Blocking Brute Force Attacks
-
I’ve set Wordfence to automatically block any IP that tries to log in to my site with an invalid username. I have set it to block that IP for 60 days; however, I’m seeing that Wordfence is only blocking for 2 hours (the setting I have for fake Google bots or those that ping my site too frequently). Am I missing something?
-
2 hours is more than enough to make an automatic script stop. They would need CENTURIES to proceed at that speed.
I guess my point is, why bother letting me set it to 60 days if it doesn’t do it? I’m getting blasted by bots right now and I’d like to get a break from the emails I get every time one of them tries.
Hello There
I must give you my 2 cents
I feel your pain. I was also hit by a bunch of bots over the last 3 weeks, super painful. I have posted about it on bloglines.co.za; I hope it helps kill all the bots.
As a side note:
I have 1500 permanent IP blocks in CSF; this seems to help.
Thank you Kindly
Mark
I’m not sure if you guys are aware, but there has actually been a recent large-scale WordPress login brute force attack going on.
[ Copy deleted. Please stop spamming the forums with your links. ]
@jacobn Could you please stop repeatedly posting that link and copy from your site? That’s called spamming and it’s not permitted here.
For advice about the brute force attack refer to this link.
https://www.ads-software.com/support/topic/brute-force-attacks-and-wordpress?replies=2
Which has some really good and well vetted advice via this Codex article.
@jan, my apologies. I wasn’t trying to spam; if you read through the link, it’s just trying to provide help for people having these issues. I had built my guide off of the reference material I had seen floating around a lot of places regarding this recent attack.
Most of our customers were struggling following the Codex and other technical guides, so I just thought others might also benefit from the easy steps with screenshots and whatnot.
I’ll go ahead and stop linking to it, as most people right now are just coming to it from Google searches, but I figured people directly searching here might benefit as well.
Sorry again.
– Jacob
Jacob, thanks, I do appreciate your understanding and I know you had good intentions.
But please, don’t do that again. If you want to assist people here that would be great and you’d be helping lots of people. You can see there’s many people who need assistance for WordPress related issues.
@jan, no problem at all. I’ll keep it to just text help going forward.
I’m very aware of the brute force attacks. Thank you for the reminder though, @jacob. Those attacks are what prompted me to tighten up my tolerance of them. If someone tries to sign into one of my sites with an invalid username or resets the password more than twice, I want them blocked for 2 months. For whatever reason it’s only happening for 2 hours despite my adjusting the settings.
I’ve tried to block entire countries with another plugin, but that doesn’t seem to be working. I see it works for others but not me. Don’t know why. I think if I can block China, Russia, Romania, and Germany I’ll get very few attacks.
Hey @patrickhealy,
I had linked to an article I wrote on protecting against these types of attacks, but WordPress doesn’t want external sources posted here.
Basically, I’d recommend not relying on WordPress login limits or security plugins for this type of attack. If you’re on a Linux web host, you can just use some simple .htaccess rules to block everyone out of your admin but yourself.
The current brute force attacks that have been taking place are not POSTing to the wp-login.php script with a proper referer being passed. So if you require a proper referer to be passed, this can block those. Then you can lock it down even further with IP allow rules to only allow yourself in.
If your domain name was example.com, and your IP addresses that needed to access the WordPress admin were 123.123.123.123 and 123.123.123.124 I’d recommend using these rules:
    <IfModule mod_rewrite.c>
        RewriteEngine on
        # Only look at POST requests; GETs to the login page are unaffected
        RewriteCond %{REQUEST_METHOD} POST
        # ...that do not carry a Referer from this site (http or https,
        # so the rule does not lock out a site that is served over http)
        RewriteCond %{HTTP_REFERER} !^https?://(.*)?example\.com [NC]
        # ...and target wp-login.php or wp-admin ([OR] joins these two
        # conditions; everything else is ANDed)
        RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
        RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
        # ...and do not come from one of the allowed admin IPs
        RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
        RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.124$
        # Everything that matched all of the above gets a 403 Forbidden
        RewriteRule ^(.*)$ - [F]
    </IfModule>
An even further level of protection would be to employ a secondary .htaccess password: you would want to fully password-protect the /wp-admin directory, and then, in the .htaccess file in the WordPress root directory, also add that password protection to your wp-login.php script with these rules:
    <FilesMatch "wp-login.php">
        AuthType Basic
        AuthName "Secure Area"
        # Reuse the same password file that protects /wp-admin
        AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
        require valid-user
    </FilesMatch>
Also, using the .htaccess file, you can Google for “country IP blocks” and then simply block entire countries that you don’t want to have access as well.
Once you start locking down and securing WordPress this way, I’d then recommend simply checking your website’s access logs every so often. If one IP has been continually hitting your wp-login.php script and getting 403 access denied errors from the .htaccess rules, you could then block it at your server’s firewall to prevent any further attempts from even reaching the site.
– Jacob
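Following up on the suggestion at the end of this post to review the access logs for IPs that keep receiving 403s on wp-login.php and then block them at the firewall: the script below is an added example, not code from the thread or from any of the plugins named here. It parses Apache combined-format access log lines (the sample lines are constructed), counts 403 responses to wp-login.php per client IP, ignores query strings such as ?action=lostpassword when matching the path, and renders the corresponding block commands for iptables or for CSF’s `csf -d` deny syntax so they can be reviewed before being run. The IP addresses, paths and threshold are assumptions for illustration.

```python
"""Find IPs repeatedly denied at wp-login.php and emit firewall block commands.

Added example; the log lines below are constructed, not from any real server.
"""
import re
import sys
from collections import Counter

# Constructed Apache "combined" log lines: one attacker denied repeatedly,
# one legitimate admin (allowed IP from the .htaccess example) whose POST
# succeeds, one single denied attempt, and a 403 that is not on wp-login.php.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2013:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 403 213 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 403 213 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 403 213 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:01:03 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 403 213 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 403 213 "-" "Mozilla/5.0"
123.123.123.123 - - [12/Apr/2013:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
123.123.123.123 - - [12/Apr/2013:10:05:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 8123 "https://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.9 - - [12/Apr/2013:10:07:00 +0000] "POST /wp-login.php HTTP/1.1" 403 213 "-" "python-requests/1.2"
192.0.2.44 - - [12/Apr/2013:10:08:00 +0000] "GET /index.php HTTP/1.1" 403 213 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def count_denied_logins(log_text, login_script="/wp-login.php"):
    """Count HTTP 403 responses to the login script per client IP.

    The query string (e.g. ?action=lostpassword) is stripped before the path
    is compared, and lines that do not parse are skipped rather than raising.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if rec["status"] == "403" and path == login_script:
            counts[rec["ip"]] += 1
    return counts


def pick_offenders(counts, threshold=3):
    """IPs with at least `threshold` denials, worst first, as (ip, hits) tuples."""
    hits = [(ip, n) for ip, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


def firewall_commands(offenders, tool="iptables"):
    """Render one block command per offender for review before running it.

    tool="csf" uses CSF's deny syntax (csf -d IP comment); anything else
    renders a plain iptables DROP rule.
    """
    cmds = []
    for ip, n in offenders:
        if tool == "csf":
            cmds.append(f'csf -d {ip} "wp-login brute force ({n} denied POSTs)"')
        else:
            cmds.append(f"iptables -I INPUT -s {ip} -j DROP")
    return cmds


if __name__ == "__main__":
    # Usage: python block_login_bruteforce.py [/path/to/access_log]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for cmd in firewall_commands(pick_offenders(count_denied_logins(text))):
        print(cmd)
```

Run it against the live access log and feed the printed commands to the firewall only after checking that none of the listed addresses is your own office or a shared NAT you depend on; an allowed admin IP that is denied for another reason would otherwise be locked out of the whole server, not just wp-admin.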
I called my host about this and they said putting that in place would do the job, but it would severely slow down the performance of the site, so I opted not to. Right now if someone tries to log in with an invalid username they get blocked for a couple of hours. That will do the job for now, but I get an email every time that happens from Wordfence (my option) so I can tell, and the emails are just rolling in. It gives me anxiety. I’d rather just block the whole country since I’ll never do business with any of them.
1) Have you tried Cloudflare?
2) The emails I have no fix for.
Thank you Kindly
Mark de Scande
@mark, ironically, I have that installed on one of my sites, but for the life of me I can’t figure out a way to do the country blocking. That was actually my first choice, but it isn’t clear how to do this.
Hello there
1) Log in To CloudFlare
2) Click on Dash Boards
3) Click on Threat control
4) Add custom rule bottom of the page
5) Type China and press Block
This is about the easiest way of doing it.
I must say I use:
1) CloudFlare (Security High)
2) CSF (Security High)
3) Mod_Sec (Standard Rule Set out the box)
4) PHP suhosin (Standard Rule Set out the box)
5) cPHulk Brute Force Protection (Standard Rule Set out the box)
6) WordFence (Security High)
Overall the systems are in place, but if I don’t keep all my plugins and stuff up to date it will all be in vain.
So as a note, if there is an update, don’t think, just press that button.
Thank you Kindly
Mark de Scande
Webmaster BlogLines.co.za
Wow, they’ve updated the settings. It was never this easy. Thanks for the heads up. I’ve blocked a bunch of the bad guys. Let’s see if this tones things down.
- The topic ‘Blocking Brute Force Attacks’ is closed to new replies.