Website DIY - tricks and solutions

Brute force WordPress attack: how to login when locked out by your host’s security (401/406)

Knowledge level: Intermediate, use of FTP,  copy/rename/single line edit of a php file.

If you are unable to access your WordPress dashboard because the login page is blocked by e.g. a homepage redirect, or a 401 or 406 error;  it could be because your host’s server security has detected a brute force attack.

This article shows how to make a few simple changes which allow you to continue log in, whilst keeping your server’s brute force countermeasures.


This site  doesn’t have an “admin” user and uses the free Limit Login Attempts plugin  (recommended),  so login attacks have had little impact. This is no longer the case; the level of attack has increased;  and to prevent the site being slowed down or crashed by the volume of  login requests the server is frequently blocking all access (including mine) to the login page :

April 2013: WordPress sites are currently being attacked  on an unprecedented scale by botnets targeting the login page (wp-login.php ). This site reports receiving over 100,000 login attempts a day.

This attack affects both insecure AND secure sites; the volume of attempts has the potential to overload your server and slow or bring your site down DDoS style.   If you are still using the admin, or obvious user names you are also at high risk of being hacked.

Plugins alone are not the answer, they use resources and in a DDoS situation may contribute to server load; and due to the way IPs are used by this attack, plugins like Limit Login Attempts won’t protect you.

Countermeasures and their problems

Countermeasures have been quickly developed and adopted by decent server host providers.  Among other things, if  these detect high rates of login attempt then they “block” the log in page.   The objective is to prevent the slowing or the loss of your site by minimising the resources used in handling these attacks  (probably by generating a 401 or 406 error).  However, some hosts adopting countermeasures just redirect from the login page to the home page; this might reduce the risk of hacking but may increase server load and risk of site outage – code is executed to create the homepage and the response includes 100’s of kb of data.

Although these countermeasures may ensure your site remains available to your visitors, you may find that you are locked out from your dashboard.

How to regain access to your Dashboard

Note: Your host should be able to customise their servers ModSecurity/Countermeasures for your  site (or provide you with an .htaccess solution).  They will be able to disable the problem “rule” for you (not recommended); it may be possible to exempt you from the rule based on your IP, but if you don’t use a fixed IP it won’t be a complete solution.

The solution I adopted was to create a second “secret” login page that won’t be blocked.

I don’t believe in reinventing the wheel and used google; I eventually found a solution (in Spanish) from Nodonet.  I use it below, but also explain how to log-out, and why you should keep the original login page.

Use at your own risk, it works for me (WordPress 3.5.1)  but I don’t guarantee it is safe, or that it won’t mess up your site.  If possible back-up your site first.

  • Use FTP to download  a copy of your wp- login.php (usually located in the root directory ) and rename the copy to something of your choice. In this example we will name it loginz.php.
  • Edit  “loginz.php”;  search for the following (probably line 680):

<form name="LoginForm" id="LoginForm" action="<?php echo esc_url(site_url ( 'wp-login.php','login_post'));?> "method="post">

and change it to:

<form name="LoginForm" id="LoginForm" action="<?php echo esc_url(site_url ( 'loginz.php','login_post'));?> "method="post">

  • Upload “loginz.php” to your server. (Do not delete the original wp-login.php)

YOU NOW HAVE A SECRET LOGIN PAGE THAT WON’T BE BLOCKED BY SERVER SECURITY. Simply access it like any other page in the directory e.g. example.com/loginz.php


  • Log Out uses wp-login.php, and will likely fail for this reason.  To log out:

click log out, it will fail, but display a URL like this in your address bar hxxp://yoursite.com/wp-login.php?action=logout&_wpnonce=012345

edit the addressbar URL and replace “wp-login.php by the name of your secret logout page (e.g. loginz.php).

  • The Secret Login Page is a temporary solution,  the modified  login page may be incompatible with later versions of WordPress, and may even be deleted by WP updates (unlikely).
  • Why keep the original wp-login.php?  If it is deleted then any request for it will result in the serving of your 404 not found page; this will use more resources than a server security generated 401 or 406 error.
Enhanced by Zemanta

As always your feedback and suggestions are welcome.

1 Comment

  1. Daniel Brewers

    Dude, you’ve literally just saved my ass right now!
    Host blocked every access-point, and I needed to log-in ASAP.
    Your solution was the only one I’ve found, that did the trick
    Eternally grateful!

Leave a Reply

Your comment will appear after its approved; usually within 12 hours but can be up to a week.
Email is optional and never published. It will only be used to contact you if clarification of your comment is needed.

Copyright © 2013-2024 Webstuff.Inblighty.Com
This site recommends and is hosted by: Kualo Web Hosting.    
Theme: hemingway

Blog home  |  ↑ Top of Page ↑