WordPress brute-force attacks are a nuisance. Not only that, they are potentially dangerous, especially if one of your users is using a not-so-great password. The amount of damage that can be caused by a cracked WordPress admin password is a bit scary. Even if the scripts don’t guess a password, these attacks can get quite heavy, spanning thousands of IPs and causing a mass of server load that bogs down your website: every one of those login attempts requires PHP to execute and your database to be queried.
In the past we have done several things to circumvent these attempts. We have installed security plugins like Limit Login Attempts and BruteProtect, both great plugins in their own respects. I especially like BruteProtect’s crowd-sourced IP reputation blocking, which is great for distributed brute-force attacks. The only problem is that if the botnet switches to another subnet of IPs that hasn’t been blacklisted yet, it has free rein.
This leads to manually blocking access to wp-login.php with .htaccess rules: effective, but not efficient. And if you do a deny from all during a nasty distributed attack and forget to turn it off, you end up getting a confused phone call from a client wondering why they cannot log into their site. Even white-listing certain IPs doesn’t work well, especially if you need to access the site admin from a different location than your home or office.
That is why we developed and released Project Force Field. We wanted a way to protect WordPress sites and also reduce the server load caused by larger attacks. We noticed that the majority of scripted attacks target wp-login.php directly, sending thousands of POST requests to the server. So blocking direct access to wp-login.php and rewriting the name of the file when WordPress accesses it through wp-admin eliminates that attack vector. If someone attacking the site is able to determine the new ‘location’ of the login page, the plugin will detect that it is being brute-force attacked and change the name of the file again, making it fairly difficult for an attacker to launch a scripted attack against the site.
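As an added example (not Project Force Field's own code; the plugin's detection logic and thresholds are not described in this post), the Python script below shows the kind of check behind "detect that it is being brute-force attacked": it reads Apache access-log lines and flags both a single IP hammering wp-login.php and the distributed case from the earlier paragraphs, where many IPs each send only a few POSTs. The thresholds, window size and sample log lines are constructed for illustration.

```python
"""Detect wp-login.php POST floods in Apache access logs: single-IP brute force
(many POSTs from one address) and distributed attacks (few POSTs per IP, but
many IPs in one window). Thresholds are illustrative, not Project Force Field's."""
import re
from collections import Counter
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one combined-format log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"].split("?", 1)[0],
            "status": int(m["status"])}

def detect_login_flood(lines, window=timedelta(seconds=60), per_ip_limit=10,
                       total_limit=50, distinct_ip_limit=20):
    """Return offending IPs and whether a distributed flood was seen."""
    events = [e for e in map(parse_line, lines)
              if e and e["method"] == "POST" and e["path"].endswith("/wp-login.php")]
    events.sort(key=lambda e: e["ts"])
    offenders, distributed, start = set(), False, 0
    for end, e in enumerate(events):
        # advance `start` so events[start:end+1] all lie within `window` of e
        while e["ts"] - events[start]["ts"] > window:
            start += 1
        per_ip = Counter(x["ip"] for x in events[start:end + 1])
        offenders.update(ip for ip, n in per_ip.items() if n >= per_ip_limit)
        if sum(per_ip.values()) >= total_limit and len(per_ip) >= distinct_ip_limit:
            distributed = True  # many IPs, each below the per-IP limit
    return {"offending_ips": sorted(offenders), "distributed": distributed}

def make_line(ip, second, method="POST", path="/wp-login.php", status=200):
    """Build a constructed combined-format log line (sample data, not real traffic)."""
    return (f'{ip} - - [01/Jun/2014:12:00:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')

# Constructed sample: one loud IP (12 POSTs) plus 30 IPs sending 2 POSTs each.
SAMPLE_LOG = ([make_line("203.0.113.7", s) for s in range(12)]
              + [make_line(f"198.51.100.{i}", i) for i in range(1, 31)] * 2
              + [make_line("192.0.2.9", 30, method="GET")])  # ordinary page view

if __name__ == "__main__":
    print(detect_login_flood(SAMPLE_LOG))
```

The per-IP check alone would miss the 30 quiet addresses, which is exactly the gap a subnet-hopping botnet exploits; the aggregate check catches the flood as a whole.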
Here is the result of some early testing we did of the plugin blocking an attempted brute-force attack.
If you are hosted with us and part of our ManageWP program, you most likely already have this plugin installed on your site; if not, you can grab a copy of Project Force Field here. If you are running your website on an Apache server, this plugin will not only protect your WordPress login but also reduce server load. Definitely worth adding to your arsenal!