Title: Blocking Brute Force Attacks
Last modified: August 21, 2016

---

# Blocking Brute Force Attacks

 *  [patrickhealy](https://wordpress.org/support/users/patrickhealy/)
 * (@patrickhealy)
 * [13 years ago](https://wordpress.org/support/topic/blocking-brute-force-attacks/)
 * I’ve set Wordfence to automatically block any IP that tries to log in to my site 
   with an invalid username. I have set it to block that IP for 60 days; however, 
   I’m seeing that Wordfence is only blocking for 2 hours (the setting I have for
   fake Google bots or those that ping my site too frequently). Am I missing something?
 * [http://wordpress.org/extend/plugins/wordfence/](http://wordpress.org/extend/plugins/wordfence/)

Viewing 15 replies - 1 through 15 (of 20 total)


 *  [BeautyPirate](https://wordpress.org/support/users/beautypirate/)
 * (@beautypirate)
 * [13 years ago](https://wordpress.org/support/topic/blocking-brute-force-attacks/#post-3668589)
 * 2 hours is more than enough to make an automatic script stop. They would need
   CENTURIES to proceed at that speed.
 *  Thread Starter [patrickhealy](https://wordpress.org/support/users/patrickhealy/)
 * (@patrickhealy)
 * [13 years ago](https://wordpress.org/support/topic/blocking-brute-force-attacks/#post-3668595)
 * I guess my point is, why bother letting me set it to 60 days if it doesn’t do
   it? I’m getting blasted by bots right now and I’d like to get a break from the
   emails I get every time one of them tries.
 *  [Mark de Scande BlogLines](https://wordpress.org/support/users/bloglines/)
 * (@bloglines)
 * [13 years ago](https://wordpress.org/support/topic/blocking-brute-force-attacks/#post-3668601)
 * Hello There
 * I must give you my 2 cents
 * I feel your pain. I was also hit by a bunch of bots over the last 3 weeks, super
   painful. I have posted about it on [bloglines.co.za](http://bloglines.co.za/);
   I hope it helps with killing all the bots.
 * As a side note:
    I have 1500 permanent IP blocks in CSF; this seems to help.
 * Thank you Kindly
    Mark
 *  [JacobN](https://wordpress.org/support/users/jacobn/)
 * (@jacobn)
 * [13 years ago](https://wordpress.org/support/topic/blocking-brute-force-attacks/#post-3668630)
 * I’m not sure if you guys are aware, but there has actually been a recent large 
   scale WordPress login brute force attack going on.
 * _[ Copy deleted. Please stop spamming the forums with your links. ]_
 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [13 years ago](https://wordpress.org/support/topic/blocking-brute-force-attacks/#post-3668631)
 * **[@jacobn](https://wordpress.org/support/users/jacobn/)** Could you please stop
   posting repeatedly that link and copy to your site? That’s called spamming and
   it’s not permitted here.
 * For advice about the brute force attack refer to this link.
 * [http://wordpress.org/support/topic/brute-force-attacks-and-wordpress?replies=2](http://wordpress.org/support/topic/brute-force-attacks-and-wordpress?replies=2)
 * Which has some really good and well vetted advice via this Codex article.
 * [http://codex.wordpress.org/Brute_Force_Attacks](http://codex.wordpress.org/Brute_Force_Attacks)
 *  [JacobN](https://wordpress.org/support/users/jacobn/)
 * (@jacobn)
 * [13 years ago](https://wordpress.org/support/topic/blocking-brute-force-attacks/#post-3668632)
 * [@jan](https://wordpress.org/support/users/jan/) my apologies, I wasn’t trying
   to spam, if you read through the link it’s just trying to provide help for people
   having these issues. I had built my guide off of the reference material I had
   seen floating around a lot of places regarding this recent attack.
 * Most of our customers were struggling following codexs and other technical guides,
   so just thought others might also benefit from the easy steps with screen shots
   and what not.
 * I’ll go ahead and stop linking to it, as most people right now are just coming
   to it from Google searches, but figured people directly searching here might 
   benefit as well.
 * Sorry again.
 * – Jacob
 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [13 years ago](https://wordpress.org/support/topic/blocking-brute-force-attacks/#post-3668633)
 * Jacob, thanks I do appreciate your understanding and I know you had good intentions.
   🙂
 * But please, don’t do that again. If you want to assist people here that would
   be great and you’d be helping lots of people. You can see there’s many people
   who need assistance for WordPress related issues.
 *  [JacobN](https://wordpress.org/support/users/jacobn/)
 * (@jacobn)
 * [13 years ago](https://wordpress.org/support/topic/blocking-brute-force-attacks/#post-3668634)
 * [@jan](https://wordpress.org/support/users/jan/), no problem at all. I’ll keep
   it to just text help going forward 🙂
 *  Thread Starter [patrickhealy](https://wordpress.org/support/users/patrickhealy/)
 * (@patrickhealy)
 * [13 years ago](https://wordpress.org/support/topic/blocking-brute-force-attacks/#post-3668641)
 * I’m very aware of the brute force attacks. Thank you for the reminder though 
   [@jacob](https://wordpress.org/support/users/jacob/). Those attacks are what’s
   prompted me to tighten up the tolerance of them. If someone tries to sign into
   one of my sites with an invalid username or resets the password more than twice
   I want them blocked for 2 months. For whatever reason it’s only happening for
   2 hours despite me adjusting the settings.
 * I’ve tried to block entire countries with another plugin but that doesn’t seem
   to be working. I see it works for others but not me. Don’t know why. I think 
   if I can block China, Russia, Romania, and Germany I’ll get very little attacks.
 *  [JacobN](https://wordpress.org/support/users/jacobn/)
 * (@jacobn)
 * [13 years ago](https://wordpress.org/support/topic/blocking-brute-force-attacks/#post-3668650)
 * Hey [@patrickhealy](https://wordpress.org/support/users/patrickhealy/),
 * I had linked to an article I wrote on protecting against these types of attacks,
   but WordPress doesn’t want external sources posted here.
 * Basically I’d recommend not relying on WordPress login limit or security plugins
   for this type of attack. If you’re on a Linux web-host, you can just use some
   simple **.htaccess** rules to block everyone out of your admin but yourself.
 * The current brute force attacks that have been taking place are not POST’ing
   to the **wp-login.php** script with a proper referer being passed. So if you 
   require a proper referer to be passed, this can block those. Then you can lock
   it down even further with IP allow rules to only allow yourself in.
 * If your domain name was **example.com**, and your IP addresses that needed to
   access the WordPress admin were **123.123.123.123** and **123.123.123.124** I’d
   recommend using these rules:
 *     ```
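       <IfModule mod_rewrite.c>
       RewriteEngine on
       # Conditions are ANDed; the two REQUEST_URI lines joined by [OR] act as one group.
       # Match POST requests...
       RewriteCond %{REQUEST_METHOD} POST
       # ...whose Referer header does not match http://...example.com...
       RewriteCond %{HTTP_REFERER} !^http://(.*)?example\.com [NC]
       # ...aimed at wp-login.php or at a path ending in wp-admin...
       RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
       RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
       # ...and not coming from either listed admin IP.
       RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
       RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.124$
       # Answer every such request with 403 Forbidden.
       RewriteRule ^(.*)$ - [F]
       </IfModule>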
       ```
   
 * An even further level of protection would be to employ a secondary **.htaccess**
   password, you would want to fully password protect the **/wp-admin** directory,
   and then in your **.htaccess** file in the WordPress root directory you’d also
   add that password protection to your **wp-login.php** script with these rules:
 *     ```
       <FilesMatch "wp-login.php">
       AuthType Basic
       AuthName "Secure Area"
       AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
       require valid-user
       </FilesMatch>
       ```
   
 * Also using the **.htaccess** file you can Google for “country IP blocks” and 
   then simply block entire countries that you don’t want to have access as well.
 * Once you start locking down and securing WordPress this way, I’d then recommend
   simply checking on your website’s access-logs every so often, if one IP has been
   continually hitting your **wp-login.php** script and getting 403 access denied
   errors from the **.htaccess** rules, you could then start to block them at your
   server’s firewall to prevent any further attempts from even making it to the 
   site.
 * – Jacob
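
The access-log check described at the end of the post above, as an added example that is not part of the original thread or of Jacob's rules: it counts 403 responses on **wp-login.php** per client IP and lists the addresses that pass a threshold as candidates for a firewall block. The Apache "combined" log format, the threshold of 3, the sample log lines and the function names are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample in Apache "combined" format; client IPs other than the
# post's example admin address are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 403 212 "-" "bot"
203.0.113.7 - - [14/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 403 212 "-" "bot"
203.0.113.7 - - [14/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 403 212 "-" "bot"
203.0.113.7 - - [14/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 403 212 "-" "bot"
198.51.100.23 - - [14/Apr/2013:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 403 212 "-" "bot"
198.51.100.23 - - [14/Apr/2013:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 403 212 "-" "bot"
198.51.100.23 - - [14/Apr/2013:10:01:09 +0000] "GET /private/ HTTP/1.1" 403 199 "-" "bot"
192.0.2.50 - - [14/Apr/2013:10:02:00 +0000] "POST /blog/wp-login.php?action=lostpassword HTTP/1.1" 403 212 "-" "bot"
192.0.2.50 - - [14/Apr/2013:10:02:01 +0000] "POST /blog/wp-login.php HTTP/1.1" 403 212 "-" "bot"
192.0.2.50 - - [14/Apr/2013:10:02:02 +0000] "POST /blog/wp-login.php HTTP/1.1" 403 212 "-" "bot"
123.123.123.123 - - [14/Apr/2013:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0"
garbage line that is not a log entry
"""

# client IP, ident, user, [timestamp], "METHOD path protocol", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def denied_login_hits(log_text):
    """Count 403 responses on wp-login.php (any method, any directory) per client IP."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of guessing at their fields
        path = m.group("path").split("?", 1)[0]  # ignore the query string
        if m.group("status") == "403" and path.endswith("/wp-login.php"):
            hits[m.group("ip")] += 1
    return hits

def firewall_candidates(log_text, threshold=3, allow=()):
    """Sorted IPs with at least `threshold` denied hits, never including `allow`."""
    hits = denied_login_hits(log_text)
    return sorted(ip for ip, n in hits.items() if n >= threshold and ip not in allow)

if __name__ == "__main__":
    print(firewall_candidates(SAMPLE_LOG, allow=("123.123.123.123", "123.123.123.124")))
```

Passing your own admin addresses in `allow` keeps a mistyped password or a misconfigured rule from putting your own IP on the block list.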
 *  Thread Starter [patrickhealy](https://wordpress.org/support/users/patrickhealy/)
 * (@patrickhealy)
 * [13 years ago](https://wordpress.org/support/topic/blocking-brute-force-attacks/#post-3668658)
 * I called my host about this and they said to put that in place would do the job
   but it would severely slow down the performance of the site so I opted not to.
   Right now if someone tries to log in with an invalid user name they get blocked
   for a couple of hours. That will do the job for now but I get an email every 
   time that happens from Wordfence (my option) so I can tell and the emails are
   just rolling in. It gives me anxiety. I’d rather just block the whole country
   since I’ll never do business with any of them.
 *  [Mark de Scande BlogLines](https://wordpress.org/support/users/bloglines/)
 * (@bloglines)
 * [13 years ago](https://wordpress.org/support/topic/blocking-brute-force-attacks/#post-3668659)
 * [@patrickhealy](https://wordpress.org/support/users/patrickhealy/)
 * 1) Have you tried Cloudflare?
 * 2) The emails: I have no fix for them
 * Thank you Kindly
    Mark de Scande
 *  Thread Starter [patrickhealy](https://wordpress.org/support/users/patrickhealy/)
 * (@patrickhealy)
 * [13 years ago](https://wordpress.org/support/topic/blocking-brute-force-attacks/#post-3668660)
 * [@mark](https://wordpress.org/support/users/mark/), ironically, I have that installed
   on one of my sites but for the life of me I can’t figure out a way to do the 
   country blocking. That was actually my first choice but it isn’t clear as to 
   how to do this.
 *  [Mark de Scande BlogLines](https://wordpress.org/support/users/bloglines/)
 * (@bloglines)
 * [13 years ago](https://wordpress.org/support/topic/blocking-brute-force-attacks/#post-3668661)
 * [@patrickhealy](https://wordpress.org/support/users/patrickhealy/)
 * Hello there
 * 1) Log in To CloudFlare
 * 2) Click on Dash Boards
 * 3) Click on Threat control
 * 4) Add custom rule bottom of the page
 * 5) Type China and press Block
 * This is about the easy way of doing it
 * I must say I use:
 * 1) CloudFlare (Security High)
 * 2) CSF (Security High)
 * 3) Mod_Sec (Standard Rule Set out the box)
 * 4) PHP suhosin (Standard Rule Set out the box)
 * 5) cPHulk Brute Force Protection (Standard Rule Set out the box)
 * 6) WordFence (Security High)
 * Overall the systems are in place, but if I don’t keep all my plugins and stuff
   up to date it will all be in vain.
 * So as a note, if there is an update, don’t think, just press that button 🙂
 * Thank you Kindly
    Mark de Scande Webmaster BlogLines.co.za
 *  Thread Starter [patrickhealy](https://wordpress.org/support/users/patrickhealy/)
 * (@patrickhealy)
 * [13 years ago](https://wordpress.org/support/topic/blocking-brute-force-attacks/#post-3668662)
 * Wow, they’ve updated the settings. It was never this easy. Thanks for the heads
   up. I’ve blocked a bunch of the bad guys. Let’s see if this tones things down.


The topic ‘Blocking Brute Force Attacks’ is closed to new replies.


 * 20 replies
 * 9 participants
 * Last reply from: [qwerty_123](https://wordpress.org/support/users/qwerty_123/)
 * Last activity: [12 years, 1 month ago](https://wordpress.org/support/topic/blocking-brute-force-attacks/page/2/#post-3668782)
 * Status: not resolved