Prevent Brute Force Attacks in WordPress

Posted on December 24th, 2019

A brute force attack is a trial-and-error method in which attackers try to gain access to a website by submitting different combinations of usernames and passwords until one works. These attacks succeed against websites with weak credentials; for example, they mainly hit sites that use a username and password like ‘admin’ and ‘12345’.

A brute force attack can also exhaust the server’s memory, because every login attempt is an HTTP request (each request being one visit to the site) and the attack sends a very large number of them. This degrades the performance of the website for everyone.

How to Prevent Brute Force Attacks

Attackers hammer the ‘wp-login.php’ file over and over again until they get in or the server falls over. The following measures help prevent brute force attacks:
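To see whether wp-login.php is being hammered, the following script (an added example, not part of the original post) counts login POSTs per client IP in a standard combined-format Apache/Nginx access log and reports the IPs above a threshold. The log lines and the threshold of 2 are constructed for the demo.

```shell
#!/bin/sh
# Count POST requests to wp-login.php per client IP in a "combined" format
# access log and report the IPs above a threshold. Assumes the default
# Apache/Nginx combined log format; the log lines below are constructed.

# Constructed sample log: one legitimate login, one host hammering wp-login.php.
SAMPLE_LOG='203.0.113.15 - - [24/Dec/2019:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.7 - - [24/Dec/2019:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3451 "-" "-"
198.51.100.7 - - [24/Dec/2019:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3451 "-" "-"
198.51.100.7 - - [24/Dec/2019:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3451 "-" "-"
198.51.100.7 - - [24/Dec/2019:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 3451 "-" "-"
192.0.2.9 - - [24/Dec/2019:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"'

# login_attempts LOGFILE: prints "<count> <ip>" for every IP that POSTed to
# wp-login.php, busiest IP first. In the combined format $1 is the client IP,
# $6 is the quoted request method and $7 is the request path.
login_attempts() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
         END { for (ip in n) printf "%d %s\n", n[ip], ip }' "$1" | sort -rn
}

# suspicious_ips LOGFILE THRESHOLD: IPs with more than THRESHOLD login POSTs,
# i.e. candidates for a Limit Login Attempts block or a firewall rule.
suspicious_ips() {
    login_attempts "$1" | awk -v t="$2" '$1 > t { print $2 }'
}

# Stand-alone demo: write the constructed log to a temp file and report on it.
TMP_LOG=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$TMP_LOG"
echo "Login POSTs per IP:"
login_attempts "$TMP_LOG"
echo "IPs with more than 2 login POSTs:"
suspicious_ips "$TMP_LOG" 2
rm -f "$TMP_LOG"
```

On a real server point it at the access log (and tune the threshold to your traffic); GET requests for the login page are deliberately ignored, since only POSTs carry a credential guess.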

1) Always Use an Unusual Username

In early versions of WordPress the username ‘admin’ was the default, so attackers assume that many sites still use it. It is advisable to change the username, for example with the “Change Username” plugin. Do not keep an easy username like “admin”, “administrator” or “boss”; make sure it is unusual enough that nobody can guess it.

2) Create a Complex and Strong Password

A strong password stops others from guessing it and so defeats a brute force attack. Many ‘automatic password generators’ are available for producing a secure password. The WordPress password strength meter checks that the password is strong enough when you change it, and the ‘Force Strong Password’ plugin can require users to set strong passwords.

Some of the things which need to be kept in mind while choosing a password are:

  1. Avoid using any permutation of your name, username, company name, or name of your website.
  2. Don’t use any word from a dictionary, in any language.
  3. Avoid short passwords.
  4. Always try to use alpha-numeric passwords.

It is always recommended to enable “Two-Step Authentication” on your website for more security.

3) Use Security Plugins

There are many plugins available for WordPress to limit the number of login attempts made to the website like Limit Login Attempts, IP Geo Block, etc. Also, you can completely block someone from accessing wp-admin by using different plugins like Loginizer, WP Custom Admin Interface, Admin Menu Editor, etc.

4) Password Protect wp-login.php File

Password-protecting your ‘wp-login.php’ file adds an extra layer of security to your site. To do this, create a ‘.htpasswd’ file. It can be placed under your public folder or in the same folder as .htaccess, but if it sits in the same folder as .htaccess you also need to add some extra protection for it in the .htaccess file.

After uploading the .htpasswd file to the server, reference it from the .htaccess file to protect the routes you want. For instance, if you uploaded the .htpasswd file to the home directory and it contains the user asecretuser, add the following to your .htaccess file.

# stop Apache from serving .ht* files
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
# Protect wp-login.php
<Files wp-login.php>
    # AuthUserFile must be an absolute path (Apache does not expand ~);
    # replace username with your account name
    AuthUserFile /home/username/.htpasswd
    AuthName "Private access"
    AuthType Basic
    Require user asecretuser
</Files>

The “AuthUserFile” location depends on your server, and the “Require user” line changes based on the username you pick.

In Nginx, the ‘HttpAuthBasicModule’ (ngx_http_auth_basic_module) protects the wp-login.php file; add the following block inside your server block.

# The exact match (=) matters: a plain prefix location would lose to the usual
# "location ~ \.php$" block and the password prompt would never appear.
location = /wp-login.php {
    auth_basic "Administrator Login";
    auth_basic_user_file .htpasswd;
    # this block now handles the request itself, so repeat the fastcgi
    # directives (fastcgi_pass, include fastcgi_params, ...) from your PHP location here
}

The .htpasswd path is relative to the ‘nginx.conf’ file, and the file must have the following format:

user:pass
user2:pass2
user3:pass3

The passwords must be hashed with the crypt(3) function, so use an ‘htpasswd generator’ (or the htpasswd tool) to produce the entries rather than writing plaintext passwords.

5) Limit Access to wp-login.php by IP

If you always log in to your admin area from a fixed IP address, you can deny everyone else access to wp-login.php using the ‘.htaccess’ file (or the ‘web.config’ file on IIS). This is known as IP whitelisting.

To allow only one IP address (e.g., 203.0.113.15) to access the admin area, create a file named .htaccess (or edit the existing one) and add the following code:

# Block access to wp-login.php (Apache 2.2 syntax); 203.0.113.15 is the example address
<Files wp-login.php>
    order deny,allow
    allow from 203.0.113.15
    deny from all
</Files>

If you want to allow more than one IP address, edit the .htaccess file as below.

# Block access to wp-login.php, allowing several example addresses
<Files wp-login.php>
    order deny,allow
    allow from 203.0.113.15
    allow from 203.0.113.16
    allow from 203.0.113.17
    deny from all
</Files>

If you are using Apache 2.4, where access control comes from the Require directive (mod_authz_host), the syntax is different:

# Block access to wp-login.php (Apache 2.4 syntax)
<Files wp-login.php>
    Require ip 203.0.113.15
</Files>

To access the admin using multiple IP addresses in Apache 2.4, you can add:

# Block access to wp-login.php (Apache 2.4, several example addresses)
<Files wp-login.php>
    Require ip 203.0.113.15 203.0.113.16 203.0.113.17
    # or for the entire network:
    # Require ip 203.0.113.0/255.255.255.0
</Files>

6) Deny Access to No Referrer Requests

Automated spam logins (and spam comments) typically arrive as POST requests with no referrer from your own site, or with an empty user agent. They can be blocked by adding the following block to the ‘.htaccess’ file, replacing example.com with your own domain.

# Stop spam attack logins and comments
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} (wp-comments-post|wp-login)\.php
    # replace example.com with your own domain
    RewriteCond %{HTTP_REFERER} !.*example\.com.* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule (.*) http://%{REMOTE_ADDR}/$1 [R=301,L]
</IfModule>

7) Blocklists

Studies show that most brute force attacks come from hosts in Russia, Kazakhstan, and Ukraine, so one option is to block IP addresses that originate from these countries. You can download blocklists from the internet and load the block rules into iptables with a shell script. Blocking an entire country’s IP range is not an option if your website has a global audience; in that case, add the IP addresses of well-known spammers to iptables instead. This table needs to be updated regularly.
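An added example (not from the original post) of the shell scripting mentioned above: it validates every entry of a downloaded blocklist before turning it into an iptables DROP rule, so a corrupted or tampered list cannot inject arbitrary rule text. The chain name WP_BLOCKLIST, the ports 80/443 and the sample list are assumptions.

```shell
#!/bin/sh
# Load a downloaded blocklist into a dedicated iptables chain. Assumes one
# IPv4 address or CIDR per line ("#" comments and blank lines allowed).

CHAIN=WP_BLOCKLIST   # assumed chain name; any unused name works

# valid_entry ENTRY: accept only a dotted quad with an optional /0-32 prefix.
# Anything else (hostnames, shell metacharacters) is rejected before it can
# reach the iptables command line. Octet ranges are not checked (999.x passes).
valid_entry() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# build_rules LISTFILE: print the iptables commands that would be run, skipping
# comments, blank lines and malformed entries (reported on stderr, not applied).
build_rules() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        if valid_entry "$entry"; then
            printf 'iptables -A %s -s %s -j DROP\n' "$CHAIN" "$entry"
        else
            printf 'skipping malformed entry: %s\n' "$entry" >&2
        fi
    done
}

# apply_rules LISTFILE: create or flush the chain, hook it into INPUT for web
# traffic exactly once, then run the generated rules. Needs root; the demo
# below only prints the rules and never calls this.
apply_rules() {
    iptables -N "$CHAIN" 2>/dev/null || iptables -F "$CHAIN"
    iptables -C INPUT -p tcp -m multiport --dports 80,443 -j "$CHAIN" 2>/dev/null \
        || iptables -I INPUT -p tcp -m multiport --dports 80,443 -j "$CHAIN"
    build_rules "$1" | sh
}

# Stand-alone demo on a constructed blocklist: print the rules, do not apply them.
LIST=$(mktemp)
cat > "$LIST" <<'EOF'
# constructed sample blocklist
198.51.100.0/24
203.0.113.77   # trailing comment
not-an-address
EOF
build_rules "$LIST"
rm -f "$LIST"
```

Re-running apply_rules with a fresh list replaces the chain's contents, which is how the "update regularly" step can be put on a cron schedule.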

8) Cloud/Proxy Services

Some services like Cloudflare and Sucuri CloudProxy can help to reduce these attacks by blocking the IPs before they reach the server.


Conclusion: There is no way to make your site 100% hack-proof, because new vulnerabilities are discovered every day and there is always a gap between a bug being fixed and the update being released. Use the tips given in this tutorial to protect your WordPress site from brute-force attacks. If you need our help, please ask in the comment section. Or, if your site is under attack, please contact our support department for quick help!
