How to: Prevent Bruteforce Login Attacks on Your WordPress Installation
We recently suffered a brute force login attack on one of my servers which was causing some sites to be unreachable and the server load was sky-high. After installing a logging script on the server we found out that the problem was caused on one installation of WordPress – hackers were using a script to try and guess the password of the admin account. After identifying the problem we were able to prevent this from continuing but not after some downtime to various websites resulting in a loss of income for my company.
In this post I’m going to talk you through a few methods to prevent this so the same doesn’t happen to you.
Change Admin Username
This is mentioned all the time, but it really is an important step – don’t use “admin” as your admin username, pick something unique for each site. This was the cause of the problem with my site, I had the admin username as admin so this was the main reason for the attack. Because the hacker knows the username is admin, they are half-way to getting the login details and can use a brute-force script to try many different passwords in combination with the username. If the username is something they don’t know, this type of attack is not really possible.
If you are using PHP hosting which most WordPress installations will do, you can use a .htpassword file and .htaccess to prevent anyone even loading your wp-login.php file unless they know the username and password to do so – this provides an extra layer of security as there is now two lots of username and passwords to access your WordPress admin area. This is fairly simple to setup, you will need to know the server path to your website which will be something like: home/website
First you need to generate a htpasswd, you can do that on this site. Enter a username, click “Generate Password” and then click “Generate htpassword content” and save the text from the right hand box as a file named .htpasswd ( with no extension ) and upload this to your hosting, outside the public_html directory.
Now you need to add the following to your .htaccess file which points to the location of your htpasswd file :
[php]# Stop Apache from serving .ht* files
&lt;Files ~ &quot;^\.ht&quot;&gt; Order allow,deny Deny from all &lt;/Files&gt;
# Protect wp-login
AuthName “Private access”
require user mysecretuser
Change “~/.htpasswd” to the location of your .htpasswd file and change “mysecretuser” to the username you chose when creating the htpasswd file.
Limit Access to Your Admin Area by IP Address
If you are the only person who needs access to your WordPress admin area and you have a static IP address, you can limit access to yourself only by adding a rule in an .htaccess file within your wp-admin directory. The code to use is :
# Block access to wp-admin. order deny,allow allow from x.x.x.x deny from all
Just change x.x.x.x for your actual IP address, which you can find out here.
There are a number of plugins you can use which will further enhance your login security, as follows.
Limit Login Attempts
This free plugin will allow you to block IP addresses if they get the password incorrect a number of times, you can set the allowed retries and the amount of time that IP address is blocked for. This is perfect for preventing brute force hacking attempts, you can also log the IP address and receive an email notification when a user is locked out.
Here you can see a log of the attempts that are blocked:
Rublon is a free plugin we have reviewed here on WPLift, it works by using “Two factor Authentification” to protect your WordPress login, you can setup trusted devices from which you can access the admin area such as your home PC, Work PC, phone and so on and it will deny logins from any other devices not on your “Trusted” list. It’s a a really solid plugin so highly recommend you check it out.
Rename wp-login.php is a very light plugin that lets you easily and safely change wp-login.php to anything you want. It doesn’t literally rename or change files in core, nor does it add rewrite rules. It simply intercepts page requests and works on any WordPress website. The wp-admin directory and wp-login.php page become inaccessible, so you should bookmark or remember the url. Deactivating this plugin brings your site back exactly to the state it was before.
All In One WP Security & Firewall
Finally if you are looking for a complete security solution for your WordPress site you should take a look at this one. It has a large amount of features to completely secure yourself against attack :
- User accounts security
- User login security
- User registration security
- Database Security
- htaccess and wp-config.php File Backup and Restore
- Blacklist Functionality
- Firewall Functionality
- Brute force login attack prevention
- WhoIs Lookup
- Security Scanner
- Comment SPAM Security
- Front-end Text Copy Protection
There are a few ways to better secure your admin login from hackers – the easiest and most effective is to simply not use “admin” as your username – if you are then a highly recommend you change it now to something unique to your site. If your website is quite popular and you find you are still having problems with brute force attacks then using one of the methods or plugins from above should help even further.