{"id":4431,"date":"2014-05-13T17:42:34","date_gmt":"2014-05-13T17:42:34","guid":{"rendered":"http:\/\/demo.momizat.net\/goodnews\/?p=1"},"modified":"2014-05-13T17:42:34","modified_gmt":"2014-05-13T17:42:34","slug":"prevent-bruteforce-login-attacks","status":"publish","type":"post","link":"https:\/\/bulandrashtrawadi.in\/?p=4431","title":{"rendered":"Prevent Bruteforce Login Attacks on Your WordPress"},"content":{"rendered":"<p>We recently suffered a brute force login attack on one of my servers which was causing some sites to be unreachable and the server load was sky-high. After installing a logging script on the server we found out that the problem was caused on one installation of WordPress \u2013 hackers were using a script to try and guess the password of the admin account. After identifying the problem we were able to prevent this from continuing but not after some downtime to various websites resulting in a loss of income for my company.<\/p>\n<p>In this post I\u2019m going to talk you through a few methods to prevent this so the same doesn\u2019t happen to you.<\/p>\n<h2>CHANGE ADMIN USERNAME<\/h2>\n<p>This is mentioned all the time, but it really is an important step \u2013 don\u2019t use \u201cadmin\u201d as your admin username, pick something unique for each site. This was the cause of the problem with my site, I had the admin username as admin so this was the main reason for the attack. Because the hacker knows the username is admin, they are half-way to getting the login details and can use a brute-force script to try many different passwords in combination with the username. 
If the username is something they don\u2019t know, this type of attack is not really possible.<\/p>\n<h2>USING .HTACCESS<\/h2>\n<p>If you are using PHP hosting, which most WordPress installations do, you can use a .htpasswd file and .htaccess to prevent anyone from even loading your wp-login.php file unless they know the username and password to do so \u2013 this provides an extra layer of security, as there are now two sets of usernames and passwords protecting your WordPress admin area. This is fairly simple to set up; you will need to know the server path to your website, which will be something like: home\/website<\/p>\n<p>First you need to generate an .htpasswd file; you can <a href=\"http:\/\/aspirine.org\/htpasswd_en.html\">do that on this site<\/a>. Enter a username, click \u201cGenerate Password\u201d, then click \u201cGenerate htpassword content\u201d, save the text from the right-hand box as a file named .htpasswd (with no extension) and upload it to your hosting, outside the public_html directory.<\/p>\n<p><a href=\"http:\/\/aspirine.org\/htpasswd_en.html\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-29306\" src=\"https:\/\/wplift-wplift.netdna-ssl.com\/wp-content\/uploads\/2014\/12\/115.png\" alt=\"1\" width=\"606\" height=\"346\" \/><\/a><\/p>\n<p>Change \u201c~\/.htpasswd\u201d to the location of your .htpasswd file and change \u201cmysecretuser\u201d to the username you chose when creating the .htpasswd file.<\/p>\n<h2>LIMIT ACCESS TO YOUR ADMIN AREA BY IP ADDRESS<\/h2>\n<p>If you are the only person who needs access to your WordPress admin area and you have a static IP address, you can limit access to yourself only by adding a rule in an .htaccess file within your wp-admin directory. 
The code to use is:<\/p>\n<pre># Block access to wp-admin from every address except the one allowed below.\n# Apache 2.2 syntax; on Apache 2.4 these directives require mod_access_compat.\norder deny,allow\nallow from x.x.x.x\ndeny from all<\/pre>\n<p>Just replace x.x.x.x with your actual IP address, which you can <a href=\"http:\/\/www.whatsmyip.org\/\">find out here<\/a>.<\/p>\n<h2>RECOMMENDED PLUGINS<\/h2>\n<p>There are a number of plugins you can use which will further enhance your login security, as follows.<\/p>\n<p>from :\u00a0http:\/\/wplift.com\/prevent-bruteforce-login-attacks-wordpress<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We recently suffered a brute force login attack on one of my servers which was causing some sites to be unreachable and the server load was sky-high. 
After installing a logging script on the server we found out that the problem was caused on one installation of WordPress \u2013 hackers were using a script to [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":30,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[1],"tags":[75,78,79,80,83],"_links":{"self":[{"href":"https:\/\/bulandrashtrawadi.in\/index.php?rest_route=\/wp\/v2\/posts\/4431"}],"collection":[{"href":"https:\/\/bulandrashtrawadi.in\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bulandrashtrawadi.in\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bulandrashtrawadi.in\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bulandrashtrawadi.in\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4431"}],"version-history":[{"count":0,"href":"https:\/\/bulandrashtrawadi.in\/index.php?rest_route=\/wp\/v2\/posts\/4431\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bulandrashtrawadi.in\/index.php?rest_route=\/wp\/v2\/media\/30"}],"wp:attachment":[{"href":"https:\/\/bulandrashtrawadi.in\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4431"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bulandrashtrawadi.in\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4431"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bulandrashtrawadi.in\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4431"}],"curies":[{"name":"wp","href":"https:\/\/api
.w.org\/{rel}","templated":true}]}}