After yet another brute-force attack on our servers hosting WordPress sites today I finally decided it was time to take some drastic action. There are a number of different approaches you can take, this is what I did to block literally over 75,000 attacks against wp-login.php today.
Step 2: Add this to
# Whitelist countries allowed to access wp-login.php or wp-comments-post.php <FilesMatch "(wp-login|wp-comments-post)\.php$"> SetEnvIf GEOIP_COUNTRY_CODE US AllowCountry SetEnvIf GEOIP_COUNTRY_CODE CN AllowCountry order deny,allow Deny from all Allow from env=AllowCountry ErrorDocument 403 "Forbidden." </FilesMatch>
(We have some clients in China who need to legitimately login to WordPress, so we included them in the whitelist). Adjust your whitelist / allowed country list appropriately.
apache service httpd restart and start watching the attacks get served up “Forbidden.” messages instead of hitting WordPress and database. Server load way down, yay! Sorry rest of the world, you can’t have our wp-login.php anymore.