Protecting against brute force attacks
Hi,
I’ve been having issues with brute force login attacks against my WP install for the past few months, which have managed to bring the server down a couple of times. This is despite having BPS Security and Wordfence installed. Actually, I’m not sure whether Wordfence could be part of the problem, as it obviously takes resources to check and block IPs in this way. Going by the ‘block’ records, there can be many attempts from lots of different IPs within a short space of time.
So I was obviously interested by the ‘extra brute force protection’ code that popped up from BPS Security in my admin area and I added the following code to the htaccess wizard as you suggested:
# Protect wp-login.php from Brute Force Login Attacks based on Server Protocol
# All legitimate humans and bots should be using Server Protocol HTTP/1.1
RewriteCond %{REQUEST_URI} ^/wp-login\.php$
RewriteCond %{THE_REQUEST} HTTP/1\.0
# "-" keeps the URL unchanged; [F] returns 403 Forbidden and [L] stops processing further rules
RewriteRule ^(.*)$ - [F,L]

I want customers to be able to log in still, so the IP-based login restriction wasn’t right for me, but the above seemed to work. But still getting lots of brute force attacks, I wondered whether there was anything else that could be done by the htaccess files to stop things getting as far as Wordfence blocking.
After a search, I found a few interesting articles and put together the following code which I have also added to my htaccess wizard:
# Protect wp-login and wp-comments-post by checking referrer is own website
<IfModule mod_rewrite.c>
RewriteEngine On
# Only form submissions (POST) to the login or comment handler are checked
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login)\.php*
# Deny if the Referer is not this site, OR if the User-Agent header is empty
RewriteCond %{HTTP_REFERER} !.*example\.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule ^(.*)$ - [F,L]
</IfModule>

As I understand it, this looks for the referrer when someone requests the login or comments pages and, if it isn’t the website address (example.com above), then it blocks them. Nice that it works both for brute force login attempts against the WP login page and against automated spam bots.
So I just wanted to paste the code here to get your opinion of whether it is likely to be useful, and whether it could be improved in any way? Could it be combined with the top code that you have already suggested perhaps?
It seems to be working for me – Wordfence has only blocked a couple of login attempts (with non-existent usernames) in the past couple of days, as opposed to countless before that (but this might just be a lull in the attacks?). Also, the obviously automatically generated login attempts (usernames of admin and my domain name) seem to have stopped; the ones getting through to Wordfence seem to have more human-generated usernames.
Thoughts, comments or suggestions gratefully received!
James 🙂
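The post asks whether the rules are really responsible for the quieter Wordfence logs or whether this is just a lull. One way to answer that from the server's own evidence is to read the Apache access log for requests to wp-login.php and wp-comments-post.php, count how many each IP made and how many came back as 403, and compare the logged status with what the two posted rule sets should have done. The script below is an added example and not code from the poster, from BPS Security or from Wordfence; it assumes the default "combined" log format and that the site is example.com as in the rules above, and the log lines it runs on are constructed. It also surfaces the rule's main side effect: a real browser whose Referer header is stripped (some privacy extensions and proxies do this) is denied exactly like a bot, so those denials are listed separately for review.

```python
import re
from collections import defaultdict

# Apache "combined" LogFormat: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SITE_HOST = "example.com"   # assumed site name, matching the referrer check in the posted rules
PROTECTED = ("/wp-login.php", "/wp-comments-post.php")


def parse_line(line):
    """Return a dict of request fields, or None for a line not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req["status"] = int(req["status"])
    req["path"] = req["path"].split("?", 1)[0]      # REQUEST_URI has no query string
    # Apache logs "-" for an absent header; mod_rewrite sees the variable as empty
    for key in ("referer", "ua"):
        if req[key] == "-":
            req[key] = ""
    return req


def modelled_denial(req):
    """Name the posted rule set that would return 403 for this request, or None."""
    if req["path"] == "/wp-login.php" and req["proto"] == "HTTP/1.0":
        return "http10"
    if req["method"] == "POST" and req["path"] in PROTECTED:
        if SITE_HOST not in req["referer"] or req["ua"] == "":
            return "referer"
    return None


def summarize(lines):
    """Per-IP request/denied counts on the protected scripts, plus two review lists:
    mismatches, where the model and the logged status disagree (rules not active yet,
    or a denial the rules do not explain), and likely false positives, where a
    browser-like client was denied only because no Referer was sent."""
    per_ip = defaultdict(lambda: {"requests": 0, "denied": 0})
    mismatches, false_positives = [], []
    for line in lines:
        req = parse_line(line)
        if req is None or req["path"] not in PROTECTED:
            continue
        stats = per_ip[req["ip"]]
        stats["requests"] += 1
        denied = req["status"] == 403
        stats["denied"] += int(denied)
        reason = modelled_denial(req)
        if denied != (reason is not None):
            mismatches.append((req["ip"], req["method"], req["path"], req["status"]))
        # Heuristic only: bots can send a browser User-Agent too, so this is a list to review
        if denied and reason == "referer" and req["referer"] == "" and req["ua"].startswith("Mozilla/"):
            false_positives.append(req["ip"])
    return dict(per_ip), mismatches, false_positives


# Constructed sample log (documentation IP ranges), not real traffic
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2013:13:55:36 +0000] "POST /wp-login.php HTTP/1.0" 403 199 "-" "-"
203.0.113.10 - - [10/Oct/2013:13:55:37 +0000] "POST /wp-login.php?action=login HTTP/1.0" 403 199 "-" "-"
198.51.100.7 - - [10/Oct/2013:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 403 199 "http://evil.invalid/" "Mozilla/5.0 (compatible; bot)"
198.51.100.7 - - [10/Oct/2013:13:56:02 +0000] "POST /wp-comments-post.php HTTP/1.1" 200 512 "-" "-"
192.0.2.55 - - [10/Oct/2013:14:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0 (Windows NT 6.1)"
192.0.2.55 - - [10/Oct/2013:14:01:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1)"
192.0.2.99 - - [10/Oct/2013:14:05:00 +0000] "POST /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0 (Windows NT 6.1)"
"""

if __name__ == "__main__":
    per_ip, mismatches, false_positives = summarize(SAMPLE_LOG.splitlines())
    for ip, stats in sorted(per_ip.items(), key=lambda kv: -kv[1]["requests"]):
        print(f"{ip:15} requests={stats['requests']} denied={stats['denied']}")
    print("status disagrees with rules:", mismatches)
    print("denied browsers with no Referer (check these):", false_positives)
```

In the sample, the HTTP/1.0 attempts and the bot posting with a foreign referrer are denied as the rules intend; the comment POST that came back 200 shows up as a mismatch (in a real log that usually means the request predates the rule, or the rule is in a different .htaccess than the one serving the script), and 192.0.2.99 is flagged because a browser-like client was refused purely for sending no Referer. Run it against a real log with `summarize(open("access.log").readlines())` after setting SITE_HOST to the real domain.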