Brute force attacks are one of the major problems WordPress websites face these days. If you haven't run into them yet, consider yourself lucky, but keep in mind that your luck may not hold forever.
While dealing with clients' websites I have repeatedly come across brute force attacks, so I thought I should share some information about them and about a plugin that was written to prevent them.
You might be wondering what a brute force attack is in the first place.
A brute force attack is when an attacker hits your WordPress login with a large number of login requests, trying many username and password combinations until one of them works. In plain terms, you are being bombarded by a flood of login requests from an attacker who is guessing username and password combinations in order to gain access to your website. This is one of the many reasons you should not use the name 'admin' for your administrator account and should choose a strong password: a successful brute force attack means a compromised site.
The next question that comes to mind is: how am I ever going to know that my website is under attack?
It varies from case to case, but in general you will notice a sudden drop in the responsiveness of the website caused by the flood of login attempts, and when you check your Apache access log you will find thousands of POST requests to your /wp-login.php script.
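Rather than eyeballing the log, you can count the login POSTs per client address. The script below is an added example written for this post, not part of the original article or of any plugin. It assumes the Apache "combined" log format, and the log lines and IP addresses in it are constructed for the demonstration; the threshold is set absurdly low for the sample, whereas on a real server you would be looking for hundreds or thousands of POSTs from one address in a short window.

```python
import re
from collections import Counter

# Apache "combined" log format: client ip, identity, user, [timestamp],
# "METHOD PATH PROTOCOL", status, bytes, "referer", "user agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not from a real server): two scripted
# attackers hammering wp-login.php, one of them over HTTP/1.0, plus a
# normal visitor who loads the login page and logs in once.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.0" 200 3921 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.0" 200 3921 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-login.php HTTP/1.1" 200 3402 "https://example.test/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.0" 200 3921 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.33 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.test/wp-login.php" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
192.0.2.33 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:42 +0000] "POST /wp-login.php HTTP/1.0" 200 3921 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.9 - - [10/Oct/2023:13:55:42 +0000] "GET /wp-admin/ HTTP/1.1" 200 21043 "https://example.test/wp-login.php" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def login_post_stats(lines):
    """Count POST /wp-login.php per client IP, and how many of those used HTTP/1.0."""
    per_ip = Counter()
    http10 = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the whole run
        # ignore any query string so "/wp-login.php?action=lostpassword" still counts
        if rec["method"] != "POST" or rec["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        per_ip[rec["ip"]] += 1
        if rec["proto"] == "HTTP/1.0":
            http10[rec["ip"]] += 1
    return per_ip, http10


def suspected_attackers(per_ip, threshold):
    """Addresses that posted to the login page at least `threshold` times."""
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


if __name__ == "__main__":
    counts, old_proto = login_post_stats(SAMPLE_LOG.splitlines())
    for ip in suspected_attackers(counts, threshold=2):
        print(f"{ip}: {counts[ip]} login POSTs, {old_proto[ip]} of them over HTTP/1.0")
```

On a live server you would feed it the real file (for example `open("/var/log/apache2/access.log")`) and raise the threshold; the HTTP/1.0 column is worth keeping because, as the plugin section below explains, modern browsers do not speak HTTP/1.0, so any login POSTs on it are almost certainly scripted.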
Once you know your website is under attack, an even bigger question follows: how exactly am I supposed to protect my website from a brute force attack?
Well, worry not, there are solutions.
One of the most frequently used ways to stop an attacker brute-forcing their way into your website is to enable a second layer of authentication over your wp-admin directory. The drawback of this method is that it can break some basic WordPress functionality, in particular admin-ajax, since front-end AJAX calls also go through wp-admin/admin-ajax.php. That said, it is an effective approach, and if you want to implement it you can follow this article from secure.
If you don't want to break your front-end AJAX, you can instead use a plugin that provides three mechanisms to prevent these attacks. The plugin is called WP Login Protector and it is available on GitHub for anyone to download.
Here is an overview of the methods it uses to protect your website from these attacks:
POST Cookie protection:
With this method a cookie is set on the first GET request to the site, i.e. when someone opens the login page, and if that cookie is not present on the subsequent POST request the login is blocked. This is effective against simple bots that fire POST requests straight at WordPress' login page without ever loading it.
Block HTTP/1.0 POSTs:
This method blocks any login POST request made over HTTP/1.0. Most bots use HTTP/1.0, and to our knowledge no modern browser sends requests over HTTP/1.0, so this stops those bots from attempting to log in at all.
Targeted Basic Authentication:
This is a very aggressive but effective approach for saving your website from a flood of login requests by a bot. An extra layer of HTTP Basic authentication is added to the WordPress login page only. Unlike reconfiguring your web server to protect all of wp-admin, this does not break nopriv (unauthenticated) AJAX actions.
When you install the plugin, the first two methods are enabled by default; to enable the third you have to tick a checkbox on the WP Login Protector settings page.
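To make the three layers concrete, here is an added example, written for this post, that models the decision logic described above as a small request filter and runs a browser, a naive bot and a smarter bot through it. It is not the plugin's code (the real thing runs inside WordPress as PHP); the cookie name, the reason strings, the request dictionary layout and the Basic-auth credentials are all made up for the illustration.

```python
import base64
import hashlib
import hmac
import secrets

LOGIN_PATH = "/wp-login.php"
COOKIE_NAME = "wplp_seen"  # hypothetical cookie name, not the plugin's

# Constructed Basic-auth credential for the third layer. The password is
# stored only as a salted PBKDF2 hash so the check never holds plaintext.
BASIC_USER = "gatekeeper"
BASIC_SALT = b"constructed-salt"
BASIC_HASH = hashlib.pbkdf2_hmac("sha256", b"example-gate-pass", BASIC_SALT, 100_000)


def basic_header(user, password):
    """Build an 'Authorization: Basic ...' header value the way a browser does."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def _basic_auth_ok(header):
    """Verify a Basic header against the stored hash, in constant time."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False  # garbage header, treat as no credentials
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), BASIC_SALT, 100_000)
    # compare_digest on both fields so a bot cannot probe the username byte by byte
    user_ok = hmac.compare_digest(user.encode(), BASIC_USER.encode())
    pw_ok = hmac.compare_digest(candidate, BASIC_HASH)
    return user_ok and pw_ok


def protect_login(req, basic_auth=False):
    """Apply the three checks in order. Returns (allowed, reason, cookie_to_set)."""
    if req["path"] != LOGIN_PATH:
        return True, "not-login", None       # nothing else is touched
    if req["method"] == "GET":
        # Layer 1, first half: whoever loads the page receives the cookie.
        return True, "page-load", (COOKIE_NAME, secrets.token_urlsafe(16))
    if req["method"] != "POST":
        return False, "method", None
    if req["protocol"] == "HTTP/1.0":
        return False, "http10", None         # Layer 2: no browser speaks HTTP/1.0
    if COOKIE_NAME not in req.get("cookies", {}):
        return False, "no-cookie", None      # Layer 1, second half
    if basic_auth and not _basic_auth_ok(req.get("headers", {}).get("Authorization")):
        return False, "basic-auth", None     # Layer 3, only when switched on
    return True, "ok", None


def _req(method, protocol="HTTP/1.1", cookies=None, headers=None, path=LOGIN_PATH):
    return {"method": method, "protocol": protocol, "path": path,
            "cookies": cookies or {}, "headers": headers or {}}


def simulate():
    """Walk a browser, a naive bot and a smarter bot through the filter."""
    out = {}
    # Browser: GET first, then POST carrying the cookie it was handed.
    _, _, cookie = protect_login(_req("GET"))
    out["browser"] = protect_login(_req("POST", cookies={cookie[0]: cookie[1]}))[1]
    # Naive bot firing POSTs over HTTP/1.0 without loading the page.
    out["bot_http10"] = protect_login(_req("POST", protocol="HTTP/1.0"))[1]
    # Bot on HTTP/1.1 that still skips the page load.
    out["bot_nocookie"] = protect_login(_req("POST"))[1]
    # Smarter bot that does a GET first: the first two layers no longer stop it...
    _, _, c = protect_login(_req("GET"))
    bot_cookie = {c[0]: c[1]}
    out["bot_with_cookie"] = protect_login(_req("POST", cookies=bot_cookie))[1]
    # ...which is exactly what the targeted Basic-auth layer is for.
    out["bot_basic"] = protect_login(_req("POST", cookies=bot_cookie), basic_auth=True)[1]
    owner = {"Authorization": basic_header("gatekeeper", "example-gate-pass")}
    out["owner_basic"] = protect_login(
        _req("POST", cookies=bot_cookie, headers=owner), basic_auth=True)[1]
    return out


if __name__ == "__main__":
    for who, verdict in simulate().items():
        print(f"{who:16} -> {verdict}")
```

The "bot_with_cookie" row is the honest part of the picture: a script that fetches the login page before posting to it sails through the first two layers, which is why the third one exists. Basic authentication sends the credential base64-encoded on every request, so only enable it on a site served over HTTPS.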
This may not cover every possible case, and an attacker could modify their script to bypass the first two strategies the plugin implements, but it has completely blocked the brute force attacks on my clients' websites.