Protect your WordPress from Brute Force Attacks

Recently, there was a worldwide, highly-distributed Brute Force Attack on WordPress sites.

Unlike hacks that focus on vulnerabilities in software, a Brute Force Attack aims at being the simplest kind of method to gain access to a site: it tries usernames and passwords, over and over again, until it gets in. Often deemed 'inelegant', they can be very successful when people use passwords like '123456' and usernames like 'admin'.
Due to the nature of these attacks, you may find your account's memory (because the number of http requests is so high) goes through the roof, causing performance problems.

Take the following measures to Protect your WordPress site:

1. Don't use the 'admin' username

2. Create secure passwords
Passwords should be at least eight characters containing lower-case letter, upper-case letter, number and special character ($, -, !).

3. Keep WordPress up to date
Keep your WordPress website secure by updating your install when updates become available. Updating ensures all of the latest patches and fixes are applied to your site.

4. Rename wp-login.php
You can use the following plugin: Rename wp-login.php

5. Plugins can be used to limit the number of login attempts made on your site, or block people from accessing wp-admin:

6. Deny Access to No Referrer Requests using .htaccess
Change to your domain. If you're using Multisite with mapped domains, you'll want to change to (|| and so on.

# Stop spam attack logins and comments
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login)\.php*
RewriteCond %{HTTP_REFERER} !.** [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]

  • 33 Users Found This Useful
Was this answer helpful?

Related Articles

What does File Permissions "chmod" mean?

To chmod a file means to set certain permissions.By default, all files uploaded to the server...

How can I prevent my site from being hacked?

Typically, most sites are hacked because of poor passwords, older and exploitable software, or...

Block Bad Bots and Spiders using .htaccess

Below is a useful code block for blocking a lot of the known bad bots and site rippers currently...

I cannot access my website, email and FTP / Unban IP from firewall

Summary: Your IP address may be blocked. Go to IPChicken on the affected device and send us the...

GET/POST Security with .htaccess

Below is a useful code to block out some common exploits for GET/POST values with .htaccessSimply...