WordPress Brute Force Attack

This how to article is in reference to WordPress, however, it can easily be adjusted for any php based authentication system.

Background:
If a bots are hitting your site to gain access to a user account, generally it is the “admin/administrator” account, your server could be at risk of crashing, slowing down, or exposed to unauthorized entry.

What is a bot? It’s a computer program running on infected internet servers and home computer users alike. Little service programs (robots) designed to work hard at generating user names and passwords directed at a login page. Once access is granted, the bot reports back to the owner with the site address and login credentials.

Even some WordPress users of your site’s blog can upload files to the server. If a hacker gets one of these passwords, they can upload their malware scripts. Bots can do this to. This is a very serious threat to your site’s performance and security alike.

Most of these bots are simple POST actions without GET requests. Normal users either click on the “login” link on your site, or go to the bookmark page, and even may just type your site in the browser. At that time, they enter the user name and password, then click “submit” or “log in”. That button action is the actual POST. But the GET came before the POST.

With that in mind, a very simple rule will protect your site from the most common brute force attacks hitting your WordPress login offering you a very solid amount of protection.

Add the follow section of code above the # BEGIN WordPress line in your WordPress document root directory.

# Make a backup of your .htaccess FIRST. Then test your site. If something isn’t working properly, you can restore your backup file.

RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?m3server\.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
#RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.124$
RewriteRule ^(.*)$ - [F]

In the example above, replace www.m3server.com with your site’s domain name. If your site redirects to the www version, use that. Some examples could be:
www.your_domain.com
your_domain.com
blog.your_domain.com

Note the line that is disabled (commented out with #). You can enter your IP in that location if it is static or otherwise doesn’t change often for extra protection. WordPress is more so used now for designing and building web sites and therefore are not actual blog systems with users authenticating.

The more sites you have on your server, the greater load your server is already under, the more important it is for you to use this simple protection.

Leave a Reply