Web hosting companies around the world are seeing a radical increase in the number of WordPress brute-force login attempts.
My goal in writing this article is to provide tips on how to secure your website against brute-force attacks.
Your neighbor may be attempting to hack your website at this very moment!
The days of mass denial of service attacks originating from Asia or Europe seem to have been overshadowed by PC hacks originating in the good ol’ US of A. By some accounts, over 100,000 unique IP addresses were involved in the April 2013 attack, a good majority of which appeared to be originating through compromised PCs in North America.
Five tips to block brute force attacks (from easiest to maybe a bit paranoid)
1. Why give bots a username to chew on?
Delete the “admin” and “administrator” usernames from your WordPress installations.
2. Plugins are a man’s best friend.
WordPress plugins like these are well-regarded options:
- Captcha by BestWebSoft – zero setup required. Blocks password guessing attempts.
- Wordfence or iThemes Security. Some setup required. Proactive security is key!
- Botnet Attack Blocker – When moving or changing your wp-login.php is not an option, this plugin monitors for excessive IP connections and blocks them in real-time.
- BruteProtect – Alternative to Botnet Attack Blocker. This plugin monitors connections, saves the bogus IP connections to its database of bad addresses, then auto-blocks those same bad IP addresses on your website. Because this is essentially a crowdsourced plugin, if the IPs hitting your site are not yet in the BruteProtect database, this plugin may not have an immediate effect in blocking bad connections.
3. Forget what every security expert has told you about passwords and retrain your brain to use pass-phrases instead. Decide on three or four words, like sitedomain.password.yourkeyphrase. Less memorization on my part, and no bot is going to figure out my 30 character password, unless I remove my tin foil cap. They can bite my shiny metal…
4a. Disable “post” access to wp-login.php by adding this text to the top of your .htaccess file:
<IfModule mod_rewrite.c>
RewriteEngine on
# Forbid (403) any POST to wp-login.php or wp-admin unless the Referer is our own site
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^http://(.*)?hackguard\.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]
</IfModule>
Just replace hackguard with your domain and save. Be careful to leave that “\” in place before your .com/.net/etc. This text simply prevents bots from “posting” against the default WordPress login script.* Keep in mind that the Referer header is supplied by the client and can be forged, so this stops the untargeted mass guessing described above rather than a bot written specifically for your site.
*Rumor has it that while this post blocking will stop most WordPress brute force attacks instantly, you cannot use this on a website which requires registration confirmation via a link back to your blog.
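To see exactly which requests the ruleset above forbids, here is an added Python model of its four conditions (example code, not from the original post). It assumes the domain hackguard.com from the snippet and a constructed set of sample requests, and it shows that a POST carrying a Referer from your own domain, which any client can send, passes through.

```python
import re

# Added model of the 4a ruleset: RewriteCond lines are ANDed, except the two
# REQUEST_URI lines, which the [OR] flag joins. Domain assumed: hackguard.com.
SITE_DOMAIN = "hackguard.com"

def own_referer(referer, domain=SITE_DOMAIN):
    """The HTTP_REFERER condition without its leading '!'; [NC] = ignore case."""
    return re.match(r"^http://(.*)?" + re.escape(domain),
                    referer or "", re.IGNORECASE) is not None

def targets_login(uri):
    """The two [OR]-joined REQUEST_URI conditions."""
    return (re.match(r"^(.*)?wp-login\.php(.*)$", uri) is not None
            or re.match(r"^(.*)?wp-admin$", uri) is not None)

def is_forbidden(method, referer, uri):
    """True when 'RewriteRule ^(.*)$ - [F]' fires for this request."""
    return method == "POST" and not own_referer(referer) and targets_login(uri)

# Constructed sample requests: (method, Referer header, REQUEST_URI, note)
SAMPLES = [
    ("POST", "", "/wp-login.php", "bot submitting guesses with no Referer"),
    ("GET", "", "/wp-login.php", "visitor loading the login form"),
    ("POST", "http://hackguard.com/wp-login.php", "/wp-login.php", "login from the form"),
    ("POST", "http://hackguard.com/", "/wp-login.php", "bot sending a forged Referer"),
    ("POST", "", "/wp-admin", "POST to wp-admin without trailing slash"),
    ("POST", "", "/wp-admin/", "trailing slash: wp-admin$ does not match"),
]

def classify(samples=SAMPLES):
    """Return (note, verdict) pairs; verdict is '403' or 'pass'."""
    return [(note, "403" if is_forbidden(m, ref, uri) else "pass")
            for m, ref, uri, note in samples]

if __name__ == "__main__":
    for note, verdict in classify():
        print(f"{verdict:>4}  {note}")
```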
4b. If the above .htaccess edit does not appear to be blocking connections as well as hoped, then try this last resort option: rename your wp-login.php file to something like wp-login123.php, then place a blank wp-login.php file in its place.
Then edit /wp-includes/general-template.php and replace every occurrence of wp-login.php with your new login file name. This change keeps bots from reaching your login page, which also reduces the MySQL load on your server.
*Just remember, your changes will be overwritten the next time you upgrade WordPress.
5. How do I restrict access to my WordPress login page?
If you are the only administrator and your IP address rarely or never changes, then try restricting access to your login page solely to you. Add this to the top of your .htaccess file:
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^0\.0\.0\.0$
RewriteRule ^(.*)$ - [R=403,L]
Configuration:
- Just replace 0.0.0.0 with your IP (careful to leave the backslashes in place).
- Hint: Google “what is my IP” to get your IP address.
- Likewise, duplicate the REMOTE_ADDR line for any other IPs you wish to give access to.
- Or leave it at 0.0.0.0 to fully block access to everyone, including that army of evil bots who may be attempting to break down your front door at this very moment.
And Voilà! Bots go Bye Bye!
6. How do I block a range of IP addresses?
Sadly, there may come a time when you simply need to block one or a range of IP addresses. The solution is simple enough. Just add this to the top of your .htaccess file:
# Block Mass IP Connections
<Limit GET POST PUT>
order allow,deny
allow from all
deny from 0.0.0.0
deny from 0.0.0.
</Limit>
Configuration:
- Replace 0.0.0.0 with the offending IP address.
- Blocking a range of IP addresses, for example 0.0.0.1 through 0.0.0.256, simply requires removing the fourth number and leaving the trailing period (.), as in the second deny line above.
- Note that Order/Allow/Deny is Apache 2.2 syntax; Apache 2.4 only honors it when mod_access_compat is loaded, and otherwise the equivalent is a <RequireAll> block containing Require all granted followed by a Require not ip line for each address or range.
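To find the addresses worth listing, here is an added Python script (not from the original post) that counts POSTs to wp-login.php per client IP in Apache combined-format access-log lines, constructed here as sample data, and prints deny lines in the format above, collapsing to a trailing-dot range when several hosts in the same /24 are attacking together. The thresholds are assumptions; tune them to your traffic.

```python
import re
from collections import Counter, defaultdict

# Constructed Apache "combined" access-log lines (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.1 - - [12/Apr/2013:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.0.2.2 - - [12/Apr/2013:10:00:11 +0000] "POST /wp-login.php?redirect_to=/ HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.0.2.3 - - [12/Apr/2013:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
"""

# Client IP, request method and path from a combined-format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')

def login_posts(lines):
    """Count POST requests to wp-login.php per client IP (query string ignored)."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?", 1)[0].endswith("/wp-login.php"):
            counts[m["ip"]] += 1
    return counts

def deny_lines(counts, per_ip=3, per_net=3):
    """Build 'deny from' lines for the <Limit> block: one per IP that made at
    least per_ip attempts, or one trailing-dot /24 entry (e.g. '192.0.2.')
    when several hosts in that /24 together made at least per_net attempts.
    Thresholds are assumed values, not from the original post."""
    nets = defaultdict(list)
    for ip, n in counts.items():
        nets[ip.rsplit(".", 1)[0] + "."].append((ip, n))
    out = []
    for net, members in sorted(nets.items()):
        if len(members) > 1 and sum(n for _, n in members) >= per_net:
            out.append(f"deny from {net}")
        else:
            out.extend(f"deny from {ip}" for ip, n in members if n >= per_ip)
    return out

if __name__ == "__main__":
    print("\n".join(deny_lines(login_posts(SAMPLE_LOG.splitlines()))))
```

Review the output before pasting it into .htaccess, since a deny line also cuts off any legitimate visitor behind the same address or range.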
And Enjoy!
I’ve posted a few basic article links below. Likewise, if you have questions just pick up the phone and call anytime, Jim Walker, The Hack Repair Guy, (619) 479-6637
- How to Block Bots from Seeing your Website – Bad Bots and Drive-by Hacks Explained
- xmlrpc.php and Pingbacks and Denial of Service Attacks, Oh My!
- WordPress Security Plugins Revealed