How do I prevent brute-force attacks against my WordPress website?

A common attack against WordPress websites is to hammer the wp-login.php file with login attempts over and over (a brute-force attack) until the attacker guesses a valid password or the server runs out of resources. The steps below help protect your site from this attack.

  1. Always use a strong password and do not make your password public. Things to avoid when choosing a password:
    • Any permutation of your own real name, username, company name, or the name of your website
    • Any dictionary words, no matter the language
    • A short password (fewer than 12 characters)
    • Any numeric-only or alphabetic-only password (a mixture of both is good, using special characters in addition is best)
  2. You can use the Enforce Strong Password plugin to force all users to set strong passwords. It can be installed in either of the following ways:
    • Automatic installation:
      • Log in to your WordPress admin panel
      • Navigate to the Plugins menu and click on Add New.
      • In the search field type "Woo Commerce enforce strong password" and click Search Plugins.
      • Click Install Now.
    • Manual installation:
      • The manual installation method involves downloading the plugin and uploading it to your web server via your favorite FTP application
      • Download the plugin file to your computer and then unzip it
      • Using an FTP program, or your hosting control panel, upload the unzipped plugin folder to your WordPress installation's wp-content/plugins/ directory
      • Activate the plugin from the Plugins menu within the WordPress admin
  3. Limit Access to wp-admin by IP
    • If you are the only person who needs to log in to your admin area and you have a static IP address, you can deny access to wp-admin to everyone except yourself via an .htaccess file.
    • Create a file called .htaccess in a plain text editor, add the lines shown below, and upload it into the wp-admin folder. This blocks access to the wp-admin folder from every address except your own:

      order deny,allow
      allow from x.x.x.x
      deny from all
    • x.x.x.x is your own public IP address, which you can find using http://whatismyip.com
    • Your public IP address may change if your ISP assigns dynamic IP addresses; if it does, you will lock yourself out until you update this file with the new address
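The order/allow/deny directives above are Apache 2.2 syntax; on Apache 2.4 they only work through the mod_access_compat module, and the native form is Require. The following is an added example, not part of the original article, that expresses the same allow-list in 2.4 syntax. It also covers two points step 3 leaves out: wp-login.php, the file the attack actually targets, sits in the WordPress root rather than in wp-admin, so a wp-admin/.htaccess does not protect it; and admin-ajax.php inside wp-admin is called by the public front end of many themes and plugins, so blocking it for ordinary visitors breaks those features. The addresses 203.0.113.10 and 198.51.100.0/24 are constructed placeholders from the documentation ranges; replace them with your own public IP address or addresses.

```apache
# ---- wp-admin/.htaccess (Apache 2.4 syntax) ----
# Added example, not from the original article. Only the listed addresses
# may reach the admin area; the CIDRs are constructed placeholders.
<RequireAny>
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
</RequireAny>

# admin-ajax.php is requested by the front end of many themes and plugins
# on behalf of anonymous visitors, so it is re-opened for everyone.
# (With the default AuthMerging Off, the Require inside <Files> replaces
# the directory-level allow-list for this one file.)
<Files admin-ajax.php>
    Require all granted
</Files>

# ---- .htaccess in the WordPress root ----
# wp-login.php lives in the site root, not in wp-admin, so the rule above
# does not cover it. The same allow-list applied to the login page only;
# the rest of the site stays public.
<Files wp-login.php>
    <RequireAny>
        Require ip 203.0.113.10
        Require ip 198.51.100.0/24
    </RequireAny>
</Files>
```

Check which Apache version your host runs before choosing a form: mixing Order/Allow/Deny with Require in the same section on 2.4 produces confusing results, and a typo in either file locks you out of the admin area, so test from a second network or connection after uploading.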
  4. Deny Access to No Referrer Requests
    • Whenever a reader comments, the wp-comments-post.php file is requested from the page containing the post they commented on, and the comment is created. The reader's browser sends a "referer" header identifying that page.
    • When a spam-bot comes in, it hits the file directly and usually does not send a referer. This allows for some nifty detection and action directly on the server. Even if you are not familiar with Apache directives, you can simply add the following to the .htaccess file in your web root:

      RewriteEngine On
      # Only POST requests for the comment handler are examined
      RewriteCond %{REQUEST_METHOD} POST
      RewriteCond %{REQUEST_URI} /wp-comments-post\.php$ [NC]
      # Fire when the referer is missing or not from your own site (with or without www) ...
      RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain.com/ [NC,OR]
      # ... or when the user agent is empty
      RewriteCond %{HTTP_USER_AGENT} ^$
      # Redirect the request back to the client's own address
      RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]
    • This will:
      • Detect when a POST is being made
      • Check that the request is for wp-comments-post.php
      • Check whether the referrer is missing or comes from outside your domain, or whether the user agent is empty
      • Send the spam-bot BACK to its originating server's IP address.
      • NOTE 1: In the 4th line, change yourdomain.com to your own domain name, without the www or any other prefix.
      • NOTE 2: There is a slim chance that someone's browser will not send the referral, but this is extremely rare.
  5. Install the All In One WP Security plugin.
  6. If the issue still persists, setting up CloudFlare or Sucuri Cloud Proxy can also help mitigate these attacks by blocking the attacking IPs before they reach your server. You can easily enable CloudFlare for your website as explained below.

    1. Login to cPanel
    2. Click on the CloudFlare icon under the section "Software/Services"
    3. Click on the Grey "Cloud" button to enable CloudFlare
    4. The "Cloud" button now changes from grey to orange
    5. Click the [Edit] button on the left side and now you can see more options to configure CloudFlare.
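One interaction between steps 3, 4 and 6 is worth knowing about. Once traffic is proxied through CloudFlare, Apache's REMOTE_ADDR holds the address of CloudFlare's edge server, not the visitor's, so the IP allow-list from step 3 would lock you out and the %{REMOTE_ADDR} redirect from step 4 would point at CloudFlare. CloudFlare passes the real visitor address in the CF-Connecting-IP request header, and Apache 2.4's mod_remoteip can restore it. The following is an added example, not part of the original article, of that server-level configuration; these directives belong in the virtual-host or main server config (they are not accepted in .htaccess), so on shared cPanel hosting the host has to apply them. The CIDR ranges shown are placeholders: use the current list of edge ranges that CloudFlare publishes, because trusting the header from any other source would let a client spoof its address.

```apache
# Virtual-host or main server configuration (Apache 2.4).
# Added example, not from the original article. The module path varies by
# distribution; many packaged builds already load mod_remoteip.
LoadModule remoteip_module modules/mod_remoteip.so

# CloudFlare sends the visitor's real address in this header.
RemoteIPHeader CF-Connecting-IP

# Honour the header only when the connection comes from CloudFlare's own
# edge ranges. PLACEHOLDER CIDRs: replace with CloudFlare's published list.
RemoteIPTrustedProxy 192.0.2.0/24
RemoteIPTrustedProxy 198.51.100.0/24

# %a is now the restored client address (%{c}a would still be the proxy),
# so access logs and any IP-based rules see the visitor, not CloudFlare.
LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
```

After enabling this, the Require ip or allow from rules from step 3 match the visitor's address again, and the access log shows which addresses are hammering wp-login.php, which is what you need when asking CloudFlare or your host to block them.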