Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator Jan Dembowski (@jdembowski)
    Forum Moderator and Brute Squad

    Why not with a plugin? The code is the same either way.

    Hi!
    You can find plenty of advice on the Internet on how to limit login attempts without using a plugin. But all of that advice is given by people who don’t even know exactly how the WordPress authentication algorithm works, including those nice guys from Stack Overflow. But anyway, you can do that if you don’t worry about your site, because there is no way to do it the right way without PHP coding and knowledge of WordPress.

    @matty,

    Frankly this is probably beyond the scope of WordPress. But you are right that relying on a plugin can be a weak option for blocking brute force attacks, as it can put a lot of strain on your server resources (CPU/RAM) etc.

    Besides DNS-level tools like Cloudflare (WAF/firewall) which help, you can also use rules on your server itself to secure your site:

    https://www.littlebizzy.com/blog/nginx-server-block-ssl

    For Nginx it’s pretty easy. You can rate limit wp-login.php to X page loads per second, and anything beyond that gets a 444 error (etc.):

    location = /wp-login.php {
        ## prevent brute force attacks (must enable in nginx.conf)
        limit_req zone=one burst=1 nodelay;
        ## re-include basic FCGI settings for PHP files
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        ## older nginx versions use: include fastcgi_params
        include fastcgi.conf;
    }

    Make sure to enable rate-limiting in nginx.conf though:

    ## rate limit access to any given file (recommended for login pages... server block rule required)
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
    limit_req_status 444;

    Full nginx.conf example below:

    https://www.littlebizzy.com/blog/nginx-configuration
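
A fuller version of the rate-limit setup from the reply above, added here as an example; it is not part of the original post or of the LittleBizzy configs linked above. It assumes a PHP-FPM socket at /run/php/php-fpm.sock, Cloudflare edge ranges given as placeholders (use Cloudflare's current published list), and an office address of 203.0.113.10 that should never be limited; adjust all three. It adds the two checks a practitioner wants before relying on this: restoring the real client address when Cloudflare sits in front (otherwise $binary_remote_addr is the Cloudflare edge node and the limit lands on Cloudflare rather than on the attacker), and exempting your own address by giving it an empty key, which limit_req_zone does not count. It also goes one step beyond the post by applying the same limit to xmlrpc.php, which accepts credentials as well. The real-IP part needs nginx built with ngx_http_realip_module (standard in distribution packages).

```nginx
# --- nginx.conf, inside the http { } block ---------------------------------

# When Cloudflare proxies the site, $remote_addr is a Cloudflare edge node.
# Restore the visitor's address from CF-Connecting-IP so the limit is keyed
# on the attacker, not on Cloudflare. The ranges below are placeholders
# (assumption): copy Cloudflare's current published IP list here.
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
real_ip_header   CF-Connecting-IP;

# Addresses that must never be limited (assumption: one office IP).
# geo yields 0 for them and 1 for everyone else.
geo $login_limited {
    default       1;
    203.0.113.10  0;
}

# limit_req_zone does not count requests whose key is empty,
# so exempt clients get "" and everyone else gets their address.
map $login_limited $login_limit_key {
    0 "";
    1 $binary_remote_addr;
}

# One bucket per client address: 1 request/second, 10 MB of state
# (about 160k addresses). Rejected requests get 444, which makes nginx
# close the connection without sending a response.
limit_req_zone $login_limit_key zone=login:10m rate=1r/s;
limit_req_status 444;

# --- server { } block for the site ------------------------------------------

# burst=1 nodelay: one request beyond the rate is served immediately,
# the next one inside the same second is rejected instead of queued.
location = /wp-login.php {
    limit_req zone=login burst=1 nodelay;

    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/run/php/php-fpm.sock;   # assumption: your PHP-FPM socket
    fastcgi_index index.php;
    include fastcgi.conf;
}

# xmlrpc.php also takes a username and password (and system.multicall
# lets one request carry many attempts), so it gets the same limit.
location = /xmlrpc.php {
    limit_req zone=login burst=1 nodelay;

    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/run/php/php-fpm.sock;   # assumption: same socket as above
    fastcgi_index index.php;
    include fastcgi.conf;
}
```

Check it with nginx -t before nginx -s reload, then fire three quick requests at /wp-login.php from a non-exempt address: the third should get an empty reply (444) and the error log should show a "limiting requests, excess: ..." line for that client. If the logged client address is a Cloudflare range rather than the address you sent from, the real-IP block is not being applied.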

  • The topic ‘Stop Bruteforce attacks / limit login attempts WITHOUT plugin’ is closed to new replies.