How do I prevent brute-force attacks against WordPress on VPS hosting?


A common attack vector on WordPress websites is to access (hammer/bruteforce) the wp-login.php file over and over until the attackers get in or the server dies. You can follow the steps below to help protect yourself from this attack.

  1. Always use a strong password and do not make your password public. Things to avoid when choosing a password:
    • Any permutation of your own real name, username, company name, or the name of your website
    • Any dictionary words, no matter the language
    • A short password (less than 12 characters)
    • Any numeric-only or alphabetic-only password (a mixture of both is good, using special characters in addition is best)

  2. You can use the enforce strong password plugin to force users to set strong passwords. It can be installed using the following steps:
    • Automatic installation:
      • Log in to your WordPress admin panel
      • Navigate to the Plugins menu and click on Add New.
      • In the search field type "WooCommerce enforce strong password" and click Search Plugins.
      • Click Install Now.

    • Manual installation:
      • The manual installation method involves downloading the plugin and uploading it to your web server via your favorite FTP application
      • Download the plugin file to your computer and then unzip it
      • Using an FTP program, or your hosting control panel, upload the unzipped plugin folder to your WordPress installation's wp-content/plugins/ directory
      • Activate the plugin from the Plugins menu within the WordPress admin

  3. Limit Access to wp-admin by IP
    • If you are the only person who needs to log in to your Admin area and you have a static IP address, you can deny wp-admin access to everyone except yourself via the .htaccess file.
    • Create a file called .htaccess in a plain text editor and add the code shown below to it. This will block access to the wp-admin folder:

      order deny,allow
      allow from x.x.x.x
      deny from all

    • x.x.x.x is your own public IP address which you can get using
    • Your public IP address may change if your ISP uses dynamic IP addresses

  4. Deny Access to No Referrer Requests
    • Whenever your readers comment, the wp-comments-post.php file is accessed from the page containing the post they commented on, and the comment gets created. The user's browser will send a "referral" line (the HTTP Referer header) about this.

    • When a spam-bot comes in, it hits the file directly and usually does not leave a referrer. This allows for some nifty detection and action directly from the server. If you are not familiar with the Apache directives, then write the following in your root directory .htaccess file:

      RewriteEngine On
      RewriteCond %{REQUEST_METHOD} POST
      RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
      RewriteCond %{HTTP_REFERER} !.*yourdomain\.com.* [OR]
      RewriteCond %{HTTP_USER_AGENT} ^$
      RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]

    • This will:
      • Detect when a POST is being made
      • Check to see if the post is on wp-comments-post.php
      • Check whether the referrer is outside your domain or missing, or whether the user agent is empty
      • Send the spam-bot BACK to its originating server's IP address.

      • NOTE 1: In the 4th line, change the placeholder yourdomain.com to your own domain, without the www or any prefix for that matter.
      • NOTE 2: There is a slim chance that someone's browser will not send the referral, but this is extremely rare.

  5. Install the all in one WP Security plugin.
    Please see the plugin's website for more details

  6. Install mod security on the server and add the below code to the configuration file

    <IfModule mod_security2.c>

    # This has to be global, cannot exist within a directory or location clause . . .
    # ModSecurity 2.7 and later require a unique id on every rule. The id values
    # used here are placeholders from the range reserved for local rules.

    SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:10001
    <Location /wp-login.php>

    # Setup brute force detection.
    # React if block flag has been set.

    SecRule user:bf_block "@gt 0" "deny,status:401,log,id:10002,msg:'ip address blocked for 5 minutes, more than 15 login attempts in 3 minutes.'"

    # A successful login is answered with a 302 redirect: reset the counter.
    SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:10003"

    # A 200 response means the login form was served again: count a failed attempt.
    SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:10004"

    SecRule ip:bf_counter "@gt 15" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"

    </Location>
    </IfModule>

    If you're using ModSecurity 2.7.3, you can add the rules into your .htaccess file instead.

  7. If the issue still persists, sign up for CloudFlare which can also help mitigate these attacks by blocking the IPs before they reach your server.
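
To see whether a site is already being hammered, the thresholds from the ModSecurity rule in step 6 (more than 15 failed logins in 3 minutes, with a 302 treated as a successful login) can be applied to an Apache access log. The script below is an added example, not part of the original article. It assumes the Apache "combined" log format, counts only POST requests, and uses a sliding 180-second window instead of ModSecurity's `deprecatevar` decay; the function names and sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" log format: client IP, timestamp, request line, status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
WINDOW = timedelta(seconds=180)  # "3 minutes" in the rule's message
THRESHOLD = 15                   # "@gt 15" in the rule


def find_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Map each offending IP to the time its failures first exceeded threshold."""
    recent = defaultdict(deque)  # ip -> failed-login timestamps inside window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        if m["status"] == "302":    # successful login: reset, like bf_counter=0
            q.clear()
        elif m["status"] == "200":  # login form served again: a failed attempt
            q.append(ts)
            while ts - q[0] > window:  # forget failures older than the window
                q.popleft()
            if len(q) > threshold:
                flagged.setdefault(m["ip"], ts)
    return flagged


def sample_lines():
    """Constructed log lines: a hammering client, a slow one, a normal login."""
    fmt = ('{ip} - - [10/Mar/2016:10:{m:02d}:{s:02d} +0000] '
           '"POST /wp-login.php HTTP/1.1" {st} 3120 "-" "-"')
    fast = [fmt.format(ip="203.0.113.7", m=i * 5 // 60, s=i * 5 % 60, st=200)
            for i in range(20)]            # one attempt every 5 seconds
    slow = [fmt.format(ip="198.51.100.9", m=i, s=0, st=200) for i in range(20)]
    user = [fmt.format(ip="192.0.2.44", m=2, s=s, st=st)
            for s, st in ((1, 200), (9, 302))]  # one typo, then success
    return fast + slow + user

if __name__ == "__main__":
    for ip, when in find_bruteforce(sample_lines()).items():
        print(f"{ip} exceeded {THRESHOLD} failed logins in 3 min at {when}")
```

On a real server, pass the open access log file to `find_bruteforce` in place of the sample lines; the client that fails once per minute stays under the threshold, which shows what this rate limit does not catch.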