Brute force attacks

Bots mostly, they’re a part of online life, like comment and email spam.

Bots will go around, hitting most login forms directly, trying popular username and password combinations, hoping to get in.

As long as you have a great password, you don’t have to worry about them getting in.

There are plugins to stop this, but I don’t recommend any of them, as that still puts load on your server. They generally won’t get in past these plugins, but the plugins still need to do the work of identifying and processing the hit.

Instead, add this to your .htaccess access file:

# Stop spam attack logins and comments
<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteCond %{REQUEST_METHOD} POST
	RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login)\.php*
	RewriteCond %{HTTP_REFERER} !.*(example.com|jetpack.wordpress.com).* [OR]
	RewriteCond %{HTTP_USER_AGENT} ^$
	RewriteRule (.*) https://%{REMOTE_ADDR}/$ [R=301,L]
</ifModule>

Replace example.com with your site, and if you aren’t using Jetpack Comments, remove “|jetpack.wordpress.com”.

This will not only block direct hits to your login and comment forms (which normal humans don’t do), it will also redirect them back to their “home” for an extra ounce of revenge. ??

Via https://halfelf.org/2013/wp-login-protection-htaccess/

There is a plugin that is excellent:

Limit Login Atempts

I suggest plugin over direct editing any of the files.

I suggest plugin over direct editing any of the files.

Generally, I’d say the same, but not in the case of BruteForce protection. As mentioned above, “There are plugins to stop this, but I don’t recommend any of them, as that still puts load on your server. They generally won’t get in past these plugins, but the plugins still need to do the work of identifying and processing the hit.”

Just to clarify, the .htaccess bit above will protect wp-login.php from direct hits, which is how most brute force attacks are carried out. It blocks them at the server level, rather than allowing them to reach a plugin, which will need to run via PHP, process the hit, and then query the MySQL database for any matches to existing blocks.

Essentially, it’s the difference between a door that is already closed to certain traffic (the .htaccess rule), and a door that is always open with a single security guard who needs to check each person as they enter (the plugin).

yea im more inclined to add the htaccess code instead of a plugin. i dont want to rely on plugins if i can avoid it. already got too many running on the site. thanks for the heads up all!

You’re welcome!

i think its working. havent had an attack for 10 hours now…. crossing fingers! Im not good with code. I just copied and pasted the stuff into the htaccess and changed it to my url. There was some other piece of code in there that looked like this one. I hope i did it right.

If it’s working, and you have no trouble access your site in a variety of browsers, I’d say you did the right thing. ??

so on a similar note, any ways to stop trackback comments? im getting around 10 a day that i have to manually monitor and mark as spam

I’m not sure personally, Akismet should be catching most if you’re using that.

A while back, I switched off Trackbacks and Pingbacks and have been blissfully Trackback and Pingback spam free, since it had been years since I received a legitimate Trackback or Pingback anyway. ??

You can set the default to turn those off for future posts/pages by unchecking “Allow link notifications from other blogs (pingbacks and trackbacks)” at Settings -> Discussion in your blog’s Dashboard.

For existing posts/pages, you’ll need to edit them and uncheck “Allow trackbacks and pingbacks on this page” in the Discussion box below the editor. If you don’t see the Discussion box below the editor, click the Screen Options tab near the top-right and check “Discussion.”

If you have a ton of posts, https://www.ads-software.com/plugins/wp-disable-comments/ and https://www.ads-software.com/plugins/simple-trackback-disabler/ look promising, but backup first: https://codex.www.ads-software.com/WordPress_Backups

I should of asked this earlier on…do you have akismet?

already got too many running on the site

No such thing as too many plugins. It’s the quality of each plugin.

I have a site that the client has every possible social media account you can think of. that’s about 30 (twitter, facebook, instagram, vine, last.fm and so forth), they all show up on client’s website sidebar.

Look at this link: https://www.ads-software.com/plugins/super-simple-anti-spam/ that deals with trackback spam.

Doesn’t Akismet deal with trackback spam too?

I am testing Antispam Bee “Easy and extremely productive spam-fighting plugin with many sophisticated solutions. Includes protection again trackback spam.”

Not endorsing or not endorsing any of the above plugins.

oh shoot, i should have checked that first. when i remade my site, i forgot to redownload akismet. im a dummy haha.

looks like login attacks are back. after adding that htaccess code it stopped for awhile but i seem them back on my activity monitor now. any ideas? thanks!

Bit of an old thread, but have you checked your .htaccess again? You might lose your settings if you visit Admin > Settings > Permalinks (URL Structure). It refreshes the .htaccess to my knowledge.