Lately I’ve had a bunch of wordpress sites that seem to randomly come under brute-force attacks on their wp-login pages. One relatively simple solution is to password-protect the login file which will block the attacker from even trying to log in. Seems like a reasonable security measure that can be put in place. Use a htpasswd generator to create the .htpasswd file.
Add the code below to your root level .htaccess file, and make sure to change out the path to your .htpasswd file as necessary.
# START brute force protection ErrorDocument 401 "Unauthorized Access" ErrorDocument 403 "Forbidden" <FilesMatch "wp-login.php"> AuthName "Authorized Only" AuthType Basic AuthUserFile /path/to/.htpasswd require valid-user </FilesMatch> # END brute force protection