• wp3zzz

    (@wordpress3zzz)


    I host several websites and really appreciate how awesome wordpress is. Lately I am noticing numerous brute force attempts to log in to these sites. I know there are plugins that can prevent this (one of them screwed up an MU install for me last week) but I wonder; why isn’t this built in? Limit users to 1 request per 5 or 10 seconds or so, that would probably be a big help!

    thank you

Viewing 4 replies - 16 through 19 (of 19 total)
  • The goal of my request isn’t to prevent the brute force attempts themselves (which of course would be nice) but to prevent servers from getting overloaded by them, and in that regard I believe it will alleviate what I’ve been seeing. I’m going to give that plugin a try.
    Thanks for the links and info!

    If you are trying to reduce load on your servers that plugin is going to make load worse during a brute force attack. The main problem is that the attacks come from multiple IP addresses, usually around 10 or 12 per IP, then they hit you from another IP. Limit login attempts locks out an IP after a set number of failed attempts but won't protect you from the next 10 tries from another IP.

    It also stores the IPs as a serialized array and every time a failed request is made it requires a call to the database and PHP resources to unserialize the data, then serialize and write back to the db.

    I think blocking No-Referrer requests via the web server either Apache or Nginx is the best way to prevent the attempts. The bots don’t normally get to wp-login.php via a redirect from /wp-admin, they usually hit wp-login.php directly with a POST request containing the username and password attempt. If you block direct access without a referrer it stops the attempts.

    You can also do this via PHP and WordPress but every attempt will still load the WordPress bootstrap.
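    An added example (not code from any of the posts above) of the web-server rule described in this reply, for Apache with mod_rewrite in the site's root .htaccess; example.com is a placeholder for your own hostname:

    ```apache
    # Added example: refuse POSTs to wp-login.php that do not carry a Referer
    # from this site. GET requests still load the login form normally, so a
    # real user who lands on wp-login.php and submits it sends the form's
    # own URL as Referer and passes. Blocking happens in Apache before
    # PHP/WordPress bootstraps, which is the point: no DB or PHP cost per try.
    <IfModule mod_rewrite.c>
    RewriteEngine On
    # Only gate the credential submission, not the page load
    RewriteCond %{REQUEST_METHOD} POST
    # Let through POSTs whose Referer is on this site (example.com = placeholder)
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
    # Everything else posting to wp-login.php gets 403 Forbidden
    RewriteRule ^wp-login\.php$ - [F,L]
    </IfModule>
    ```

    Referer is client-supplied and some browsers or privacy settings strip it, so treat this as a load-shedding measure that can also lock out a few legitimate users, not as a substitute for strong passwords.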

    Ok, the point of code changes like this isn't to prevent the attack entirely, it's to slow down the attack to give time for a server admin to respond to the problem before the site has been hacked.

    Just so everybody knows, most shared LAMP hosting won't prevent a non-intrusive brute force attack that is done slowly and in non-working hours.

    I believe adding an OPTION to wordpress to limit the number of login attempts in a given time that is not turned on by default would be very useful. That option used in conjunction with the removing login error code I posted previously would completely prevent a brute force attack.

    Thread Starter wp3zzz

    (@wordpress3zzz)

    Thanks chaoix. It's only because our servers were running slow and getting hit by the same IP addresses over and over that I had to look into this. Blocking the individual IP addresses got things under control on more than one occasion over the past few weeks.

    Cool. If you manage your own server running WHS/Cpanel, you can install a nice iptables/firewall add on to help you handle these types of situations as well.
    https://configserver.com/cp/csf.html

  • The topic ‘Built in Brute Force prevention’ is closed to new replies.