Prevent WordPress brute force attacks

A brute force attack (often a dictionary attack, which tries a list of common passwords rather than every possible combination) is an attempt to guess a login password with automated software that floods your website with login requests every couple of seconds. Even while it fails it wastes your server's resources, and if the password is not strong enough the attacker will eventually compromise the website.

The quickest check is to look through the web server access log for requests to wp-login.php. Read the status code carefully: WordPress re-renders the login form with HTTP 200 when a login fails and answers a successful login with a 302 redirect to the admin area, so a stream of POSTs from one address that all return 200 is a brute force attempt in progress, and a 302 from an address you do not recognise means one of the guesses worked. In the Apache log a login attempt looks like this (a failed one; a successful one ends in 302 instead of 200):

"POST /wp-login.php HTTP/1.1" 200

If you are running Apache: log in to the server via SSH, change to the log directory (/var/log/httpd on Red Hat based systems, /var/log/apache2 on Debian and Ubuntu) and run:

grep wp-login.php access_log | grep -E -v 'HTTP/[0-9.]+" (200|204) '

This lists every request for wp-login.php that was not answered with 200 or 204: successful logins (302) and probes for copies of the login page that do not exist (404). Drop the -v to list the failed guesses instead.

Example result: the attacker's IP address probing for a copy of wp-login.php under a path that does not exist on this site, hence the 404:

115.159.126.184 - - [12/Apr/2020:04:30:49 +0000] "POST /wp-includes/modules/wp-login.php HTTP/1.1" 404 230 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36"
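The one-liner above answers a single question. The script below is an added example (not code from the original page) that triages the same access log with awk and separates the cases that matter: repeated failed guesses per address, addresses that logged in successfully, and the highest-priority case of an address that failed several times and then succeeded. It also lists the 404 probes the sample line above shows. The log lines inside it are constructed sample data using documentation IP ranges and shortened user agents; pass a real access_log path as the first argument to run it against your own log.

```shell
#!/bin/sh
# Added example, not code from the original page: triage wp-login.php traffic in an
# Apache combined-format access log with awk. The status code is what matters:
# WordPress re-renders the login form with HTTP 200 on a FAILED login and answers a
# SUCCESSFUL login with a 302 redirect to the admin area.
# The log lines below are constructed sample data (documentation IP ranges, shortened
# user agents), not a real capture.
SAMPLE_LOG='203.0.113.10 - - [12/Apr/2020:04:30:49 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2020:04:30:51 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2020:04:30:53 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2020:04:30:55 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2020:04:31:02 +0000] "POST /wp-includes/modules/wp-login.php HTTP/1.1" 404 230 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2020:09:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2020:09:00:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Read the log from the file named in $1, or the constructed sample when no file is given.
log_source() {
    if [ -n "$1" ]; then cat -- "$1"; else printf '%s\n' "$SAMPLE_LOG"; fi
}

# Failed login attempts (POST to wp-login.php answered with 200) per client IP, busiest
# first. Combined-format fields: $1 client IP, $6 "METHOD, $7 path, $9 status.
# Output: "<count> <ip>" per line.
failed_logins_per_ip() {
    log_source "$1" |
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Addresses whose POST to wp-login.php was answered with 302: they logged in successfully.
successful_logins() {
    log_source "$1" |
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "302" { print $1 }' | sort -u
}

# Requests for wp-login.php under a path that does not exist (404): scanners probing for
# the login page, the pattern the article's own log sample shows.
login_probes() {
    log_source "$1" |
    awk '$7 ~ /wp-login\.php/ && $9 == "404" { print $1, $7 }' | sort -u
}

# Highest-priority finding: an address that failed at least $2 times (default 2) and then
# succeeded. That is the signature of a guess that eventually worked.
compromised_candidates() {
    min="${2:-2}"
    for ip in $(successful_logins "$1"); do
        n=$(failed_logins_per_ip "$1" | awk -v ip="$ip" '$2 == ip { print $1 }')
        if [ "${n:-0}" -ge "$min" ]; then echo "$ip"; fi
    done
}

report() {
    echo "Failed login attempts per IP:";         failed_logins_per_ip "$1"
    echo "Successful logins:";                    successful_logins "$1"
    echo "Login page probes (404):";              login_probes "$1"
    echo "Failed-then-succeeded (investigate!):"; compromised_candidates "$1"
}

# Stand-alone run: against the sample, or against the access log given as $1.
report "$1"
```

On the sample, 203.0.113.10 shows up as three failures followed by a success and is the address to investigate (check the admin user list and recent changes); 192.0.2.44 logged in first time with a referer from the login page, which is what a legitimate user looks like; 198.51.100.7 is only scanning for the login page.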

A CDN or cloud web application firewall in front of the site can filter or rate-limit brute force traffic before it reaches your server, which takes the strain off your own resources. You route traffic through the provider by pointing your domain's DNS at them; the filtering itself happens at the HTTP level on their proxy, not in DNS. Two such services:

  • Sucuri CloudProxy
  • CloudFlare

If you do not want to use their name servers for your domain, both offer a WordPress plugin. Keep in mind that a proxy only sees the traffic that passes through it: an attacker who knows the server's own IP address can still reach wp-login.php directly, so the server-side measures below still apply.

Do not call the administrator account admin: give it a non-generic name such as daisy so that guesses against the default user name fail, and use a strong password that is not in any word list. Bear in mind that WordPress reveals user names in several places (author archive URLs such as /?author=1, and the REST API endpoint /wp-json/wp/v2/users), so an unusual user name slows an attacker down but is not a secret; the password is what has to hold.

Create an .htaccess file that allows access to the login page (and, if you want, the whole admin area) only from whitelisted IP addresses. Apache evaluates the rule itself and answers everyone else with 403 before PHP is started, so a rejected guess costs the server far less than letting wp-login.php process it; the cost of reading .htaccess on each request is one Apache already pays wherever AllowOverride is enabled. The real downside is locking yourself out when your own address changes (home connections, travelling), so keep the list short and the file easy to edit over SSH.
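The fragment such a file needs is short, and a typo in it is worse than a brute force attack, because an invalid address in a Require directive makes Apache answer every request under that directory with a 500. The script below is an added example (not code from the original page) that generates the fragment for any file name, so the same function can protect wp-login.php and, for instance, xmlrpc.php, which also accepts credentials; it refuses entries that are not shaped like an IP address or CIDR prefix. The addresses in the usage line are documentation ranges chosen for the example, and the is_addr check is a loose sanity check, not a full address validator.

```shell
#!/bin/sh
# Added example, not code from the original page: emit an .htaccess fragment that lets
# only allow-listed addresses reach a file (Apache 2.4 "Require ip" syntax). Apache
# evaluates the match itself and answers everyone else with 403 before PHP starts, so a
# rejected guess costs far less than letting wp-login.php process it.
# The addresses in the usage comment are documentation ranges chosen for the example.

# Loose sanity check for an IPv4/IPv6 address or CIDR prefix (not a full validator).
# A malformed value in Require ip is a configuration error that breaks every request
# under that directory with a 500, so reject obviously broken entries up front.
is_addr() {
    printf '%s\n' "$1" | grep -Eq \
        '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$|^[0-9A-Fa-f]*:[0-9A-Fa-f:]*(/[0-9]{1,3})?$'
}

# Usage: gen_htaccess_allowlist FILE ADDR [ADDR ...]
# e.g.   gen_htaccess_allowlist wp-login.php 203.0.113.5 2001:db8::/32 >> /var/www/html/.htaccess
# Append (>>) rather than overwrite: WordPress keeps its permalink rewrite rules in the
# same .htaccess. Several Require ip lines inside one <Files> are OR-ed (an implicit
# <RequireAny>); a client matching none of them gets 403.
gen_htaccess_allowlist() {
    file="$1"; shift
    [ "$#" -gt 0 ] || { echo "gen_htaccess_allowlist: need at least one address" >&2; return 1; }
    for addr in "$@"; do
        is_addr "$addr" || { echo "gen_htaccess_allowlist: not an address or prefix: $addr" >&2; return 1; }
    done
    printf '<Files "%s">\n' "$file"
    for addr in "$@"; do
        printf '    Require ip %s\n' "$addr"
    done
    printf '</Files>\n'
}

# Stand-alone run: print the fragment for the example addresses.
gen_htaccess_allowlist wp-login.php 203.0.113.5 2001:db8::/32
```

If the site sits behind a CDN or proxy, Apache sees the proxy's address as the client, and Require ip would then match the proxy rather than you; in that setup mod_remoteip has to be configured to restore the real client address before this rule is useful.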

Login-limiting plugins are the last resort on this list for a reason: they run as PHP on every request to the login page, so they add load to the very server you are trying to protect, and they can malfunction during upgrades.




  • Last modified: 2021/05/06 00:41
  • by megatea