Brute force attacks

Bots mostly, they’re a part of online life, like comment and email spam.

Bots will go around, hitting most login forms directly, trying popular username and password combinations, hoping to get in.

As long as you have a great password, you don’t have to worry about them getting in.

There are plugins to stop this, but I don’t recommend any of them, as that still puts load on your server. They generally won’t get in past these plugins, but the plugins still need to do the work of identifying and processing the hit.

Instead, add this to your .htaccess access file:

# Stop spam attack logins and comments
<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteCond %{REQUEST_METHOD} POST
	RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login)\.php*
	RewriteCond %{HTTP_REFERER} !.*(example.com|jetpack.wordpress.com).* [OR]
	RewriteCond %{HTTP_USER_AGENT} ^$
	RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]
</ifModule>

Replace example.com with your site, and if you aren’t using Jetpack Comments, remove “|jetpack.wordpress.com”.

This will not only block direct hits to your login and comment forms (which normal humans don’t do), it will also redirect them back to their “home” for an extra ounce of revenge. 😉

Via http://halfelf.org/2013/wp-login-protection-htaccess/

I suggest plugin over direct editing any of the files.

Generally, I’d say the same, but not in the case of BruteForce protection. As mentioned above, “There are plugins to stop this, but I don’t recommend any of them, as that still puts load on your server. They generally won’t get in past these plugins, but the plugins still need to do the work of identifying and processing the hit.”

Just to clarify, the .htaccess bit above will protect wp-login.php from direct hits, which is how most brute force attacks are carried out. It blocks them at the server level, rather than allowing them to reach a plugin, which will need to run via PHP, process the hit, and then query the MySQL database for any matches to existing blocks.

Essentially, it’s the difference between a door that is already closed to certain traffic (the .htaccess rule), and a door that is always open with a single security guard who needs to check each person as they enter (the plugin).

You’re welcome!

If it’s working, and you have no trouble access your site in a variety of browsers, I’d say you did the right thing. 🙂

I’m not sure personally, Akismet should be catching most if you’re using that.

A while back, I switched off Trackbacks and Pingbacks and have been blissfully Trackback and Pingback spam free, since it had been years since I received a legitimate Trackback or Pingback anyway. 🙂

You can set the default to turn those off for future posts/pages by unchecking “Allow link notifications from other blogs (pingbacks and trackbacks)” at Settings -> Discussion in your blog’s Dashboard.

For existing posts/pages, you’ll need to edit them and uncheck “Allow trackbacks and pingbacks on this page” in the Discussion box below the editor. If you don’t see the Discussion box below the editor, click the Screen Options tab near the top-right and check “Discussion.”

If you have a ton of posts, http://wordpress.org/plugins/wp-disable-comments/ and http://wordpress.org/plugins/simple-trackback-disabler/ look promising, but backup first: http://codex.wordpress.org/WordPress_Backups