WP-Login produces 403 error.

We were forced to temporarily disable access to the wp-login.php script on some accounts that were being brute forced [bots guessing passwords via wp-login.php] hard enough to affect overall server performance for everybody.  This block only disables access to the admin and keeps the rest of your site online.

We would **strongly** suggest you follow the steps outlined below.  If you follow the directions outlined below you will not end up with a block put in place again as bots will not be able to find your log-in to be able to brute force it.  If you simply remove the block and take no additional steps it's possible that the block will be put back in place again. Directions to remove the block can be found at the bottom

This plugin is available directly from the WordPress plugin library via Dashboard -> Plugins -> Add New -> Search for "Rename wp-login.php" or can be downloaded to install manually at http://wordpress.org...ename-wp-login/.

 (If you have already installed the plugin please scroll to the bottom of this page)

We strongly advise you take a full backup of your database and/or your cPanel account prior to installing or configuring either of these plugins just in case.  It is possible if you're running an outdated version of WordPress, outdated plugins, or outdated themes that you could run into issues.

 

Once the "Rename wp-login.php" plugin is installed you can change the "wp-login.php" to anything you'd like without interfering with site functionality at all via the Settings -> Permalinks options:

2014-03-08_09-16-29.png

 

The option looks like this:

2014-03-08_09-17-16.png

 

In my case I simply changed it to "login-wp" but it really doesn't matter what you change it to as your wp-admin will redirect there automatically just as it would normaly do with the default wp-login.php.

 

We strongly advise you take a full backup of your database and/or your cPanel account prior to installing or configuring either of these plugins just in case.  It is possible if you're running an outdated version of WordPress, outdated plugins, or outdated themes that you could run into issues.

To gain access to your WPAdmin backend to make these changes it will probally be neccesary to remove the block that was put in place.  We created, if it did not exist, or appended to the /home/your-cpanel-username/.htaccess file the following lines:

 

This is not in /public_html/.htaccess.  It *is* in /.htaccess.

  1. # The following lines have been put in place by your hosting provider as your site was under a brute force dictionary attack.
  2. # You can provide yourself access to the wp-admin by adding an "Allow from" line with your IP address before the "Deny from all" line.
  3. # If you need to allow multiple users in you can remove the following lines entirely if you need or you can add multiple "Allow from" lines.
  4. #
  5. # If you have any questions about this at all, do please get with your hosting provider for support.
  6. #
  7. <Files"wp-login.php">
  8. OrderAllow,Deny
  9. # Uncomment the following line and change the number to your IP address. You can find your IP address at http://www.whatismyip.php/
  10. # Allow from 123.456.789.012
  11. Denyfrom all
  12. </Files>
  13. #
  14. #
  15. # End of brute-force block. If you do wish to remove the block entirely do not remove beyond this line.

You can remove the "#" from the beginning of the 10th line and change the number "123.456.789.012" to your IP address [ http://www.mddhostin.../whatismyip.php / http://www.whatismyip.php/ ]. This will permit you the ability to log into your WP-Admin while keeping attackers out.

You can make these changes via FTP in the "/" folder you will see a file called ".htaccess" or you can do it via the cPanel -> File Manager [also in "/"] but you may need to set it to show hidden files.

IMPORTANT
You will also want to add the following lines to the .htaccess of the site you renamed:

# Prevent the 404 system from answering bots
RedirectMatch 403 (.*)wp-login\.php$

What we have seen happen is that the bots will hammer the 404 page of the site just as much as the normal page.

If you have difficulty making changes to this file to install the wplogin utility please either reply to the notice or open a new ticket with us so we can assist.

  • 6 Users Found This Useful
Was this answer helpful?

Related Articles

Setting PHP Environment Variables

To set custom PHP Environment Variables such as register_globals, display_errors,...

My site is displaying a blank white page or HTTP Error 500!

Generally a blank white page when you expect content is a PHP error.  As we offer production...

I can't access the server but the server status says it's up.

Our servers are configured to block IPs based upon log-in failures to help protect your account...

PHP - Cannot modify header information - headers already sent by ...

This message means that your PHP script is sending data to the web browser before the headers and...

Cannot upgrade WordPress or a WordPress Plugin

Should you receive an error message about not being able to write or open a file in "/tmp" when...