How to Prevent Brute Force Attacks on Your WordPress Install

Unlike hacks that target vulnerabilities in software, a Brute Force Attack is the simplest method of gaining access to a site: it tries usernames and passwords, over and over again, until it gets in. Often deemed 'inelegant', it can be very successful when people use passwords like '123456' and usernames like 'admin'.

Brute Force Login attacks on WordPress sites are very common, and there are ways to mitigate the problem. Please implement the changes and plugins described below to help protect your website against these types of attacks.

Step 1: Edit .htaccess File

The most common attack method is to post directly to the wp-login.php file. Adding the following code to your main .htaccess file will block POST requests to the login and comment handlers that do not come from your own site (no matching Referer) or that send no User-Agent at all. Make sure you replace example.com in the code with your own domain name.

# Stop spam attack logins and comments
<IfModule mod_rewrite.c>
RewriteEngine On
# Only POST requests to the login and comment handlers are affected
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /(wp-comments-post|wp-login)\.php$
# ...and only when the Referer is not your own site (replace example.com) [OR] the User-Agent is empty
RewriteCond %{HTTP_REFERER} !example\.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# Matching requests are redirected back to the client's own address and never reach WordPress
RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]
</IfModule>


Step 2: Install SI CAPTCHA Anti-Spam Plugin

The SI CAPTCHA Anti-Spam plugin adds a CAPTCHA to your registration and login forms to block automated bot submissions. After downloading and installing the plugin:
  1. Once installed, click on Plugins -> SI Captcha Options
  2. Check the box beside "Enable CAPTCHA on the login form" and click Update Options

Step 3: Install Wordfence Security Plugin

The Wordfence Security plugin is a firewall for your WordPress install. It blocks IP addresses when they try to break into your site or flood it with requests. It also scans your site files to watch for malicious files or changes to the WordPress core files.
  1. Once installed click on Wordfence in the side menu and choose Options
  2. Complete the Basic Options by entering the email address that should receive alerts, and choose "Use PHP's built in REMOTE_ADDR ..." for the "How does Wordfence get IPs" question
  3. Click Save Changes
  4. Under Advanced Options, you can choose what notices are sent to you as you wish. We recommend setting the following Login Security Options:
    1. Lock out after how many login failures - 3
    2. Lock out after how many forgot password attempts - 3
    3. Count failures over what time period - 5 minutes
    4. Amount of time a user is locked out - 5 Days
    5. Immediately lock out invalid usernames - Checked
    6. Don't let WordPress reveal valid users in login errors - Checked
  5. Click Save Changes
For several more options and security enhancements, please see the Brute Force Attacks page on the WordPress site.
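To see what the Step 3 lockout settings mean in practice, here is an added Python example (not part of this article or of Wordfence) that applies the same policy, 3 failed logins within 5 minutes, to constructed Apache access-log lines. It assumes the log is in Apache's combined format and in time order, and treats a POST to wp-login.php answered with HTTP 200 as a failed login, since WordPress re-renders the login page on failure and redirects (302) on success.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" format: IP, timestamp, request line, status, bytes, referer, user agent
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

MAX_FAILURES = 3                # "Lock out after how many login failures - 3"
WINDOW = timedelta(minutes=5)   # "Count failures over what time period - 5 minutes"

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def is_failed_login(rec):
    # A failed login POST is answered with the login page again (200); success is a 302 to wp-admin
    return rec["method"] == "POST" and rec["path"].split("?")[0] == "/wp-login.php" and rec["status"] == 200

def find_lockouts(lines, max_failures=MAX_FAILURES, window=WINDOW):
    """Return {ip: timestamp of the failure that crossed the threshold}; lines must be in time order."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    lockouts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_login(rec) or rec["ip"] in lockouts:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:   # forget failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            lockouts[rec["ip"]] = rec["ts"]
    return lockouts

# Constructed sample: one client fails three times in seconds; another fails twice 7 minutes apart, then logs in
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:50:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "https://example.com/wp-login.php" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:57:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "https://example.com/wp-login.php" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:58:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"',
]
```

Running find_lockouts(SAMPLE_LOG) flags only 203.0.113.5; the second client's two failures fall outside the 5-minute window, which is exactly why Wordfence counts failures over a time period rather than forever.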