Preventing brute force WordPress login attacks


Over the last month or two we have seen an increase in WordPress brute force login attacks.

The symptom is typically higher CPU usage on your server, often resulting in slower page load times. Every POST to wp-login.php starts a PHP request and makes WordPress hash and compare the guessed password, which is slow by design, so it can be particularly painful on servers running PHP through FastCGI (as Plesk server setups do).

For a good summary of the issue see: http://codex.wordpress.org/Brute_Force_Attacks

If every account has a strong, unique password, the guessing itself is unlikely to succeed. WordPress core does not rate-limit login attempts, though, so each guess still costs a full PHP request plus a password hash check, and the CPU usage can be very high and drag down performance for real visitors.

You can check whether you are affected by taking a peek at your Apache access log. Look for long runs of requests like these; note the empty referer and user agent, and that the attacker gets a 200 because a failed login simply returns the login page again:

 176.34.106.158 - - [31/Mar/2014:22:47:13 +0000] "POST /wp-login.php HTTP/1.0" 200 3536 "-" "-"
 176.34.106.158 - - [31/Mar/2014:22:47:13 +0000] "POST /wp-login.php HTTP/1.0" 200 3536 "-" "-"
 176.34.106.158 - - [31/Mar/2014:22:47:13 +0000] "POST /wp-login.php HTTP/1.0" 200 3536 "-" "-"
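Rather than scanning the log by eye, the small shell helper below counts wp-login.php POSTs per client IP, flags clients over a threshold, and, once Basic Auth is in place, lets you confirm the same attempts are now being answered with 401 instead of 200. It is an example added for this article, not code from the original post or from WordPress; the log lines inside it are constructed for the demo, and it assumes the standard Apache common/combined log format.

```shell
#!/bin/sh
# Added example, not part of the original post. Counts wp-login.php POSTs
# per client IP in an Apache access log (common or combined format) so a
# brute force run stands out, and lets you check that a Basic Auth
# deployment is turning those POSTs into cheap 401s.

# Constructed sample log for the demo: two scripted attackers, one real
# user logging in (GET form, POST, 302 to wp-admin), then the first
# attacker again after Basic Auth was enabled, when Apache answers 401.
SAMPLE_LOG='176.34.106.158 - - [31/Mar/2014:22:47:13 +0000] "POST /wp-login.php HTTP/1.0" 200 3536 "-" "-"
176.34.106.158 - - [31/Mar/2014:22:47:13 +0000] "POST /wp-login.php HTTP/1.0" 200 3536 "-" "-"
176.34.106.158 - - [31/Mar/2014:22:47:14 +0000] "POST /wp-login.php HTTP/1.0" 200 3536 "-" "-"
203.0.113.7 - - [31/Mar/2014:22:47:15 +0000] "POST /wp-login.php HTTP/1.0" 200 3536 "-" "-"
203.0.113.7 - - [31/Mar/2014:22:47:16 +0000] "POST /wp-login.php HTTP/1.0" 200 3536 "-" "-"
198.51.100.20 - - [31/Mar/2014:22:48:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3536 "-" "Mozilla/5.0"
198.51.100.20 - - [31/Mar/2014:22:48:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.20 - - [31/Mar/2014:22:48:06 +0000] "GET /wp-admin/ HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
176.34.106.158 - - [31/Mar/2014:23:10:00 +0000] "POST /wp-login.php HTTP/1.0" 401 381 "-" "-"
176.34.106.158 - - [31/Mar/2014:23:10:00 +0000] "POST /wp-login.php HTTP/1.0" 401 381 "-" "-"'

# Print "count ip" for every client that POSTed to wp-login.php, busiest
# first. Optional $1 keeps only one HTTP status code (e.g. 401).
# Reads the access log on stdin. Whitespace fields of a log line:
#   $1 client ip, $6 "METHOD (with the opening quote), $7 path, $9 status
wp_login_posts_by_ip() {
    awk -v want="${1:-}" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php($|[?])/ &&
        (want == "" || $9 == want) { hits[$1]++ }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -rn
}

# Print the IPs that made at least $1 (default 10) POSTs to wp-login.php:
# a person mistypes a password a handful of times, a script tries hundreds.
flag_brute_force() {
    wp_login_posts_by_ip | awk -v t="${1:-10}" '$1 >= t { print $2 }'
}

# Demo on the constructed log. The first attacker made 5 POSTs in total:
# 3 answered by PHP (200) before the fix, 2 rejected by Apache (401).
printf '%s\n' "$SAMPLE_LOG" | flag_brute_force 3
printf '%s\n' "$SAMPLE_LOG" | wp_login_posts_by_ip 401
```

On a live server feed the vhost's access log in on stdin instead of the sample (`wp_login_posts_by_ip < /path/to/access_log`; the path depends on your Plesk version). Before the fix the attacker's lines carry a 200 from WordPress; after Basic Auth is deployed the same client shows up under `wp_login_posts_by_ip 401`, which is the cheap Apache rejection you want to see.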

One of the best ways to thwart the attack is to require HTTP Basic Auth before wp-login.php is served. Apache answers an unauthenticated request with a 401 itself, before PHP is ever started, so rejecting a guess costs almost nothing, and most simple attack scripts do not handle the challenge at all and move on. Even if you are not being attacked right at this moment, it is prudent to put Basic Auth in place now as a precaution. Two caveats: Basic Auth sends the username and password base64-encoded, not encrypted, so serve wp-login.php over HTTPS; and this protects only wp-login.php, so if you have xmlrpc.php enabled remember that it also accepts a WordPress username and password and is a separate target.

If you are running Plesk, create a Basic Auth login of, say, admin/password. The entry below is that pair; it is fine for testing, but before you rely on it pick a strong password that is not the same as any WordPress account's, since the WordPress password is exactly what the attacker is guessing. Add the entry to /var/www/vhosts/$yourdomain/.htpasswd:

admin:$apr1$0YVef3S.$L/hkQlbmx/yDfvI7uQzcs/

That path is outside httpdocs on purpose: the file holds password hashes and must never be reachable from a browser.

To create a different username and password, use the htpasswd utility that ships with Apache (package apache2-utils on Debian/Ubuntu, httpd-tools on RHEL/CentOS; its -c option creates the file, and without -c a user is appended to an existing one), or use http://www.htaccesstools.com/htpasswd-generator/ (bearing in mind that you are typing the password into a third-party site).

Then edit /var/www/vhosts/$yourdomain/httpdocs/.htaccess and add the following (Plesk's default vhost configuration permits these directives in .htaccess; on a hand-built Apache the directory needs AllowOverride AuthConfig):

 <FilesMatch "^wp-login\.php$">
 AuthName "Authorized Only"
 AuthType Basic
 AuthUserFile /var/www/vhosts/$yourdomain/.htpasswd
 Require valid-user
 </FilesMatch>

FilesMatch takes a regular expression against the file name only, so the anchored pattern matches exactly wp-login.php and nothing else. Once saved, a request for wp-login.php without credentials gets a 401 from Apache before PHP runs, and in the access log the attacker's POSTs change from 200 to 401. The rest of the site is unaffected: visitors who are not logged in still get the Basic Auth prompt only when they are sent to wp-login.php, and sessions that are already logged in keep working in wp-admin.