Brute force attack (5 posts)

  1. ducktoes
    Posted 1 year ago #

    My site and two of my client sites are under brute force attack. Someone or a group of someones are constantly trying to login. I took away the admin user and they keep trying to get in with that anyway, several times a day. I have it locked down for a few hours on the real logins. Do you think this will go on forever? Is there any way I can change the login page to a different page they can't guess?
    That's my site.

  2. James Huff
    Volunteer Moderator
    Posted 1 year ago #

    Brute-force attacks last for a while, but never forever. I have mitigated most of the ones directed towards me with the following in my .htaccess file:

    <IfModule mod_rewrite.c>
    	RewriteEngine On
    	# Consecutive RewriteCond lines are ANDed: the request must be a POST ...
    	RewriteCond %{REQUEST_METHOD} POST
    	# ... to the login or comment endpoint ...
    	RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login)\.php*
    	# ... whose Referer does not name this site (or Jetpack), OR whose User-Agent is empty.
    	RewriteCond %{HTTP_REFERER} !.*(example.com|jetpack.wordpress.com).* [OR]
    	RewriteCond %{HTTP_USER_AGENT} ^$
    	# Such requests are redirected back to the client's own address instead of reaching WordPress.
    	RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]
    </IfModule>

    Just replace "example.com" with your domain, and if you aren't using Jetpack Comments, remove "|jetpack.wordpress.com".

    This prevents bots from directly hitting wp-login.php and wp-comments-post.php, which is how most bot-based brute-force and comment-spam attacks are carried out.

    You can add additional protection with brute-force plugins, like http://wordpress.org/plugins/bruteprotect/

    A word of warning, start with the .htaccess change. If you put the full load of the brute-force attack on a plugin, you will actually be doing more harm than good, as WordPress must now process every attempt to decide if it is brute-force. If you start with the .htaccess change, you will block most brute-force attacks at the gates and leave the plugin to catch any that got through.

  3. RossMitchell
    Posted 1 year ago #

    Good advice @Mac
    After you have addressed .htaccess you need to add a security plugin.

    There are many security plugins like "wordfence" and "All in one WordPress security" among others that help with brute force attacks. Suggest that you install one of these. My experience with attacks is that they come in cycles, you run hot, then you run cold.

  4. ducktoes
    Posted 1 year ago #

    Thank you for your help. If I use this .htaccess code, will I need to login myself in a different way?

    Also I installed Sucuri, that's how I know I'm getting so many failed logins.

  5. James Huff
    Volunteer Moderator
    Posted 1 year ago #

    Yes, make sure you log in from example.com/wp-admin/ and don't go to wp-login.php directly, sorry for not mentioning that!
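    An added example, not code from this thread: a small Python reimplementation of the RewriteCond logic in the .htaccess snippet above, run against constructed sample requests so you can see which ones the rule redirects and which reach WordPress. "example.com" stands in for the site's own domain, as in the snippet; the sample requests are made up for illustration.

```python
import re

# Offline reimplementation of the RewriteCond logic from the .htaccess snippet
# in this thread. "example.com" stands in for the site's own domain, exactly
# as in the snippet; replace it with the real domain when adapting this.
SITE_DOMAIN = "example.com"
URI_RE = re.compile(r".(wp-comments-post|wp-login)\.php*")
REFERER_RE = re.compile(r".*(" + re.escape(SITE_DOMAIN) + r"|jetpack.wordpress.com).*")

def is_blocked(method, uri, referer="", user_agent=""):
    """True when the RewriteRule would fire and redirect the client away.

    Consecutive RewriteCond lines are ANDed; the [OR] flag joins the referer
    test with the empty-user-agent test that follows it, so the rule fires for:
      POST  AND  login/comment endpoint  AND  (referer lacks the site OR UA empty)
    """
    if method != "POST" or not URI_RE.search(uri):
        return False
    referer_ok = REFERER_RE.search(referer) is not None
    return (not referer_ok) or user_agent == ""

# Constructed sample requests (not taken from the thread):
# (description, method, uri, referer, user_agent)
SAMPLES = [
    ("bot POSTing straight to wp-login.php, no Referer",
     "POST", "/wp-login.php", "", "python-requests/2.0"),
    ("bot sending a forged Referer but an empty User-Agent",
     "POST", "/wp-login.php", "https://example.com/wp-login.php", ""),
    ("browser submitting the site's own login form",
     "POST", "/wp-login.php", "https://example.com/wp-login.php", "Mozilla/5.0"),
    ("comment spam POST with no Referer",
     "POST", "/wp-comments-post.php", "", "Mozilla/5.0"),
    ("plain GET of the login page (rule covers POST only)",
     "GET", "/wp-login.php", "", "Mozilla/5.0"),
    ("Jetpack Comments submission",
     "POST", "/wp-comments-post.php", "https://jetpack.wordpress.com/", "Mozilla/5.0"),
    ("legitimate user whose browser or privacy extension strips the Referer",
     "POST", "/wp-login.php", "", "Mozilla/5.0"),
]

def evaluate(samples=SAMPLES):
    """Map each sample description to the rule's verdict: True = blocked, False = allowed."""
    return {desc: is_blocked(m, u, r, ua) for desc, m, u, r, ua in samples}

if __name__ == "__main__":
    for desc, blocked in evaluate().items():
        print(f"{'BLOCKED' if blocked else 'allowed'}: {desc}")
```

    The last sample is the side effect behind the advice in the final post: a login POST that carries no Referer naming the site is treated exactly like a bot, so check it against your own browser before relying on the rule.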
