• Hi,

    I don’t have a problem with brute force attacks (yet), but as they say, prevention is better than healing.

    So I set up a sort of extra security measure I found online which I think might help.

    I added lines to my .htaccess file and created a .htpasswd file for my password.
    This all executes when somebody is trying to access the wp-login.php file.

    This works great but I can’t seem to get an answer to the following.
    How long does an HTTP authentication stay active?
    I tried logging out of WP but that doesn’t seem to matter.

    Any ideas?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Are you saying that you are adding an Apache basic authentication on your login page (using htpasswd) so you have to get past that before you can log into WordPress? If so, once you’ve authenticated successfully via basic auth, then it stays active until you close your browser.

    Another option would be to use a Limit Login Attempts plugin (there are several) or WP Better Security, which also limits the number of times a user can attempt to log in. However, there’s nothing wrong with putting basic authentication in front of your admin page.

    What you’ve done is actually one of the suggestions in the Codex page on brute force attacks (but there’s other good info there too):

    Codex: Brute Force Attacks

    Thread Starter mvanboordt

    (@mvanboordt)

    Hi,

    Thnx for your reply.
    Brute Force Attacks are the only reason I’m doing this.
    I tried closing my browser and yes indeed, this is the moment it asks me again to log in.

    Is there a way to extend this to e.g. a week?

    I’ll take another look at the codex.

    Thnx so far!
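    To make the answer above concrete (an added example, not code from this thread): HTTP Basic auth keeps no server-side session at all. The gate is evaluated on every request from the Authorization header the browser resends, so the only "lifetime" is how long the browser chooses to cache the credentials (normally until it is closed), and there is nothing in .htaccess that could stretch it to a week. The tiny server below stands in for Apache's wp-login.php gate; the `admin` / `correct horse` credentials are constructed placeholders for one .htpasswd entry.

```python
import base64, hmac, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials standing in for one .htpasswd entry (assumption).
USERS = {"admin": "correct horse"}

class LoginGate(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path.startswith("/wp-login.php") and not self.authorized():
            # Challenge; the browser alone decides how long it resends creds.
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="wp-login"')
            self.end_headers()
            return
        self.send_response(200)
        self.end_headers()

    def authorized(self):
        hdr = self.headers.get("Authorization", "")
        try:
            scheme, token = hdr.split(" ", 1)
            user, _, pw = base64.b64decode(token).decode().partition(":")
        except ValueError:  # header missing/malformed, bad base64, non-UTF-8
            return False
        return (scheme == "Basic" and user in USERS
                and hmac.compare_digest(pw.encode(), USERS[user].encode()))

def fetch(port, path, creds=None):
    # GET path, attaching an Authorization header only when creds is given.
    req = urllib.request.Request(f"http://127.0.0.1:{port}{path}")
    if creds:
        token = base64.b64encode(":".join(creds).encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def demo():
    # Status codes showing the gate is re-checked on every single request.
    with HTTPServer(("127.0.0.1", 0), LoginGate) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        port = srv.server_address[1]
        out = {"no_creds": fetch(port, "/wp-login.php"),
               "good_creds": fetch(port, "/wp-login.php", ("admin", "correct horse")),
               "bad_creds": fetch(port, "/wp-login.php", ("admin", "wrong")),
               "no_creds_again": fetch(port, "/wp-login.php")}  # no session kept
        srv.shutdown()
    return out
```

    The request after the successful one still gets a 401 because the client dropped the header; a real browser simply keeps attaching it until it exits.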

    Along with Bulletproof Security for htaccess and failed login attempts, and with Wordfence Security as a firewall and to scan files, here are some things I have added at the BPS Custom Code editor and I no longer get great numbers of 404s or have to be overly-concerned about brute-force attempts:

    ## add at top of htaccess
    ## note: also go set wp-config.php permissions to 0400
    # deny wp-config.php
    # (Apache 2.2 syntax; on 2.4 without mod_access_compat use "Require all denied")
    <Files wp-config.php>
    Order allow,deny
    Deny from all
    </Files>
    
    ## add within or after BEGIN/END WordPress
    # send username enumeration (?author=N) to Home
    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{QUERY_STRING} ^/?author=([0-9]*)
    RewriteRule ^(.*)$ /? [L,R=301]
    </IfModule>
    ####
    
    ## add at end of htaccess
    # send certain brute-force login attempts to 403
    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} =POST
    ### note change yoursite.com in this next RewriteCond line
    ### and remove its preceding # to make it work
    ### (while it stays commented out, EVERY POST to wp-login.php gets a 403, your own included)
    ### dots are escaped and http/https plus an optional subdomain are allowed
    #RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?yoursite\.com/ [NC]
    RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^/wp-admin/?$
    RewriteRule ^(.*)$ - [R=403,L]
    </IfModule>
    
    # prevent view of 403.shtml
    <Files 403.shtml>
    Order allow,deny
    Deny from all
    </Files>
    ####

  • The topic ‘Brute force attack solution via .htpasswd?’ is closed to new replies.