We recently suffered a brute force login attack on one of my servers which was causing some sites to be unreachable and the server load was sky-high. After installing a logging script on the server we found out that the problem was caused on one installation of WordPress – hackers were using a script to try and guess the password of the admin account. After identifying the problem we were able to prevent this from continuing but not after some downtime to various websites resulting in a loss of income for my company.
In this post I’m going to talk you through a few methods to prevent this so the same doesn’t happen to you.
CHANGE ADMIN USERNAME
This is mentioned all the time, but it really is an important step – don’t use “admin” as your admin username, pick something unique for each site. This was the cause of the problem with my site, I had the admin username as admin so this was the main reason for the attack. Because the hacker knows the username is admin, they are half-way to getting the login details and can use a brute-force script to try many different passwords in combination with the username. If the username is something they don’t know, this type of attack is not really possible.
If you are using PHP hosting which most WordPress installations will do, you can use a .htpassword file and .htaccess to prevent anyone even loading your wp-login.php file unless they know the username and password to do so – this provides an extra layer of security as there is now two lots of username and passwords to access your WordPress admin area. This is fairly simple to setup, you will need to know the server path to your website which will be something like: home/website
First you need to generate a htpasswd, you can do that on this site. Enter a username, click “Generate Password” and then click “Generate htpassword content” and save the text from the right hand box as a file named .htpasswd ( with no extension ) and upload this to your hosting, outside the public_html directory.
Change “~/.htpasswd” to the location of your .htpasswd file and change “mysecretuser” to the username you chose when creating the htpasswd file.
LIMIT ACCESS TO YOUR ADMIN AREA BY IP ADDRESS
If you are the only person who needs access to your WordPress admin area and you have a static IP address, you can limit access to yourself only by adding a rule in an .htaccess file within your wp-admin directory. The code to use is :
# Block access to wp-admin. order deny,allow allow from x.x.x.x deny from all
Just change x.x.x.x for your actual IP address, which you can find out here.
There are a number of plugins you can use which will further enhance your login security, as follows.
from : http://wplift.com/prevent-bruteforce-login-attacks-wordpress
This Demo Content Brought to you by Momizat Team
this is tags and keywords : wordpress themes momizat Tutorial wordpress templates