Why we can't have nice things
27 August 2013

There are better ways to block brute force attacks against WordPress (mod_security, carpet bombing), but if your host provider goes the .htaccess route, then here are a couple of caveats to be mindful of.

First, pay attention to the order of statements. This

Order allow,deny
Allow from XX.XXX.XXX.X
Deny from all

won't work like you expect. You need to put the Allow statement at the end. In addition, there can be no space between

allow,deny

or again it will fail to work.
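Why the block above locks everyone out, as an added example that is not part of the original post: a small Python model of how Apache 2.2-style access control evaluates Order, Allow and Deny. The Order argument decides which directive wins, and the position of the Allow and Deny lines in the file does not. The addresses are constructed documentation-range placeholders, `Order deny,allow` stands in for the form with allow at the end, and only exact IPs and `all` are modelled.

```python
# Simplified model of Apache 2.2 Order/Allow/Deny evaluation.
# Assumptions: exact-IP and "all" matching only; sample addresses are constructed.

def parse(htaccess):
    """Return (order, allow_list, deny_list); raise ValueError on a bad Order line."""
    order, allow, deny = "deny,allow", [], []   # deny,allow is Apache's default Order
    for line in htaccess.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        keyword = parts[0].lower()
        if keyword == "order":
            # Order takes exactly one argument, so "allow, deny" (with a space)
            # is a syntax error; Apache then answers every request with a 500.
            if len(parts) != 2 or parts[1].lower() not in ("allow,deny", "deny,allow"):
                raise ValueError("bad Order line: %r" % line)
            order = parts[1].lower()
        elif keyword in ("allow", "deny"):
            (allow if keyword == "allow" else deny).extend(parts[2:])
    return order, allow, deny

def matches(rules, ip):
    return any(rule.lower() == "all" or rule == ip for rule in rules)

def is_allowed(htaccess, ip):
    order, allow, deny = parse(htaccess)
    allowed, denied = matches(allow, ip), matches(deny, ip)
    if order == "allow,deny":
        # Allow is evaluated first, Deny last: a Deny match wins, default is deny.
        return allowed and not denied
    # deny,allow: Deny is evaluated first, Allow last: an Allow match wins.
    return allowed or not denied

# Constructed sample configurations (203.0.113.7 is the admin's placeholder IP).
AS_POSTED = "Order allow,deny\nAllow from 203.0.113.7\nDeny from all"
ALLOW_LAST = "Order deny,allow\nDeny from all\nAllow from 203.0.113.7"
WITH_SPACE = "Order allow, deny\nAllow from 203.0.113.7\nDeny from all"

if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("allow last", ALLOW_LAST)):
        for ip in ("203.0.113.7", "198.51.100.9"):
            print(name, ip, "allowed" if is_allowed(cfg, ip) else "denied")
    try:
        is_allowed(WITH_SPACE, "203.0.113.7")
    except ValueError as err:
        print("config error:", err)
```

After any change to the file, request the login page from both an allowed and a non-allowed address to confirm the rule does what you intended.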

Using .htaccess can mitigate some small attacks, but it can quickly be overwhelmed, so don't expect miracles. Sometimes you have to ride it out or employ other more drastic solutions (Special Forces, anthrax).