Protecting WordPress Against Brute Force and Denial of Service Attacks

Web hosting companies around the world are seeing a radical increase in the number of WordPress brute force login attempts.

What is this article about?

My goal in writing this article is to provide tips on how to secure your website against brute force attacks.
Your neighbor may be attempting to hack your website at this very moment!

The days of mass denial of service attacks originating from Asia or Europe seem to have been overshadowed by attacks launched from compromised PCs in the good ol’ US of A. By some accounts, over 100,000 unique IP addresses were involved in the April 2013 attack, a good majority of which appeared to be compromised PCs in North America.
Six tips to block brute force attacks (from easiest to maybe a bit paranoid)


1. Why give bots a username to chew on?

Delete the “admin” and “administrator” usernames from your WordPress installations. WordPress will not let you rename a user from the dashboard, so create a new account with an unguessable username and the Administrator role, log in as that account, then delete the old one and attribute its posts to the new account when prompted. Keep in mind that author archives (/?author=1) and the REST API user listing can still reveal your real username, so this step takes the default guesses away from the bots rather than hiding the account outright.


2. Plugins are a man’s best friend.

WordPress plugins like these are well regarded options:

  • Captcha by BestWebSoft – zero setup required. Blocks automated password guessing attempts.
  • Wordfence or iThemes Security. Some setup required. Proactive security is key!
  • Botnet Attack Blocker – When moving or changing your wp-login.php is not an option, this plugin monitors for excessive connections from a single IP and blocks them in real time.
  • BruteProtect – Alternative to Botnet Attack Blocker. This plugin monitors connections, saves the bogus IP addresses to its database of bad addresses, then auto-blocks those same IP addresses on your website. Because this is essentially a crowd-sourced plugin, if the IPs hitting your site are not yet in the BruteProtect database it may not have an immediate effect in blocking bad connections.

One caveat applies to every plugin on this list: a plugin only runs after WordPress has loaded, so each blocked request still costs a PHP process and a database connection. Plugins stop the guessing; only web server rules like those in tips 4 and 5 below keep the traffic away from PHP entirely.


3. Forget what every security expert has told you about passwords and retrain your brain to use pass-phrases instead. Decide on three or four words, like sitedomain.password.yourkeyphrase, but treat that as a template rather than a recipe: your domain name and the word “password” are the first things a wordlist tries, so pick words an attacker cannot guess from your site. Less memorization on my part, and no bot is going to figure out my 30 character pass-phrase, unless I remove my tin foil cap. They can bite my shiny metal…


4a. Disable “post” access to wp-login.php by adding this text to the top of your .htaccess file:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
# Accept http or https; the host must be hackguard.com or one of its subdomains,
# and the "/" after it keeps look-alikes such as evil-hackguard.com from matching.
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?hackguard\.com/ [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]
</IfModule>

Just replace hackguard with your domain, and save. Be careful to leave that “\” in place before your .com/net/etc. (it makes the dot literal), and make sure the pattern also accepts https:// and does not pass a look-alike host such as evil-hackguard.com merely because it contains your domain name. This text simply prevents bots from “posting” against the default WordPress login script unless the login form was submitted from a page on your own site.*

*Rumor has it that while this post blocking will stop most WordPress brute force attacks instantly, you cannot use this on a website which requires registration confirmation via a link back to your blog. Two more caveats: the Referer header is supplied by the client, so a bot that sends your domain as its Referer walks straight through, and visitors whose browser or proxy strips the Referer header will be met with a 403 when they try to log in.


4b. If the above .htaccess edit does not appear to be blocking connections as well as hoped, then try this last resort option: rename your wp-login.php file to something like wp-login123.php, then place a blank wp-login.php file in its place.

Then edit /wp-includes/general-template.php and replace all wp-login.php text with your new login file name. This change prevents bots from connecting to your login page, thus reducing MySQL loading of your server.

*Just remember, your changes will be overwritten the next time you upgrade WordPress, so repeat them after every core update. Test the lost-password flow as well: the reset link in that email is built elsewhere in core and will point at the blank file.


5. How do I restrict access to my WordPress login page?

If you are the only administrator and your IP address rarely or never changes, then try restricting access to your login page solely to you. Add this to the top of your .htaccess file:

<IfModule mod_rewrite.c>
RewriteEngine on
# Applies to the login script or wp-admin (either condition) ...
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# ... when the client address is not the one listed; add one line per allowed IP
RewriteCond %{REMOTE_ADDR} !^0\.0\.0\.0$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

Configuration:

  • Just replace 0.0.0.0 with your IP (careful to leave the backslashes before each dot in place; without them a dot matches any character).
  • Hint: Google “what is my IP” to get your IP address.
  • Likewise, duplicate the REMOTE_ADDR line for other IPs you wish to give access to; each extra negated line is one more address the rule lets through.
  • Or leave it at 0.0.0.0 to fully block access to everyone, including that army of evil bots who may be attempting to break down your front door at this very moment.
  • If your site sits behind a CDN or reverse proxy, REMOTE_ADDR is the proxy’s address rather than the visitor’s, so this rule will lock you out (or admit everyone arriving through the proxy) unless the server is configured to trust the proxy’s forwarded client address.

And Voilà!  Bots go Bye Bye!
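The rules in tips 4a and 5 are regular expressions, and it is worth seeing exactly what they match before trusting them with the login page. The following Python script is an added example, not part of the original article: it re-implements the two rule sets with Python’s re module (a close enough stand-in for Apache’s PCRE for these patterns), runs them over constructed sample requests, and shows why the Referer pattern needs to allow https and be anchored to the host name. The hostname hackguard, the sample addresses and all function names are assumptions made for illustration.

```python
"""Model of the .htaccess rule sets from tips 4a and 5 (added example, not the article's code)."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Request:
    """Constructed sample request; fields mirror the Apache variables the rules test."""
    method: str
    uri: str
    referer: Optional[str]  # None models a browser that sends no Referer header at all
    remote_addr: str        # what Apache sees; behind a CDN or proxy this is the proxy's address


# Tip 4a's Referer pattern as printed on the page (http only, and nothing pins
# "hackguard.com" to the end of the host name, so "evil-hackguard.com" also passes).
PAGE_REFERER = re.compile(r"^http://(.*)?hackguard\.com", re.IGNORECASE)
# Tightened form (assumed): http or https, host is hackguard.com or a subdomain of it,
# and the "/" that follows stops "hackguard.com.evil.example" from matching.
HARDENED_REFERER = re.compile(r"^https?://([^/]+\.)?hackguard\.com/", re.IGNORECASE)

# The two REQUEST_URI conditions, exactly as the page writes them.
LOGIN_URI = re.compile(r"^(.*)?wp-login\.php(.*)$")
ADMIN_URI = re.compile(r"^(.*)?wp-admin$")


def targets_login(uri: str) -> bool:
    """The [OR]-joined pair of REQUEST_URI conditions."""
    return bool(LOGIN_URI.search(uri) or ADMIN_URI.search(uri))


def tip4a_blocks(req: Request, referer_re: "re.Pattern[str]" = HARDENED_REFERER) -> bool:
    """True when tip 4a's rule set answers 403 to this request.

    Apache ANDs the method, negated-Referer and URI conditions. A missing
    Referer header evaluates to the empty string, which the negated pattern
    accepts, so a POST without a Referer is refused.
    """
    if req.method != "POST":
        return False
    referer_ok = referer_re.search(req.referer or "") is not None
    return (not referer_ok) and targets_login(req.uri)


def allowlist_conditions(ips) -> list:
    """Build tip 5's negated REMOTE_ADDR lines, one per allowed address.

    Dots are escaped so "1.2.3.4" cannot also match "1x2x3x4", and anything
    that is not a dotted IPv4 address is rejected before it reaches .htaccess.
    """
    lines = []
    for ip in ips:
        if not re.fullmatch(r"(?:\d{1,3}\.){3}\d{1,3}", ip):
            raise ValueError(f"not an IPv4 address: {ip!r}")
        lines.append(f"RewriteCond %{{REMOTE_ADDR}} !^{re.escape(ip)}$")
    return lines


def tip5_blocks(req: Request, allowed_ips) -> bool:
    """True when tip 5's rule set answers 403: login URI and address not on the list.

    Each negated REMOTE_ADDR line ANDs with the rest, so the request is let
    through only when REMOTE_ADDR equals one listed address exactly.
    """
    return targets_login(req.uri) and req.remote_addr not in set(allowed_ips)


def _post(referer: Optional[str]) -> Request:
    """A login POST from a constructed client address with the given Referer."""
    return Request("POST", "/wp-login.php", referer, "198.51.100.7")


if __name__ == "__main__":
    cases = {
        "same-site, https": "https://hackguard.com/wp-login.php",
        "look-alike host": "http://evil-hackguard.com/",
        "suffix trick": "http://hackguard.com.evil.example/",
        "no Referer sent": None,
    }
    for name, ref in cases.items():
        page = tip4a_blocks(_post(ref), PAGE_REFERER)
        hard = tip4a_blocks(_post(ref))
        print(f"{name:17} page pattern blocks: {page!s:5}  hardened blocks: {hard}")
    print("\n".join(allowlist_conditions(["203.0.113.5"])))
```

Run as-is it prints the four Referer cases side by side: the page’s pattern refuses a genuine login submitted over https and waves through the two look-alike hosts, while the anchored pattern does the reverse. The same model answers, before you touch the live file, whether a given Referer or client address would get through.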

 

6. How do I block a range of IP addresses?

Sadly, there may come a time when you simply need to block one or a range of IP addresses. The solution is simple enough. Just add this to the top of your .htaccess file:

# Block Mass IP Connections
# (no <Limit> wrapper, so the block applies to every request method, not only GET, POST and PUT)
order allow,deny
allow from all
deny from 0.0.0.0
deny from 0.0.0.

Configuration:

  • Replace 0.0.0.0 with the offending IP address.
  • To block a whole range, for example 0.0.0.0 through 0.0.0.255, remove the fourth number and leave the trailing period (.), as in the second deny line; Apache reads the partial address as the /24 network, so 0.0.0.0/24 means the same thing.
  • These Order/Allow/Deny directives need mod_access_compat on Apache 2.4; if they produce a 500 error there, switch to the 2.4 Require directives instead.


And Enjoy!
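Knowing which address to put on the deny list is the hard part. The script below is an added example, not code from the article: it reads Apache combined-format access log lines, counts POSTs to wp-login.php that came back with HTTP 200 (WordPress redisplays the form with a 200 on a bad password and answers a good one with a 302 to wp-admin, so a 200 to a POST is the failure signal), and turns the noisy addresses into deny lines for the block above, collapsing to a whole /24 when several offenders share it. The log lines, thresholds and TEST-NET addresses are constructed for the example; xmlrpc.php brute forcing (see the article linked below) needs its own rule, since XML-RPC answers 200 whether the password was right or not.

```python
"""Derive tip 6's deny list from Apache access log lines (added example, not the article's code)."""
import ipaddress
import re
import sys
from collections import Counter, defaultdict

# Apache "combined" log format: ip ident user [time] "METHOD path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def failed_login_posts(log_text: str, target: str = "/wp-login.php") -> Counter:
    """Count, per client address, POSTs to the login script that came back with HTTP 200.

    A 200 to a POST is a redisplayed form, i.e. a failed attempt; GETs (people
    viewing the form) and 302s (successful logins) are ignored.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if m["path"].split("?", 1)[0].endswith(target):
            counts[m["ip"]] += 1
    return counts


def deny_rules(counts: Counter, threshold: int = 20, hosts_per_net: int = 3) -> list:
    """Turn the counts into "deny from" lines for the block in tip 6.

    Addresses with at least `threshold` failures are denied individually; when
    `hosts_per_net` or more offenders share one /24 (/64 for IPv6) the whole
    network is denied instead. "a.b.c.0/24" is what the page's "a.b.c." shorthand means.
    """
    by_net = defaultdict(list)
    for ip, n in counts.items():
        if n < threshold:
            continue
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 64
        by_net[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)].append(addr)
    lines = []
    for net in sorted(by_net, key=lambda n: (n.version, n)):
        hosts = by_net[net]
        if len(hosts) >= hosts_per_net:
            lines.append(f"deny from {net}")
        else:
            lines.extend(f"deny from {h}" for h in sorted(hosts))
    return lines


def _lines(ip: str, method: str, path: str, status: int, n: int) -> list:
    """n constructed combined-format lines for one client (sample data, not a real log)."""
    return [
        f'{ip} - - [10/Apr/2013:03:{i % 60:02d}:00 +0000] "{method} {path} HTTP/1.1" '
        f'{status} 512 "-" "Mozilla/5.0"'
        for i in range(n)
    ]


# Constructed sample log using documentation (TEST-NET) address ranges.
SAMPLE_LOG = "\n".join(
    _lines("203.0.113.7", "POST", "/wp-login.php", 200, 25)       # one noisy bot
    + _lines("198.51.100.10", "POST", "/wp-login.php", 200, 20)   # three bots in
    + _lines("198.51.100.11", "POST", "/wp-login.php", 200, 20)   #   the same /24
    + _lines("198.51.100.12", "POST", "/wp-login.php", 200, 20)
    + _lines("192.0.2.5", "GET", "/wp-login.php", 200, 2)         # a real user: views the
    + _lines("192.0.2.5", "POST", "/wp-login.php", 302, 1)        #   form, logs in once
    + _lines("192.0.2.9", "POST", "/wp-login.php", 200, 3)        # three typos, under threshold
)


if __name__ == "__main__":
    # Usage: python3 deny_list.py /var/log/apache2/access.log   (no argument runs the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    print("\n".join(deny_rules(failed_login_posts(text))))
```

On the sample it prints one /24 line for the three cooperating hosts and one single-address line for the lone bot; the genuine user and the visitor who mistyped a few times stay off the list. Feed it a slice of the live log (the last few thousand lines is plenty) rather than the whole history, or addresses that misbehaved months ago will be denied forever.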


I’ve posted a few basic article links below. Likewise, if you have questions just pick up the phone and call anytime, Jim Walker, The Hack Repair Guy, (619) 479-6637

  • How to Block Bots from Seeing your Website – Bad Bots and Drive-by Hacks Explained
  • xmlrpc.php and Pingbacks and Denial of Service Attacks, Oh My!
  • WordPress Security Plugins Revealed

© Copyright 2022 HackGuard.com™, HackRepair.com™,
The Hack Repair Guy™, Hack Repair Guy™
Content Approved By Jim Walker, The Hack Repair Guy