Foiling WordPress Login Attacks

The other day I read an article concerning attacks on WordPress wp-login.php. The solution was fairly simple, rename wp-login.php and all references to the the file within the WordPress software to an uncommon name. However this is cumbersome to do and maintain, and in addition you have to do this for some themes and plugins that make reference to wp-login.php.

I came up with an alternative and simpler solution. While not perfect (particularly if you have several blog authors), a simple work around to the problem is use a double-login by forcing HTTP authentication in the web browser for access to wp-login.php.

If you are using Apache, then within your blog’s <VirtualHost> block add:

<Files wp-login.php>
  AuthName "Blog Login Page"
  AuthUserFile "/path/to/blog/root/.htpasswd"
  AuthType Basic
  Require valid-user

Then create a .htpasswd file, preferable with a different user name and password from the blog login. Voilà! Done!