Protect Your WordPress wp-login.php from Brute Force Attacks

Protect Your WordPress wp-login.php from Brute Force Attacks

WordPress Brute Force Attacks are the rise and it’s necessary to know that your website is secure. Nowadays several large scale WordPress wp-login.php brute force attacks, coming from a lot of compromised IP addresses spread across the world since April 2013.A large botnet of around 90,000 compromised servers has been attempting and break into WordPress websites by continually trying to guess the username and password to get into the WordPress admin dashboard. From choosing a strong WordPress admin password to restricting access to your site, there are quite a few tactics that can lower your risk of being compromised by a brute force attack. While we  HIGHLY recommend implementing as many security solutions as possible for WordPress. https://codex.wordpress.org/Brute_Force_Attacks The following guides would be a great first step in protecting yourself and your WordPress site from further attacks.

Recommended steps to lock down and secure WordPress

  1. Avoid username “Admin”
    The majority of attacks assume people are using the username ‘admin’ due to the fact that early versions of WordPress defaulted to this. If you are still using this username, please avoid that, make a new account, transfer all the posts to that account, and change ‘admin’ to a subscriber (or delete it entirely).
  2. Choose a strong password
    First and foremost, using a strong, uncommon password makes a significant difference.
    – 
    At least 8 characters total
     Mixture of upper and lower-case letters
     Numbers, punctuation or other non-alphanumeric characters A strong password is necessary not just to protect your blog content. A hacker who gains access to your administrator account is able to install malicious scripts that can potentially compromise your entire server.
  3. Use plugins that prevent Brute Force Attacks.
    Various plugins have been created to specifically protect from these types of attacks. Many of these plugins are available for free from the WordPress Plugin Directory. Again, always keep your WordPress installation and plugins up to date.
    https://wordpress.org/plugins/tags/brute-force/
  4. Password Protect wp-login.

    Restricting access to a section of your website files (wp-admin) so only those with the password are able to view it. Password protection can be enabled via the .htaccess file, .htpasswd will also have no prefix.

    You can either put this file outside of your public web folder (i.e. not in /public_html/ or /domain.com/, depending on your host), or you can put it in the same folder, but you’ll want to do some extra security work in your .htaccess file if you do.

  5. Protect wp-admin based on your IP.
    If you are the only person who needs to login to your Admin area and you have a fixed IP address, you can deny wp-admin access to everyone but yourself via a .htaccess file.

    error_page  403  http://example.com/forbidden.html;
    location /wp-admin {
      deny    192.168.1.1;
      allow   192.168.1.0/24;
      allow   10.1.1.0/16;
      deny    all;
    }

    Note: Beware your ISP or computer may be changing your IP address frequently, this is called dynamic IP address, rather than fixed IP address. This could be used for a variety of reasons, such as saving money. If you suspect this to be the case, find out how to change your computer’s settings, or contact your ISP to obtain a fixed address, in order to use this procedure.

  6.  Deny Access to No Referrer Requests
    Usually, when a user makes a comment on your page or is trying to log in as the WordrPess admin there is a referring URL. Spammers and hackers typically access these pages directly – without the referring URL. You can block traffic with no referrer by adding this code to your .htaccess:
    # Stop spam attack logins and comments

    <IfModule mod_rewrite.c>

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login)\.php*
    RewriteCond %{HTTP_REFERER} !.*example.com.* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]

    </ifModule>

  7. Rename wp-admin.php
    The wp-login.php plugin for WordPress has been demonstrating its ability to thwart attempts to compromise websites, with its many layers of protection.
    One the most important of these layers is the user login protection system. wp-login down your WordPress login against automated bots and brute force login attacks.
    It does this using simple techniques. Rather than use complex analyses of IP addresses and the like, it takes advantage of how humans use websites versus automated bots.
    The result is a highly effective system that protects WordPress websites like no other. So install any of them to protect your wp-login.php https://wordpress.org/plugins/search/rename-wp-login/

Leave a Reply