How To Protect WordPress Against Brute Force & DoS Attacks?


Web hosting companies all around the world are experiencing a substantial increase in the number of WordPress brute force login attempts.

Five important tips for blocking brute force attacks on WordPress are mentioned below:

Why provide the bots with a username?

Get rid of the ‘admin’ and ‘administrator’ user names from your WordPress installations.

Plugins are your best friends!

Use the following plugins for better security:

Captcha: No setup is required. This plugin is important for blocking password-guessing attempts.

Better WP Security: Some setup is required. This plugin is essential for proactive security.

Rename wp-login.php Plugin or Lockdown WP-Admin: Some setup is required. These plugins move the login location and block the common login attempts. Better WP Security provides the same feature.

Botnet Attack Blocker: If moving your wp-login.php is not an option, this plugin keeps a check on excess connections per IP address and blocks them in real time.

BruteProtect: This plugin is an alternative to the Botnet Attack Blocker plugin. It monitors connections, saves the offending IP addresses to a database of bad addresses and then blocks those IP addresses on your website. Although your WordPress hosting platform might also perform this task, it is worth having this plugin on board. It is a crowd-sourced plugin, so if the IPs hitting your website are not yet present in the BruteProtect database, it might not have an immediate effect in blocking the bad connections.

Use Pass-Phrases Instead of Strong Passwords: Plan on three or four words like websitedomain.password.thekeyphrase; this needs less memorization on your part, and no bot will be able to guess a 30 character password.

Disable ‘POST’ Access to wp-login.php: To do this, add the following text to the top of your .htaccess file:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^https?://(.*)?hackguard\.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]
</IfModule>

All you have to do is replace ‘hackguard’ with your domain name and save the file. Make sure that you leave the ‘\’ in place before your ‘.com/net/etc.’, and that the scheme in the referer pattern matches how your site is served (a site served over HTTPS sends https:// referers, so an http-only pattern would lock out your own logins). The substitution target in the RewriteRule must be a plain hyphen, not a dash. This rule stops bots from posting to the default WordPress login script unless the request comes from your own site.

If the Option Mentioned Above Does Not Work for You, Then Try This: Rename the wp-login.php File: Rename the file to something like wp-login456.php and then place a blank wp-login.php file in its place.

Once that is done, edit /wp-includes/general-template.php

and replace every occurrence of wp-login.php in that file with the new login file name. This modification prevents the bots from reaching your login page, thereby reducing the MySQL load on your server. Note that this is a change to a WordPress core file, so the next core update will overwrite it and you will have to apply it again.

Nothing Is Working For You? Then Try This…

If you are the sole administrator and your IP address does not change often, restrict access to your login page to yourself only. Add the following code to the .htaccess file:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^0\.0\.0\.0$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

Configuration Guidelines:

  • Replace 0.0.0.0 with your IP address (make sure to leave the backslashes before each dot in place, since the pattern is a regular expression)
  • Search Google for ‘what is my IP’ to find your IP address
  • To allow other addresses as well, duplicate the ‘REMOTE_ADDR’ line once for each additional IP
  • Or leave it at 0.0.0.0 to completely restrict access to everyone, including the bots that might be attempting to get into your website

Save the file.
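As an added example that is not part of the original article, the following Python script does by hand what the IP-blocking plugins above do automatically: it scans Apache access-log lines for repeated POSTs to wp-login.php from one address and renders the offenders as a mod_rewrite block in the same style as the .htaccess snippets on this page. The log lines are constructed sample data, and the threshold of five POSTs per minute is an assumption, not a value from the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache access-log prefix: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Constructed sample log (RFC 5737 addresses): 203.0.113.7 POSTs six times in ten seconds,
# 198.51.100.2 logs in once, 192.0.2.9 logs in twice forty minutes apart.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 1532' % s
    for s in range(1, 12, 2)
] + [
    '198.51.100.2 - - [10/Oct/2023:13:55:10 +0000] "GET /wp-login.php HTTP/1.1" 200 1532',
    '198.51.100.2 - - [10/Oct/2023:13:55:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '192.0.2.9 - - [10/Oct/2023:13:00:00 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 1532',
    '192.0.2.9 - - [10/Oct/2023:13:40:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1532',
]

def parse_line(line):
    """Fields of one access-log line, or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    return m and dict(m.groupdict(), ts=datetime.strptime(m.group("ts"), TS_FMT))

def find_bruteforcers(lines, threshold=5, window_seconds=60):
    """IPs that POSTed to wp-login.php more than `threshold` times inside any window."""
    window, hits = timedelta(seconds=window_seconds), defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "POST" and rec["path"].split("?", 1)[0].endswith("/wp-login.php"):
            hits[rec["ip"]].append(rec["ts"])
    flagged = []
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window start forward
                start += 1
            if end - start + 1 > threshold:
                flagged.append(ip)
                break
    return sorted(flagged)

def deny_rules(ips):
    """Render flagged IPs as a mod_rewrite block in the style of the page's .htaccess snippets."""
    out = ["<IfModule mod_rewrite.c>", "RewriteEngine on",
           r"RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$"]
    for i, ip in enumerate(ips):  # dots escaped (regex); [OR] chains all but the last address
        out.append("RewriteCond %%{REMOTE_ADDR} ^%s$%s" % (ip.replace(".", r"\."), " [OR]" if i < len(ips) - 1 else ""))
    out += ["RewriteRule ^(.*)$ - [F]", "</IfModule>"]
    return "\n".join(out)
```

Run it over a real access log with `find_bruteforcers(open("access.log"))` and paste the output of `deny_rules(...)` into .htaccess; the window and threshold should be tuned to the site's normal login traffic.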
