Recently, there was a worldwide, highly-distributed Brute Force Attack on WordPress sites.
Unlike hacks that focus on vulnerabilities in software, a Brute Force Attack aims at being the simplest kind of method to gain access to a site: it tries usernames and passwords, over and over again, until it gets in. Often deemed 'inelegant', they can be very successful when people use passwords like '123456' and usernames like 'admin'.
Due to the nature of these attacks, you may find your account's memory (because the number of http requests is so high) goes through the roof, causing performance problems.
Take the following measures to Protect your WordPress site:
1. Don't use the 'admin' username
2. Create secure passwords
Passwords should be at least eight characters containing lower-case letter, upper-case letter, number and special character ($, -, !).
3. Keep WordPress up to date
Keep your WordPress website secure by updating your install when updates become available. Updating ensures all of the latest patches and fixes are applied to your site.
4. Rename wp-login.php
You can use the following plugin: Rename wp-login.php
5. Plugins can be used to limit the number of login attempts made on your site, or block people from accessing wp-admin:
- BruteProtect
- Limit Login Attempts
- Lockdown WP Admin
- WP Fail2Ban
- Admin Renamed Extended
- Enforce Strong Password
- Wordfence Security
- 3WP Activity Monitor
- All in one WP Security
6. Deny Access to No Referrer Requests using .htaccess
Change example.com to your domain. If you're using Multisite with mapped domains, you'll want to change example.com to (example.com|example.net|example4.com) and so on.
# Stop spam attack logins and comments
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login)\.php*
RewriteCond %{HTTP_REFERER} !.*example.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]
</ifModule>