
WordPress wp-login.php Brute Force Protection - Now Available

6 replies to this topic

#1 MikeDVB
    Forum Administrator
  • Staff Administrator
  • 2,672 posts
  • Gender: Male
  • Location: Central Indiana, USA

Posted 03 September 2014 - 11:21 AM

Hello!

WordPress suggests password protecting the wp-login.php file using htpasswd. This is not a terribly difficult task but, with cPanel, is something that has to be done manually, as cPanel only provides a way to protect folders, not a single file.

The details of how to put this block in place can be seen on the Official WordPress Codex at http://codex.wordpre...ct_wp-login.php

We have written an internal script that can perform all of the steps necessary to protect your wp-login.php against brute force attacks. We can execute this upon request on any account; however, we will also be replacing our wp-login.php block with this wp-login.php password protection moving forward. This means that if your site comes under attack and is not already password protected, we will password protect it and notify you of the username and password so that you can still access your site normally while locking out bots/attacks.

Once the password protection is in place it is possible to add users and modify passwords from the cPanel interface, and I will be creating a knowledgebase article showing how to do this step-by-step, including pictures, later today.


Michael Denney - MDDHosting LLC - Providing Hosting since 2007
Scalable shared hosting plans in the cloud! Check them out!
Highly Available Cloud Shared, Reseller, and VPS
http://www.mddhosting.com/
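One way to produce the htpasswd entries and the single-file .htaccess stanza the post describes, written here as an added example (not MDDHosting's internal script). It assumes Apache with mod_auth_basic and .htaccess overrides enabled, uses the {SHA} htpasswd scheme so it runs with the standard library alone (Apache's `htpasswd -B` bcrypt entries are the stronger choice where the tool is available), and the user names, passwords and path below are constructed placeholders.

```python
import base64
import hashlib
import hmac


def htpasswd_entry(user: str, password: str) -> str:
    """Return a 'user:{SHA}<base64 sha1>' line, the format Apache's `htpasswd -s` writes."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def upsert_user(htpasswd_text: str, user: str, password: str) -> str:
    """Add a user or replace an existing user's password; other lines are untouched."""
    kept = [l for l in htpasswd_text.splitlines() if l and l.partition(":")[0] != user]
    kept.append(htpasswd_entry(user, password))
    return "\n".join(kept) + "\n"


def remove_user(htpasswd_text: str, user: str) -> str:
    """Drop one user's line (the 'remove user' step of the knowledgebase article)."""
    kept = [l for l in htpasswd_text.splitlines() if l and l.partition(":")[0] != user]
    return "\n".join(kept) + ("\n" if kept else "")


def check_password(htpasswd_text: str, user: str, password: str) -> bool:
    """Verify a password the way Apache would for a {SHA} entry (constant-time compare)."""
    candidate = htpasswd_entry(user, password)
    for line in htpasswd_text.splitlines():
        if line.startswith(user + ":{SHA}"):
            return hmac.compare_digest(line, candidate)
    return False


def htaccess_block(htpasswd_path: str) -> str:
    """The stanza that challenges only wp-login.php; every other URL is served as before.
    htpasswd_path must be absolute and should sit outside the document root."""
    return (
        "<Files wp-login.php>\n"
        "    AuthType Basic\n"
        '    AuthName "Restricted Area"\n'
        f"    AuthUserFile {htpasswd_path}\n"
        "    Require valid-user\n"
        "</Files>\n"
    )


if __name__ == "__main__":
    users = upsert_user("", "wpadmin", "example-only-password")  # constructed sample user
    print(htaccess_block("/home/example/.htpasswds/wp-login"))  # placeholder path
    print(users, check_password(users, "wpadmin", "example-only-password"))
```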

#2 MikeDVB
    Forum Administrator
  • Staff Administrator
  • 2,672 posts
  • Gender: Male
  • Location: Central Indiana, USA

Posted 03 September 2014 - 12:27 PM

The knowledgebase article about how to add users, modify existing users, and remove users from the password protection has been created and can be seen here: http://www.mddhostin...protection.html


#3 Dehenderson
    Newbie
  • Members
  • 24 posts
  • Gender: Male
  • Location: Arlington, VA

Posted 03 September 2014 - 02:16 PM

Does this action supersede using the plugin, rename-wp-login?  



#4 MikeDVB
    Forum Administrator
  • Staff Administrator
  • 2,672 posts
  • Gender: Male
  • Location: Central Indiana, USA

Posted 03 September 2014 - 03:45 PM

It protects wp-login.php via password protection - it would take effect before anything else.

Just as you would protect a folder - this is protecting only this one file, which is the target of the brute force attacks.


#5 cziv
    Newbie
  • Members
  • 21 posts
  • Gender: Male

Posted 05 September 2014 - 07:47 AM

This is a wrong approach, I don't want anyone to mess with my websites, especially with passwords etc. etc.

Also many WP are public for registrations, or have Editor accounts.

There are PLENTY of modules that protect WP-Login and work great. Why not install something like that and be safe?

I don't get it.

For example, this is one of the great plugins.

http://www.thewhir.c...e-force-attacks

BruteProtect is a cloud-powered Brute Force attack prevention plugin and the best protection against botnet attacks.

https://wordpress.or...s/bruteprotect/

#6 MikeDVB
    Forum Administrator
  • Staff Administrator
  • 2,672 posts
  • Gender: Male
  • Location: Central Indiana, USA

Posted 06 September 2014 - 12:26 AM

cziv wrote:
> This is a wrong approach, I don't want anyone to mess with my websites, especially with passwords etc. etc.
>
> Also many WP are public for registrations, or have Editor accounts.
>
> There are PLENTY of modules that protect WP-Login and work great. Why not install something like that and be safe?
>
> I don't get it.

We aren't just going around throwing it on sites willy-nilly.

Here are some examples from customers we've contacted when we put this in place:

Of the last 7406 page views, 7383 have been to your wp-login.php.

Of the last 5642 page views, 3855 have been to your wp-login.php.

Of the last 4944 page views, 4730 have been to your wp-login.php.

Of the last 15325 page views, 15277 have been to your wp-login.php.

Of the last 30614 page views, 26851 have been to your wp-login.php.

Those are real values taken right from the last 5 tickets we opened with customers concerning their sites being under attack. We're talking about requests over minutes - not days, weeks, or months.

It's enough that, if action isn't taken, it will take your site offline.

There are two issues facing most brute-force plugins:

1. They tend to require multiple failed attempts from a single IP. The problem? Most of these attacks are done from 100,000s of individual IPs. Have 20,000 attempts to log into your wp-admin? You'll see 20,000 distinct IP addresses.

2. They all require a fair bit of CPU for the PHP and MySQL that make them work. So yes - maybe they'll keep your login safe - but they'll potentially take your site down under the load of such a large attack.

Now distributed brute force protection is great - the only problem is that you also face the CPU and possible network load of such plugins. Get hit by 100,000 bots in 5 minutes? You're probably still going to be offline even if they don't get into your WP-Admin.

Password protection [or] simply limiting access to wp-login.php by IP address are ultimately the best ways to fend off attacks, if it is possible for your particular site - if they can't even post data to the file, they stand no chance of ever getting in. There are, obviously, sites where this won't fit, and if we end up putting this protection on such a site and the site holder lets us know, we'll remove it, no problem, and will also make it so that it can't happen again. That said, if they don't do something on their own to prevent it, they're going to face further problems.

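A small log check, added here as an example and not the hosting provider's own script, that produces the "Of the last N page views, M have been to your wp-login.php" figure quoted above and flags the pattern point 1 describes: login traffic spread across many IPs, each staying below a per-IP lockout threshold. It assumes Apache combined-format access logs; the sample lines are constructed.

```python
import re
from collections import Counter

# Apache combined/common log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def summarize(lines, window=None):
    """Summarise the last `window` parsable requests (all of them when window is None)."""
    recent = [m.groupdict() for m in map(LOG_RE.match, lines) if m]
    if window:
        recent = recent[-window:]
    login = [r for r in recent if r["path"].split("?")[0].endswith("/wp-login.php")]
    per_ip = Counter(r["ip"] for r in login)
    return {
        "total": len(recent),
        "login": len(login),
        "login_posts": sum(r["method"] == "POST" for r in login),
        "distinct_ips": len(per_ip),
        "max_per_ip": max(per_ip.values(), default=0),
    }


def report_line(s):
    """The one-line figure quoted in the post above."""
    return f"Of the last {s['total']} page views, {s['login']} have been to your wp-login.php."


def is_distributed_attack(s, share=0.5, per_ip_limit=5):
    """True when wp-login.php dominates the traffic yet no single IP exceeds per_ip_limit,
    which is exactly the case a per-IP lockout plugin never triggers on."""
    return s["total"] > 0 and s["login"] / s["total"] >= share and s["max_per_ip"] <= per_ip_limit


def sample_lines():
    """Constructed log: 3 ordinary page views, then 40 POSTs to wp-login.php from 40 IPs."""
    normal = [
        '203.0.113.7 - - [05/Sep/2014:07:40:01 +0000] "GET / HTTP/1.1" 200 5120',
        '203.0.113.7 - - [05/Sep/2014:07:40:02 +0000] "GET /about/ HTTP/1.1" 200 4100',
        '203.0.113.9 - - [05/Sep/2014:07:41:10 +0000] "GET /feed/ HTTP/1.1" 200 2200',
    ]
    bots = [
        f'192.0.2.{i} - - [05/Sep/2014:07:47:{i % 60:02d} +0000] '
        '"POST /wp-login.php HTTP/1.1" 200 3600'
        for i in range(1, 41)
    ]
    return normal + bots


if __name__ == "__main__":
    s = summarize(sample_lines())
    print(report_line(s), "distributed attack:", is_distributed_attack(s))
```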

#7 Trader Joe
    Newbie
  • Members
  • 1 post

Posted 25 May 2015 - 02:16 PM

Since I use the rename wp-login.php WordPress plugin I don't have to worry anymore and feel that my WordPress sites are better secured.
