How to Prevent Brute Force Attacks on Your Wordpress Install

Unlike hacks that focus on vulnerabilities in software, a Brute Force Attack aims at being the simplest kind of method to gain access to a site: it tries usernames and passwords, over and over again, until it gets in. Often deemed 'inelegant', they can be very successful when people use passwords like '123456' and usernames like 'admin.'

Brute Force Login attacks to wordpress sites are very common and there are ways to mitigate the problem. Please implement the plugins described below to help protect your website against these type of attacks. 

Step 1: Edit .htaccess File

The most common attack method is to post directly to the wp-login.php file. Entering the following code in your main .htaccess file will prevent this from being possible. Make sure you replace the in the code with your domain name. 

# Stop spam attack logins and comments
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login)\.php*
RewriteCond %{HTTP_REFERER} !.** [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]

Step 2: Install SI CAPTCHA Anti-Spam Plugin

The SI Captcha Anti-Spam plugin installs a CAPTCHA code into your registration and login forms to prevent auto bot posts to your forms. You can download the plugin by clicking here
  1. Once installed, click on Plugins -> SI Captcha Options
  2. Check the box beside "Enable CAPTCHA on the login form" and click Update Options

Step 3: Install Wordfence Security Plugin

The Wordfene Security Plugin is a firewall for your wordpress install. It will block IP addresses when they try to break into your site or try to flood your site. It will also scan your site files to watch for malicious files or changes to the wordpress core files. 
  1. Once installed click on Wordfence in the side menu and choose Options
  2. Complete the Basic Options by entering your email address ti receive alerts and Choosing the "Use Php's Built in REMOTE_ADDR ..." for the "How does Wordfence Get Ips" question
  3. Click Save Changes
  4. Under Advanced Options, you can choose what notices are sent to you as you wish. We recommend setting the following Login Security Options:
    1. Lock out after how many login failures - 3
    2. Lock out after how many forgot password attempts - 3
    3. Count failures over what time period - 5 minutes
    4. Amount of time a user is locked out - 5 Days
    5. Immediately lock out invalid usernames - Checked
    6. Don't let WordPress reveal valid users in login errors - Checked
  5. Click Save Changes
For several more options and security enhancements please see the Wordpress site - Brute Force Attacks.
Was this answer helpful?

Related Articles

Why does Google say my site contains malware?

(WORK IN PROGRESS!)So you've gotten a few calls, emails, drop-in visits with some frantic current...

How do I move Wordpress from one location/domain to another?

Step 1:  Copy the entire contents of the old domain folder, which includes your entire WordPress...

Activating WordFence Extended Protection

WordFence Auto Sense Firewall (images to come!) An issue has been identified with a Wordpress...

How To Change Your WordPress Login URL

How To Change Your WordPress Login URL The short answer is to install, activate, and configure...

How to Allow Your IP Address Access to Wordpress - htaccess

If you would like to limit access to your Wordpress Login script to only specified IP Addresses,...