Stop brute force attacks on WordPress installations

Today I want to explain how to stop brute force attacks on WordPress installations. The reason is that a huge botnet is currently trying to gain access to WordPress installations: it has been measured at more than 100,000 unique IPs and is probably already much bigger than it was in the beginning.

The problem is that a lot of different IPs try to guess the login credentials of WordPress installations, simply by cycling through usernames and passwords that are commonly used. Given the amount of time spent on this, it is a real risk for your site, especially if you use a password that is easy to guess, or still use the username 'admin'. The other problem is the load on the server: every guess is a full PHP request, and the resources this takes are actually quite large.

There are a lot of security plugins, but most of them do not work against this attack, because they only ban IPs that try multiple times within a short period of time; with a botnet this large, each IP only needs a few attempts. Other plugins, like Better WP Security, certainly increase the security of your site, but they are very resource intensive. A small example: a client of ours that was under attack had 31 PHP processes running, each taking 64 MB of memory (about 2 GB in total), and the plugin did not make any difference; it was just a waste of resources.

A good solution to stop, or at least greatly reduce, the number of attacks reaching your site is something as simple as HTTP Basic Authentication. It is quite easy to set up, but since we are going to protect a single file, I will show the examples below:

First, we need to create a file called .htpasswd. This file will be located outside our www or public_html folder, so that it can never be served to visitors.

So log in via FTP and go one directory up, so that you can see the www or public_html folder.
Now right-click, choose 'create new file', and call it .htpasswd (make sure there is a dot in front of the name).

Use an online htpasswd generator, or the htpasswd command-line tool that ships with Apache, to produce a username and password line in the right format, put it into the file and save it. Be aware that an online generator means handing the password to a third party; the command-line tool avoids that. Do not reuse your WordPress password here: the two layers should have different credentials.

Next, we go to the folder where WordPress is installed and open the file called .htaccess; it exists by default in every WordPress installation and is located in the root of the website. At the top or bottom of this file, outside the '# BEGIN WordPress' / '# END WordPress' block (WordPress rewrites that block itself when permalink settings change), put the following code:

ErrorDocument 401 default
<FilesMatch "^wp-login\.php$">
    AuthType Basic
    AuthName "protected area"
    AuthUserFile /PATH/TO/.htpasswd
    Require valid-user
</FilesMatch>

The only thing you need to change is the AuthUserFile line: replace /PATH/TO/.htpasswd with the real path to the .htpasswd file we created before (use an absolute path, for example /home/youruser/.htpasswd, where youruser is your hosting account name). The username does not appear in .htaccess at all; Apache reads the allowed users from the .htpasswd file.
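If you would rather not paste the password into an online generator, the following added Python example (not part of the original post) creates and checks .htpasswd entries offline in the $apr1$ format that Apache's htpasswd -m writes. The function names, the user 'wpgate' and the sample file contents are my own assumptions for the illustration; the algorithm itself is Apache's MD5-based scheme.

```python
"""Create and verify Apache .htpasswd entries offline (added example).

Implements the $apr1$ scheme that `htpasswd -m` produces, so credentials
never have to be pasted into a third-party web generator.
Hypothetical names: htpasswd_entry, verify_htpasswd, the user 'wpgate'
and the constructed SAMPLE_HTPASSWD below.
"""
import hashlib
import hmac
import secrets
from typing import Optional

_APR1_MAGIC = b"$apr1$"
_ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_SALT_CHARS = _ITOA64.decode("ascii")


def _to64(value: int, count: int) -> bytes:
    """Apache's to64(): emit `count` characters, least significant 6 bits first."""
    out = bytearray()
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def apr1_crypt(password: str, salt: str) -> str:
    """Return '$apr1$<salt>$<hash>' exactly as Apache computes it."""
    pw = password.encode("utf-8")
    salt_b = salt[:8].encode("ascii")          # Apache uses at most 8 salt chars

    ctx = hashlib.md5(pw + _APR1_MAGIC + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    remaining = len(pw)
    while remaining > 0:                       # mix in the alternate digest once per 16 pw bytes
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bit = len(pw)
    while bit:                                 # one byte per bit of the password length
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()

    for i in range(1000):                      # fixed 1000-round stretching
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(salt_b)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    out = bytearray()                          # Apache's byte re-ordering before encoding
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return (_APR1_MAGIC + salt_b + b"$" + bytes(out)).decode("ascii")


def htpasswd_entry(user: str, password: str, salt: Optional[str] = None) -> str:
    """Build one 'user:$apr1$...' line; a random 8-char salt is drawn when none is given."""
    if ":" in user:
        raise ValueError("htpasswd user names cannot contain ':'")
    if salt is None:
        salt = "".join(secrets.choice(_SALT_CHARS) for _ in range(8))
    return f"{user}:{apr1_crypt(password, salt)}"


def verify_htpasswd(htpasswd_text: str, user: str, password: str) -> bool:
    """Check user/password against the text of an .htpasswd file.

    Only $apr1$ entries are understood; other schemes ({SHA}, bcrypt, crypt(3))
    are skipped, so an unknown scheme never accepts by accident.
    """
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, stored = line.split(":", 1)
        if name != user or not stored.startswith("$apr1$"):
            continue
        parts = stored.split("$")              # ['', 'apr1', salt, hash]
        if len(parts) != 4:
            continue
        candidate = apr1_crypt(password, parts[2])
        return hmac.compare_digest(candidate.encode(), stored.encode())
    return False


# Constructed sample file: first line is what htpasswd_entry() emits for 'wpgate'
# with a fixed salt; the second is a {SHA} entry this helper deliberately ignores.
SAMPLE_HTPASSWD = "\n".join([
    htpasswd_entry("wpgate", "correct horse battery staple", salt="Wj7kq2Pz"),
    "legacy:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",
])

if __name__ == "__main__":
    print(htpasswd_entry("wpgate", "correct horse battery staple"))
    print(verify_htpasswd(SAMPLE_HTPASSWD, "wpgate", "correct horse battery staple"))
```

Paste the printed line into the .htpasswd file; Apache compares against it the same way verify_htpasswd does. The comparison uses hmac.compare_digest so that checking a guess does not leak how much of the hash matched.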

What the code above does: first it sets the ErrorDocument for 401 (Unauthorized) to Apache's built-in page, so that the 401 response is not routed through WordPress's index.php rewrite rule. Then it matches the file wp-login.php and requires HTTP authentication for it. This means that when you try to log into wp-admin you are redirected to wp-login.php, the browser pops up an extra login prompt where you type the username and password from the .htpasswd file, and only after that do you get your normal WordPress login form.

The benefit of using HTTP authentication is, first of all, that it increases the security of your site, because you add an extra layer in front of your backend login form: the botnet is rejected by Apache with a 401 before it ever reaches the WordPress login form. It will still try, but it will not get far. Two caveats: Basic authentication only base64-encodes the credentials, so use it over HTTPS; and the same kind of password guessing can be aimed at xmlrpc.php, which this rule does not cover, so consider protecting or disabling that file as well.

Another benefit is that this costs almost nothing on the server: Apache answers the 401 itself without starting PHP or loading WordPress, so your host will not start complaining about CPU or memory usage just because your site is under attack.

If you need any help, please let me know.