Protecting Login Page from Brute Force Login Attacks

If this site only allows 4 admins to login and does not allow any other visitors to register and post comments on the site then using the Simple Query String Login page protection code is the best solution for this site.

@mods – the post above needs to be delinked. The entire post is wrapped in an “a” tag. Thanks.

ya… our site only allows 4 admins to login and does not allow any other visitors to register but we do have allow comment from reader using disqus comment system in our site… does Simple Query String Login page protection code is still our best solution ???

I think so since Disqus only uses the WP Comment template & system and does not do anything related to WP login.

ok… let me try it. thank you again ??

sorry to bother u again… having some issue related this

I’ve added

// Simple Query String Login page protection
function example_simple_query_string_protection_for_login_page() {
$QS = ‘?mySecretString=foobar’;
$theRequest = ‘https://’ . $_SERVER[‘SERVER_NAME’] . ‘/’ . ‘wp-login.php’ . ‘?’. $_SERVER[‘QUERY_STRING’];

// these are for testing
// echo $theRequest . ‘
‘;
// echo site_url(‘/wp-login.php’).$QS.’
‘;

if ( site_url(‘/wp-login.php’).$QS == $theRequest ) {
echo ‘Query string matches’;
} else {
header( ‘Location: https://’ . $_SERVER[‘SERVER_NAME’] . ‘/’ );
}
}
add_action(‘login_head’, ‘example_simple_query_string_protection_for_login_page’);

to my themes function.php file and replace mySecretString=foobar with my own secret key. I’m also able to login through it… but it seems
that log in is still possible through wp-login.php

do I need to change or add anything else ???

This code will only allow you to access the wp-login.php page and login if you enter your Query String. If you have another plugin that is doing something with the login page and specifically with login_head then it could override this function and negate it.