What is a brute force attack?
Brute force attacks use bots to guess administrative login credentials, typically through many repeated attempts in a short period of time. If your website has been compromised it could be used to distribute spam or malware. In a case at a previous employer, one of their early WordPress sites was breached and used to display porn advertisements.
Brute force botnet attacks against the login and admin sections of WordPress sites are now all too common. Even unsuccessful botnet attacks can put a severe load on servers, making your site sluggish. Hosting companies, especially those running client sites on shared-hosting servers, are likely to be unhappy, as this affects other sites on the same server.
Requests from a vast number of different IP addresses can be difficult to block, so how do you prevent a brute force attack on your login page?
Brute force prevention
Hosting security measures
Many hosting companies now have security measures that guard against repeated unsuccessful login attempts to WordPress or Joomla admin pages. After several unsuccessful login attempts within a short time period, say 20 attempts within 15 minutes, further login attempts are redirected to a static page.
Limiting login attempts helps the hosting company to protect the sites of their customers and the stability of their servers.
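The hosting rule described above (more than 20 attempts in 15 minutes) is easy to check for yourself from the web server's access log. The following is an added example, not code from the original post or from any hosting company: it parses Apache combined-format log lines, counts POSTs to wp-login.php per IP in a sliding 15-minute window, and reports the moment an IP crosses the threshold. The log lines are constructed sample data, and the IP addresses are documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Hosting-style rule from the text: more than 20 login attempts within 15 minutes.
MAX_ATTEMPTS = 20
WINDOW = timedelta(minutes=15)
# Apache combined log format; only the fields the check needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def find_brute_force(lines, max_attempts=MAX_ATTEMPTS, window=WINDOW):
    """Map each offending IP to the time it exceeded max_attempts POSTs to wp-login.php inside one window."""
    recent = defaultdict(deque)   # per-IP timestamps of attempts still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        # A POST to wp-login.php is a login attempt. WordPress answers a failed login with
        # 200 (form re-rendered) and a success with 302, so the POST itself is what is counted.
        if method != "POST" or not path.startswith("/wp-login.php"):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:          # drop attempts older than the window
            q.popleft()
        if len(q) > max_attempts and ip not in flagged:
            flagged[ip] = ts
    return flagged

def make_attempts(ip, start, count, step_seconds):
    """Constructed sample log lines (not real traffic) for demonstration."""
    return [f'{ip} - - [{(start + timedelta(seconds=i * step_seconds)):%d/%b/%Y:%H:%M:%S %z}] '
            '"POST /wp-login.php HTTP/1.1" 200 3874 "-" "Mozilla/5.0"' for i in range(count)]

START = datetime(2014, 5, 1, 9, 0, 0, tzinfo=timezone.utc)
SAMPLE = (make_attempts("198.51.100.7", START, 30, 20)    # 30 POSTs in 10 minutes: a bot
          + make_attempts("203.0.113.9", START, 5, 120)   # 5 POSTs in 10 minutes: a person
          + ['192.0.2.1 - - [01/May/2014:09:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1200 "-" "curl/7.0"'])
```

Running `find_brute_force(SAMPLE)` flags only 198.51.100.7, at its 21st attempt (09:06:40); the GET that merely loads the form is never counted.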
Limiting WordPress login attempts
Login attempts, and access to the forgot-password page, can also be limited by the popular WordPress security plugin Wordfence.
Wordfence gives you a bit more information about the origin of brute force attacks, revealing a user’s IP, hostname and the username that they tried to use.
You’ll find that the most common usernames attempted are admin and administrator, a further reminder that you should never use these.
Wordfence also allows you to block individual IPs, although I found this often led to increased botnet attempts.
Two-factor authentication
A further way to protect your WordPress login is with two-factor authentication, also known as mobile or cellphone sign-in. An SMS code is sent to your mobile, which you’ll need to enter to gain access to the admin area of your site. This option is available in the premium version of the Wordfence plugin. Two-factor authentication is now widely used in online banking.
WordPress login protection with Apache
Adding Apache password protection will stop bots from reaching your wp-login.php page at all. To password protect your login page you will need to make changes to an .htaccess file and enable folder protection within your website’s cPanel.
Here are the steps:
1. Modify the .htaccess file in the folder of your WordPress install. This folder will also contain your wp-login.php file. You’ll need to enclose the Auth directives in a Files block. The example below is for the Plain (AuthType Basic) authentication method.
    <Files "wp-login.php">
        AuthType Basic
        AuthUserFile "/path_to_your_wp_folder/.htpasswd"
        AuthName "Limited!"
        Require valid-user
    </Files>
The path to your folder can be found by looking at your folder setup and is likely to be something like:
/home/www/www/wordpress/
2. Password protect the folder that contains the wp-login.php file of your WordPress installation. You should be able to password protect the folder through the Protection -> Web Access Protection section of your hosting Control Panel, although this may differ depending on your hosting setup. The example uses the Plain method, although you can also use the Digest method.
Once you’ve selected to protect the folder you’ll need to set a username and password. I’d advise using a secure password generator, setting the password to be 12 characters long with punctuation.
You’re advised to wait 15 minutes before attempting to log into your admin section.
500 error
If you see a 500 error, check the path to your WordPress folder in the .htaccess file. Again, you might need to look at your hosting folder setup to get the full path.
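A wrong AuthUserFile path is the usual cause of that 500 error, and Apache only reports it in the error log. The following is an added example, not code from the original post: it reads the wp-login.php block out of an .htaccess file, checks that the four directives are present and that the .htpasswd path is absolute, exists, is readable and holds at least one user entry. The `demo()` function builds a correct and a mistyped .htaccess in a temporary directory using a placeholder (not real) password hash.

```python
import os
import re
import tempfile

# The <Files "wp-login.php"> block and the directives inside it (case-insensitive).
FILES_RE = re.compile(r'<Files\s+"?wp-login\.php"?\s*>(?P<body>.*?)</Files>', re.S | re.I)
DIRECTIVE_RE = re.compile(r'^[ \t]*(\w+)[ \t]+(.*?)[ \t]*$', re.M)

def check_htaccess(htaccess_text):
    """Return the problems that typically cause the 500 error described above;
    an empty list means the wp-login.php protection block looks usable."""
    m = FILES_RE.search(htaccess_text)
    if not m:
        return ['no <Files "wp-login.php"> block found']
    directives = {k.lower(): v.strip('"') for k, v in DIRECTIVE_RE.findall(m.group("body"))}
    problems = [f"missing {d} directive" for d in ("AuthType", "AuthUserFile", "AuthName", "Require")
                if d.lower() not in directives]
    path = directives.get("authuserfile")
    if path is None:
        return problems
    if not os.path.isabs(path):
        problems.append(f"AuthUserFile must be an absolute path, got {path!r}")
    elif not os.path.isfile(path):
        problems.append(f"AuthUserFile does not exist: {path}")
    elif not os.access(path, os.R_OK):   # checked as the current user, not as the web server user
        problems.append(f"AuthUserFile is not readable: {path}")
    else:
        with open(path) as fh:
            if not any(":" in line for line in fh if line.strip()):
                problems.append("AuthUserFile holds no user:hash entries")
    return problems

HTACCESS_TEMPLATE = '''<Files "wp-login.php">
AuthType Basic
AuthUserFile "{path}"
AuthName "Limited!"
Require valid-user
</Files>
'''

def demo():
    """Constructed example: one .htaccess with the right path and one with a typo in it."""
    workdir = tempfile.mkdtemp()
    htpasswd = os.path.join(workdir, ".htpasswd")
    with open(htpasswd, "w") as fh:
        fh.write("siteowner:PLACEHOLDER_HASH_FROM_htpasswd_TOOL\n")   # placeholder, not a real hash
    good = check_htaccess(HTACCESS_TEMPLATE.format(path=htpasswd))
    bad = check_htaccess(HTACCESS_TEMPLATE.format(path=os.path.join(workdir, "wordpres", ".htpasswd")))
    return good, bad
```

In practice, run `check_htaccess(open("/path/to/.htaccess").read())` on the server as the same user the web server runs as, so the readability check reflects what Apache will see.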
Use of Admin on your WordPress site
You’re advised to use administrative accounts only when updating WordPress core or plugins and for other tasks that need elevated permissions. Publish posts from a non-admin role and keep your admin username as concealed as possible. Although, from reading the attempted logins on my own site, hackers seem to be able to find WordPress usernames fairly easily.
Limiting the sign-in page to an IP range and country blocking can also help in the defence against brute force attacks, but I found the Apache password method more effective.
Well, recently brute force attacks have increased immensely, becoming a dangerous factor for all WordPress users, but it is something that can be fought; I mean, by using security methods we can move brute force attacks out of the window. It can be difficult for newbies who have just got started with WordPress, but they can learn by reading posts online and then implement security.
In my view, implementing only three tricks works very well: changing the login slug, a content delivery network (CDN) and a security plugin which bans IP addresses after a few login attempts.