How To Protect Your WordPress Login Url From Brute Force Attacks Without A Plugin

WordPress admin site login url is /wp-login.php by default. It is known by all bots, hackers and other spam software which can take a brute force attacks to your website. If you find there are so many records ( ie : – – [29/Nov/2020:00:20:53 -0700] “POST /wp-login.php HTTP/1.1” 200 ) in your website access log, it means your website is under attack by bots. This can cost a lot of your website bandwidth and slow down your web server.

There are two ways to fix such issue. One is to install a third party plugin ( for example : WPS Hide Login ) to hide the default WordPress admin login page url. But if you use this method, you have to remember another WordPress login page url, and the bots request will arrive your web server to give your web server so much spam requests pressure to slow down it’s performance.

We have another method to avoid such attacks without install plugin. In this method, the bots request will never arrive your web server at all, so it can improve your website speed and performance largely. And the login page url is not need to be changed also, you can remember it easily. Now I will tell you how to do it.

1. Use CloudFlare Firewall Free Rules To Avoid /wp-login.php /wp-admin Attacks.

  1. First you should use CloudFlare CDN service to your web site (Read article CloudFlare Plus SSL To Make Your WordPress Fast And Secure ).
  2. Login to CloudFlare admin console.
  3. Click Firewall button at top navigation bar, then click Firewall Rules link under Firewall button.
    cloudflare - firewall - firewall rules - 1
  4. Create a new firewall rule by click Create a Firewall rule button.
  5. In the create new firewall rule page, enter Block bot request to /wp-login.php and /wp-admin in Rule name input text box.
    cloudflare - create - firewall rule - captcha
  6. Add two incoming request match condition, one is Field(URI) Operator(contains) Value(/wp-login.php), the other is Field(URI) Operator(contains) Value(/wp-admin). The two incoming request conditions are Or relation.
  7. Select Challenge(Captcha) in the bottom Choose an action drop down list. Click Deploy button to deploy it.
  8. Now when a client request /wp-login.php or /wp-admin, it will prompt a Captcha window to verify that the client is a human not a bots. All bots request are stopped at CloudFlare server and never arrive your original web server.
0 0 vote
Article Rating
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments
Would love your thoughts, please comment.x