For folks who DO NOT want/allow anyone else to login/register to their website.

by | 16 July, 2013

This .htaccess code protects your WordPress login page from Brute Force Login Attacks by restricting access based on IP address. Keep in mind that if you allow other folks to log in to your website, they will not be able to log in. This .htaccess code is for folks who do not allow anyone but themselves to log in to their website. You can of course add additional IP address octets to allow other folks access to your login page.

IMPORTANT NOTES:  You will find your Server / Website IP Address and Public IP / Your Computer IP Address on the BPS System Info page.

# Protect wp-login.php from Brute Force Login Attacks
<FilesMatch "^(wp-login\.php)">
Order Allow,Deny
# Add your website domain name
Allow from example.com
# Add your website/Server IP Address
Allow from 69.200.95.1
# Add your Public IP Address using 2 or 3 octets so that if/when
# your IP address changes it will still be in your subnet range. If you
# have a static IP address then use all 4 octets.
# Examples: 2 octets: 65.100. 3 octets: 65.100.50. 4 octets: 65.100.50.1
Allow from 65.100.50.
</FilesMatch>

For folks who DO want to allow other folks to be able to login/register to their website.  

This will block/forbid around 98% of automated Brute Force Login hacking attempts, since these automated attacks typically use Server Protocol HTTP/1.0.

# Protect wp-login.php from Brute Force Login Attacks based on Server Protocol
# All legitimate humans and bots should be using Server Protocol HTTP/1.1
RewriteCond %{REQUEST_URI} ^/wp-login\.php$
RewriteCond %{THE_REQUEST} HTTP/1\.0
RewriteRule ^(.*)$ - [F,L]
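
Before enabling the HTTP/1.0 rule above, you can replay it against your own access log to see which clients it would forbid and whether any legitimate users still arrive over HTTP/1.0. This is an added example, not part of the original post or of BPS; the function names and sample log lines are constructed for illustration and assume Apache's common/combined log format.

```python
import re
from collections import Counter

# Apache common/combined log format: client IP ... "request line" status.
# The quoted request line is the string mod_rewrite sees as %{THE_REQUEST}.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3}')

def login_request(request_line):
    """Return (method, path, protocol) for a wp-login.php request, else None."""
    parts = request_line.split()
    if len(parts) != 3:
        return None
    # REQUEST_URI excludes the query string, so strip it before comparing.
    if parts[1].split("?", 1)[0] != "/wp-login.php":
        return None
    return tuple(parts)

def would_forbid(request_line):
    """Mirror both RewriteCond tests; the HTTP/1.0 pattern is unanchored."""
    return login_request(request_line) is not None and "HTTP/1.0" in request_line

def dry_run(lines):
    """Count wp-login.php hits per protocol and the client IPs the rule would 403."""
    protocols, blocked = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        req = login_request(m.group("request")) if m else None
        if req is None:
            continue
        protocols[req[2]] += 1
        if would_forbid(m.group("request")):
            blocked[m.group("ip")] += 1
    return protocols, blocked

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [16/Jul/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.0" 200 3120',
    '203.0.113.7 - - [16/Jul/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.0" 200 3120',
    '198.51.100.9 - - [16/Jul/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.0" 200 3120',
    '192.0.2.44 - - [16/Jul/2013:10:01:10 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 2875',
    '192.0.2.44 - - [16/Jul/2013:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.7 - - [16/Jul/2013:10:02:00 +0000] "GET /index.php HTTP/1.0" 200 5120',
]

if __name__ == "__main__":
    protocols, blocked = dry_run(SAMPLE)
    print("wp-login.php requests by protocol:", dict(protocols))
    for ip, hits in blocked.most_common():
        print(f"would be forbidden: {ip} ({hits} requests)")
```

To check real traffic, pass the lines of your own access log file to `dry_run` instead of `SAMPLE`.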

How to add/use this Brute Force Login Protection Code on your website

If you have BPS or BPS Pro installed this custom .htaccess code goes in the CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE: Add miscellaneous code here text box. After adding this custom code click the Save Root Custom Code button, go to the Security Modes page, click the Create secure.htaccess File AutoMagic button and activate Root Folder BulletProof Mode again.

To reverse the process (remove/delete the code from your root .htaccess file) you would delete the code from the CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE: Add miscellaneous code here text box, click the Save Root Custom Code button, go to the Security Modes page, click the Create secure.htaccess File AutoMagic button and activate Root Folder BulletProof Mode again.