Protect your WordPress from Brute Force Attacks

Recently, there was a worldwide, highly-distributed Brute Force Attack on WordPress sites.

Unlike hacks that focus on vulnerabilities in software, a Brute Force Attack is the simplest method of gaining access to a site: it tries usernames and passwords, over and over again, until it gets in. Often deemed 'inelegant', these attacks can be very successful when people use passwords like '123456' and usernames like 'admin'.
Because these attacks generate so many HTTP requests, your account's memory usage may go through the roof, causing performance problems.

Take the following measures to protect your WordPress site:

1. Don't use the 'admin' username

2. Create secure passwords
Passwords should be at least eight characters long and contain a lower-case letter, an upper-case letter, a number and a special character ($, -, !).

3. Keep WordPress up to date
Keep your WordPress website secure by updating your install when updates become available. Updating ensures all of the latest patches and fixes are applied to your site.

4. Rename wp-login.php
You can use the following plugin: Rename wp-login.php

5. Plugins can be used to limit the number of login attempts made on your site, or block people from accessing wp-admin:

6. Deny Access to No Referrer Requests using .htaccess
Change example\.com to your domain, keeping the backslash before each dot. If you're using Multisite with mapped domains, you'll want to change example\.com to (example\.com|example\.net|example4\.com) and so on.

# Stop spam attack logins and comments
<IfModule mod_rewrite.c>
RewriteEngine On
# Only POST requests to the login and comment scripts are checked
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /(wp-comments-post|wp-login)\.php
# Match when the Referer is not your own site, or the User-Agent is empty
RewriteCond %{HTTP_REFERER} !example\.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# Redirect the request back to the address it came from
RewriteRule (.*) http://%{REMOTE_ADDR}/$1 [R=301,L]
</IfModule>
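
A small Python model of the rule's conditions, added here as an example and not part of the original article, for checking a domain pattern (including a Multisite list) against sample requests before deploying it. The function names, the constructed sample requests and the anchored pattern variant are assumptions of this example.

```python
import re

# Mirrors the RewriteCond on REQUEST_URI: the two scripts the rule protects.
TARGET_URI = re.compile(r"/(wp-comments-post|wp-login)\.php")

def referer_pattern(domains, anchored=False):
    """Build the Referer regex for one domain or several (Multisite)."""
    alternation = "|".join(re.escape(d) for d in domains)
    if anchored:
        # Stricter variant (this example's assumption, not the article's rule):
        # the domain has to be the host part of the Referer URL.
        return re.compile(rf"^https?://(www\.)?({alternation})(:\d+)?(/|$)")
    # Same behaviour as the article's rule: the domain may appear anywhere.
    return re.compile(rf"({alternation})")

def is_blocked(method, uri, referer, user_agent, pattern):
    """True when the rule would redirect the request instead of serving it."""
    if method != "POST" or not TARGET_URI.search(uri):
        return False
    # [OR] groups the last two conditions: foreign Referer OR empty User-Agent.
    return pattern.search(referer) is None or user_agent == ""

# Constructed sample requests: label -> (method, uri, referer, user_agent).
# A header the client did not send is an empty string, as in mod_rewrite.
SAMPLES = {
    "browser login": ("POST", "/wp-login.php",
                      "https://example.com/wp-login.php", "Mozilla/5.0"),
    "no referer": ("POST", "/wp-login.php", "", "ExampleBot/1.0"),
    "empty user agent": ("POST", "/wp-comments-post.php",
                         "https://example.com/a-post/", ""),
    "GET login page": ("GET", "/wp-login.php", "", "Mozilla/5.0"),
    "POST elsewhere": ("POST", "/index.php", "", ""),
    "mapped domain": ("POST", "/wp-login.php",
                      "https://example.net/wp-login.php", "Mozilla/5.0"),
    "domain in query string": ("POST", "/wp-login.php",
                               "http://other.invalid/?ref=example.com", "Mozilla/5.0"),
}

def evaluate(domains, anchored=False):
    """Run every sample through the rule and return label -> blocked?"""
    pattern = referer_pattern(domains, anchored)
    return {label: is_blocked(*req, pattern) for label, req in SAMPLES.items()}

if __name__ == "__main__":
    for label, blocked in evaluate(["example.com"]).items():
        print(f"{label:24} {'blocked' if blocked else 'served'}")
```

The Referer header is set by the client, so this rule thins out simple bot traffic and works alongside measures 1 to 5 rather than replacing them.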
