
Two Tier protection against brute force logins

What is a Brute Force Attack?

A brute force attack is when a hacker uses a computer to automatically and repeatedly request the WordPress login page of a site, trying hundreds if not thousands of username and password combinations in an attempt to gain access to the site’s admin area. Since the default login page for every WordPress site is /wp-login.php, and the default admin username is ‘admin’, the hacker already has a login URL and a valid username; all that remains is to figure out the password.

Hopefully you have changed the default admin username from ‘admin’ to something else. That is a good starting point. Also make sure you have a strong password. If you have done both of these things, the chances are good that your site will not be compromised. The problem is that the sheer number of requests can easily bring down the server through excess traffic, especially if you are on a shared hosting server (GoDaddy, Bluehost, HostGator, etc.). The only way to prevent this is by denying access to your default login page.

1) Add to your theme's functions.php

function check_referrer() {
    // Only form submissions are checked, so a directly typed URL still renders the form.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return;
    }
    // A browser sends a Referer with the form POST; a bare scripted request usually does not.
    // The header is client-supplied, so this only stops unsophisticated bots.
    if (!isset($_SERVER['HTTP_REFERER']) || $_SERVER['HTTP_REFERER'] == "") {
        wp_die( __('Please enable referrers in your browser.') );
    }
}

// check_comment_flood fires on comment submission; login_init fires on every request to the login script.
add_action('check_comment_flood', 'check_referrer');
add_action('login_init', 'check_referrer');

2) Rename wp-login.php to login.php and add the following to your theme's functions.php

// Note: a WordPress core update restores wp-login.php, so the rename has to be
// repeated (or the original path blocked) after every update.

//register url fix
add_filter('register', 'fix_register_url');
function fix_register_url($link)
{
    return str_replace(site_url('wp-login.php?action=register', 'login'), site_url('login.php?action=register', 'login'), $link);
}
//login url fix: swap only the script name so any redirect_to/reauth query string survives
add_filter('login_url', 'fix_login_url');
function fix_login_url($link)
{
    return str_replace('wp-login.php', 'login.php', $link);
}
//forgot password url fix
add_filter('lostpassword_url', 'fix_lostpass_url');
function fix_lostpass_url($link)
{
    return "/login.php?action=lostpassword";
}
//Site URL hack to overwrite register url (the third filter argument is the scheme passed to site_url())
add_filter('site_url', 'fix_urls', 10, 3);
function fix_urls($url, $path, $orig_scheme)
{
    if ($orig_scheme !== 'login') {
        return $url;
    }
    if ($path == 'wp-login.php?action=register') {
        return site_url('register', 'login');
    }
    return $url;
}

See more at: http://www.firsttracksmarketing.com/website-development/how-to-protect-your-wordpress-site-from-brute-force-attacks.html

Alphonse

Editorial Staff at ETN Multimedia is led by Alphonse Tan. Page maintained by Alphonse Tan
