Brute force attacks are a real problem for many WordPress websites. If you haven’t experienced one of these yet, count yourself lucky.
I was having issues on a client’s website last week and the problem turned out to be a brute force attack.
So, I thought I’d post some information on these brute force attacks and share a plugin I wrote to prevent them.
What is a brute force attack?
A brute force attack is when a hacker hits your WordPress login with a large number of login requests using different usernames & passwords. The point of the brute force attack from the hacker’s perspective is to try to guess a username & password combo to gain access to your website.
This is one of the many reasons why you should never use the name ‘admin’ for your admin user and make sure you create a strong password … because it’s one thing to be annoyed with a failed brute force attack and quite another for your site to be compromised by a successful brute force attack.
How do I know if I’m under attack?
Well it depends but what I’ve experienced has been a sudden drop in the responsiveness of a website (I’ve actually seen them become completely unresponsive due to the flood of login attempts — similar to a denial of service attack). Then when I check my apache access logs I see thousands of POST requests to my /wp-login.php script.
What can I do to prevent a brute force attack?
The most apparent way to prevent brute force attacks is to enable a second layer of authentication over your wp-admin … this is a great way to go but it can break some normal WordPress functionality (particularly the admin-ajax functionality that some plugins can rely on even on the front end of a website). This approach is solid (and should completely stop your brute force attacks) though and if you want to do this you can follow the steps in this excellent article from my buddies at Securi.
Because I didn’t want to break the functionality of my front end ajax, I opted to write a plugin that implements three ways to prevent these attacks. The plugin is named WP Login Protector and I put it up on GitHub for anyone to download (I’m sure I’ll get around to submitting it to the WP Repo soon) … here’s a rundown of the methods it uses to prevent these attacks:
- POST Cookie Protection — This will set a cookie when an initial, GET request is made on the site (which happens when a human logs in). If the Cookie is not present on the POST request then the login is blocked.This effectively blocks non-human robots from successfully issuing a POST request to WordPress’ login page.
- Block HTTP/1.0 POSTs — Block any login POST requests made with HTTP 1.0. Since it is common for bots to use HTTP 1.0 (and no modern browser that I know of sends HTTP 1.0 requests), this should effectively block them from attempting to login.
- Targeted Basic Authentication — This will add an extra layer of basic authentication to the WordPress login page. This is a more aggressive approach but should completely prevent any bots from even attempting a WordPress login.Unlike modifying your webserver configuration to add Basic Authentication, this approach will not break the functionality of nopriv ajax actions.
By default, when you install this plugin it will enable the first 2 methods listed above … but if you want the 3rd, all you’ll have to do is check a box on the WP Login Protector settings page.
I can’t guarantee that this will cover every scenario imaginable or that a hacker’s script couldn’t be modified to bypass the first 2 strategies this plugin employs … but I can say that it has completely blocked all brute force attacks on my client’s site since it was installed.