Web hosting companies around the world continue to observe a radical increase in the number of WordPress brute force login attempts.
By some accounts, over 100,000 unique IP addresses were involved in the April 2013 attack, much of which appeared to originate from compromised personal computers at various Internet service providers.
At that time, attackers appeared to be entering the username “admin” and then trying various passwords in an attempt to break into WordPress sites.
Times have certainly changed since 2013. Bad bots and hackers have even larger numbers of hacked websites and hacked computers at their disposal, ready to attack any target they choose any time they choose.
And while many web hosts have taken a proactive approach toward better securing their customers’ websites against hackers, there are still a number of ways you can better secure your site against hackers and bad bots.
What’s a bot? A bot is a small program written to execute one or many commands, and it may reside on a computer or on a website. Not all bots are bad: Google uses bots to crawl and index the Internet.
What makes a bot bad? Consider a bot written to simply visit a given website. Then consider the results of millions of bot visits to that website from hundreds of thousands of different computers or websites. That’s the definition of a bad bot army!
Tips from The Hack Repair Guy on how to block brute force attacks
Why give bots a username to chew on?
Delete the “admin” username from your WordPress installations.
Plugins are a man’s best friend.
WordPress plugins like Wordfence or Jetpack BruteProtect may help to mitigate some attacks against your website.
Forget what every “security expert” has told you about passwords and use pass-phrases instead.
Decide on a standard set of words to make a phrase you can remember in a pinch. Think of special characters like $ or & as words.
Here is an example of a password phrase you might use for your website logins:
thewebsiteaddress@thewebsiteownersname$amemorablenumber
For this website, mine might be: hackrepair.com@JimWalker$2000
Less memorization on my part, and it is very unlikely a bot will ever figure out my fairly random 30+ character password.
Disable direct posting against your wp-login.php. Add this text to the bottom of your .htaccess file:
<IfModule mod_rewrite.c>
RewriteEngine on
# Only look at POST requests (the login form submission)...
RewriteCond %{REQUEST_METHOD} POST
# ...that did not come from a page on your own site (http or https), so a
# legitimate login submitted from your own login form still goes through
RewriteCond %{HTTP_REFERER} !^https?://(.*)?hackrepair\.com [NC]
# ...and that target the login script or the admin area
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# Answer with 403 Forbidden ("-" leaves the URL unchanged)
RewriteRule ^(.*)$ - [F]
</IfModule>
Just replace hackrepair with your domain, and save.
Bots are not very smart. A bot’s purpose is to brute force hundreds if not thousands of connections in a short span of time. The text above simply blocks bad bots from directly “posting” username and password combinations against your default WordPress login page.
Administrators or subscribers logging in through the WordPress login page will not be blocked.
This method has much less impact on a client’s daily workflow than most, and no additional steps are required, making it the easiest login attack mitigation to implement.
If, on the other hand, you find that this surgical approach of blocking bad bots from posting against your login page URL does not fully meet your needs, try one of the other options below.
Is there a most recommended solution to block bad bots?
Yes! If you are the only administrator and your IP address rarely or never changes, then this tip is for you. Add this to the top of your .htaccess file:
<IfModule mod_rewrite.c>
RewriteEngine on
# Requests for the login script or the admin area...
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# ...from any address other than the ones listed here (one line per allowed
# address; the dots are escaped because this is a regular expression)
RewriteCond %{REMOTE_ADDR} !^xxx\.xx\.xx\.xxx$
RewriteCond %{REMOTE_ADDR} !^xxx\.xx\.xx\.xxx$
# ...are answered with 403 Forbidden
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
Just replace the xxx.xx.xx.xxx entries with your IP addresses. Voilà! Bots go bye-bye.
For other bad bot blocking alternatives, see my article, How to Block Bots from Seeing your Website – Bad Bots and Drive-by Hacks Explained.
Plugins attempt to solve the problem within the problem.
In moderate to low traffic situations, a plugin will likely fit the bill. A well-managed server will do most of the firewalling as well, blocking the most egregious repeated password attempts and leaving plugins to sweep out the rest. This is why well-regarded security plugins and plugins like Limit Login Attempts will generally do the job nicely. Fire, forget, go to lunch.
And then there is the next level of attacks. 350k hits on a login page handled by a solution “inside the problem” will likely cause perceivable slowness on a site, or worse if multiple websites sharing the same server are all being hit the same way.
So let’s get outside of the problem… with Content Distribution Networks (CDN).
The free Cloudflare plan may help greatly, and if you can spare a few extra dollars, MaxCDN is an excellent alternative as well.
Below is a presentation I gave to an audience of advanced WordPress folks in a San Diego Meetup group. Listen in on “How to use Cloudflare to better protect your website against denial of service attacks”:
A Web Application Firewall (WAF), or vulnerability-patching firewall, is another solid consideration when looking at ways to block bad bots and hackers. I encourage you to check out StopTheHacker or Sucuri (both around $200 per year). WAFs work outside your site, filtering most of the bad traffic before it reaches your website.
My personal favorite free option for blocking login-related attacks uses password protection. Most websites can leverage a web server’s built-in authentication and authorization feature.
While number 4 (disabling direct posting to wp-login.php) and number 5 (restricting access to your login page to your own IP address) are solid .htaccess tricks, a username and password authentication prompt, which the web server enforces before any PHP script runs, is a fantastic way to limit the harm done by random bad bots and by more aggressive WordPress login attackers.
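The server-side password prompt described above, as an added example that is not from the original article: an .htaccess fragment that puts HTTP Basic authentication in front of wp-login.php only, so a bot’s guesses are rejected by Apache before WordPress runs. The .htpasswd path and the realm text are assumptions; create the user entry with Apache’s htpasswd tool and keep the file outside the web root.

```apache
# Added example (not from the article): Apache Basic authentication for the
# WordPress login script only. Apache checks these credentials before any PHP
# runs, so posted username/password guesses never reach wp-login.php.
#
# Create the credential file once, outside the web root (path is assumed):
#   htpasswd -c /home/example/.htpasswd gatekeeper
# Use a password that differs from your WordPress password.

<Files "wp-login.php">
    AuthType Basic
    # Text shown in the browser's login prompt (assumed)
    AuthName "Restricted login"
    # Assumed path; must not be reachable through the website
    AuthUserFile /home/example/.htpasswd
    Require valid-user
</Files>

# Without this line WordPress tries to handle the 401 itself and can loop;
# let Apache serve its own default "Authorization Required" page instead.
ErrorDocument 401 default
```

Only wp-login.php is protected here; wp-admin/admin-ajax.php and the rest of the site keep working for visitors and plugins that call it without credentials.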
I hope you’ve enjoyed this article and found it helpful. If you have any questions please feel free to call me anytime. I’m here to help.
2 Comments
xxx says
Great blog right here! Also your website loads up very fast! What web host are you using? Can I get your affiliate link in your host? I desire my web site loaded up as quickly as yours lol
Jim Walker says
Thank you.
Host is https://TVCNet.com