Brute Force Protection for Wordpress Blog


Recently, brute force attack is occurring on WordPress installations around the world.
It is a well coordinated attack and it's currently hitting a large number of installs.

They are trying to gain access to WordPress logins by using easily guessable passwords.
If you password protected your WordPress using something from a dictionary such as
"p4ssw0rd" or "abc123" then your blog can be vulnerable. Once they gain accesss, they
upload malicious files to the directory which enables them to spam or collect personal information.

The symptoms of this attack are sluggish access to your WordPress site, or an inability to log in.
In some instances your site could even intermittently go down for short periods.

To mitigate this attack, you are advised to set a stronger password and add another
layer of protection by password protecting your wp-login.php

Here's the method on how to add the additional protection layer to your Wordpress blog:

 

Step 1: Create the Password File

Create a file named .wpadmin and place it in your home directory, where visitors can't access it.

cPanel home directory: /home/username/ (where "username" is the cPanel username for the account. - See more at: http://blog.canadianwebhosting.com/wordpress-brute-force-attack/#sthash.mooKYnQx.dpuf

EXAMPLE: /home/username/.wpadmin

cPanel/DirectAdmin home directory: /home/username/ (where 'username' is the cpanel/directadmin username of your account).
WebsitePanel home directory: /home/domain/ (where 'domain' is the domain name associated with your hosting account).

Open a new web browser and type http://www.htaccesstools.com/htpasswd-generator/ and enter your username and password.

http://www.htaccesstools.com/htpasswd-generator/ #sthash.mooKYnQx.dpufPut the username and encrypted password inside the .wpadmin file, using the format username:encryptedpassword

For example, my output is
apple:$apr1$gaulVKEm$smsg6EJU6LijtwycYsPry0

Save the .wpadmin file and upload it using FTP client or File Manager into /home/username.

 

Step 2: Update the .htaccess File

Under your publicly accessible directory, the last step is to place the following code in the /home/username/.htaccess file:

ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
<FilesMatch "wp-login.php">
AuthName "Authorized Only"
AuthType Basic
AuthUserFile /home/username/.wpadmin
require valid-user
</FilesMatch>
 
Note: replace "username" above with your cPanel username.
 
Open a new browser and type http://www.htaccesstools.com/htpasswd-generator/ and enter your username and password. - See more at: http://blog.canadianwebhosting.com/wordpress-brute-force-attack/#sthash.mooKYnQx.dpuf
Open a new browser and type http://www.htaccesstools.com/htpasswd-generator/ and enter your username and password. - See more at: http://blog.canadianwebhosting.com/wordpress-brute-force-attack/#sthash.mooKYnQx.dpuf
Plesk home directory: /var/www/vhosts or /var/www/vhosts/domain - See more at: http://blog.canadianwebhosting.com/wordpress-brute-force-attack/#sthash.mooKYnQx.dpuf
cPanel home directory: /home/username/ (where "username" is the cPanel username for the account. - See more at: http://blog.canadianwebhosting.com/wordpress-brute-force-attack/#sthash.mooKYnQx.dpuf
cPanel home directory: /home/username/ (where "username" is the cPanel username for the account. - See more at: http://blog.canadianwebhosting.com/wordpress-brute-force-attack/#sthash.mooKYnQx.dpuf
cPanel home directory: /home/username/ (where "username" is the cPanel username for the account. - See more at: http://blog.canadianwebhosting.com/wordpress-brute-force-attack/#sthash.mooKYnQx.dpuf

In the past week, a global distributed, brute force attack is occurring on WordPress installations around the world.
It is a well coordinated attack and it's currently hitting a large number of installs. They are trying to gain access to WordPress logins by using easily guessable passwords.
If you password protected your WordPress using something from a dictionary such as "password" or "123456" then your installation can be vulnerable. Once they gain accesss, they upload malicious files to the directory which enables them to spam or collect personal information.

We recommend logging into your admin panel and change the password to a stronger one as recommended by WordPress.

To mitigate this attack, we are putting extra security measures that will automatically ban the ip address for several 5 minutes after several failed login attemps.

The symptoms of this attack are sluggish access to your WordPress site, or an inability to log in. In some instances your site could even intermittently go down for short periods.

You can add another layer of protection by password protecting your wp-login.php file. That means the hackers will need to guess through two layers of authentication. To see this in action, check our admin login page by going to http://blog.canadianwebhosting.com/wp-login.php. There is now a popup prompt and if they pass the first layer, then they will need to guess the second one with thewp-login.php page.

To add this additional security, do the following:

- See more at: http://blog.canadianwebhosting.com/wordpress-brute-force-attack/#sthash.mooKYnQx.dpuf

In the past week, a global distributed, brute force attack is occurring on WordPress installations around the world.
It is a well coordinated attack and it's currently hitting a large number of installs. They are trying to gain access to WordPress logins by using easily guessable passwords.
If you password protected your WordPress using something from a dictionary such as "password" or "123456" then your installation can be vulnerable. Once they gain accesss, they upload malicious files to the directory which enables them to spam or collect personal information.

We recommend logging into your admin panel and change the password to a stronger one as recommended by WordPress.

To mitigate this attack, we are putting extra security measures that will automatically ban the ip address for several 5 minutes after several failed login attemps.

The symptoms of this attack are sluggish access to your WordPress site, or an inability to log in. In some instances your site could even intermittently go down for short periods.

You can add another layer of protection by password protecting your wp-login.php file. That means the hackers will need to guess through two layers of authentication. To see this in action, check our admin login page by going to http://blog.canadianwebhosting.com/wp-login.php. There is now a popup prompt and if they pass the first layer, then they will need to guess the second one with thewp-login.php page.

To add this additional security, do the following:

- See more at: http://blog.canadianwebhosting.com/wordpress-brute-force-attack/#sthash.mooKYnQx.dpuf