPress to allow you to login to the WordPress Admin area of your site. WordPress powers over 33% of the sites on the internet and there are almost 25 million WordPress sites based on data from BuiltWith. This means it's a popular target for hackers.
If your site's resource usage is spiking, load times are slowing down or you're getting "508 Resource Limit is Reached" errors, then there's a good chance that your site might be under a brute force password attack. In one of these attacks, a hacker (or group of hackers) are attempting to login to your WordPress admin area by testing a whole lot of passwords until they find the right one. Think of it like the digital equivalent of using a lock picking machine.
There are a number of ways to help protect your site against brute force password attempts including plugins to rename the wp-login file and block the IPs of people who are trying to login with incorrect details, but in this guide, we'll focus on one method - editing your site's .htaccess file
1. Log into cPanel.
2. Open the File Manager.
3. Click on the Settings icon in the top right corner
4. Tick the box to "Show Hidden Files (dotfiles)" and then click Save
5. Click on the .htaccess file once, and then click Edit in the toolbar
6. Click the Edit button on the window that appears
7. Add the lines below at the bottom of the file, replacing "username" with your cPanel account's username:
IMPORTANT: You must replace "username" with your cPanel account's username for this to work.
<FilesMatch wp-login.php> AuthType Basic AuthName "Secure Area" AuthUserFile /home/username/public_html/.htpasswd require valid-user </FilesMatch>
8. Click the "Save Changes" button in the top right hand corner.
9. Click the "+ File" button on the toolbar to create a new file.
10. Call the new file ".htpasswd" (without quotes) - note the dot at the start - and then click Create New File.
11. Click on the new .htpasswd file once, and then click Edit on the toolbar.
12. Use the htpasswd generator site to create a new username and password, and copy/paste that into your .htpasswd File.
Example entry, which is for the username and password "protectwp":
protectwp:$apr1$QDbeOmHR$veKjSCrkn.EMAHNt75SQv/
13. Click the "Save Changes" button in the top right hand corner.
Congratulations. You've now protected your site's wp-login.php file from attacks. You'll need to use that new username and password as the first step of access before getting access to the wp-login.php file.