Protecting WordPress wp-admin / wp-login.php areas against dictionary attacks and DDoS

For some time, large botnet installations have been attacking WordPress installations from many IPs, sometimes the number of attacking addresses was tens of thousands:

In theory, if you use a strong password, you should be safe – but there is one more reason to worry: these kinds of attacks can bring your server to a halt or make it very slow - since for every such request the server executes PHP code, connects and sends queries to the database and so on.

Is there any way to protect against it?

In our experience, we’ve seen quite a bit of similar attacks. There are at least to way to protect against them:

The drawback is that if some botnet decides to send thousands of queries to, it still goes through PHP and database processing and is likely to overloadload your server.

  • If you use pache - use a simple .htpasswd protection – this way, even if you’re loaded with queries to your login URLs, they won’t put much load on your server, since PHP won’t be interpreted. The code you have to add to your vhost config looks like below:

Note that it has to go to Apache configuration for a given vhost, and not .htaccess file.

Great! You’ve successfully signed up.

Welcome back! You've successfully signed in.

You've successfully subscribed to

Success! Check your email for magic link to sign-in.

Success! Your billing info has been updated.

Your billing was not updated.