WordPress – Brute force attacks stopped with the wps-hide-login plugin
One of my WordPress sites came under a determined brute force password attack. The amount of traffic brought down the other sites on my shared hosting. I added the IP Geoblock and WPS Hide Login plugins. I also tweaked the settings for Wordfence. The number of brute force attacks dropped dramatically.
Wordfence reported over 6000 attacks for the month but only 4 total attacks for the last week. In other words, the number of attacks dropped to a mere fraction of the initial volume.
When I became aware of the attacks, I took the following actions.
- Added IP Geoblock and only allowed the US and Canada to access the site. Wordfence has a Geo IP block in its paid version, but the sites are not bringing in enough revenue yet to justify the expense.
- Block IPs via cPanel. As an alternative to blocking a whole country, you can block a range of IP addresses.
- Configured Wordfence to be a lot more aggressive with blocking.
- Wordfence can lock IPs out when they use certain IDs or after a certain number of failed logins. In other words, hackers will try an ID of admin and some obvious passwords. The first trick is not to use admin as the ID of the administrative user.
- Lower the threshold for failed attempts. Wordfence has a pretty tolerant initial setting. Lower that threshold to be more aggressive in blocking. Yes, that can lock out a clumsy legitimate user, but it is a good trade-off.
- Block users who attempt to log in with certain IDs – block anyone who tries to log in as admin, sitenameadmin or sitename.
- Add a plugin such as WPS Hide Login. That will allow you to change the login URL from /wp-admin to whatever you want. The reality is that if the hackers can’t see it, they can’t attack it. It’s like a Klingon cloaking device for your login page. (Too bad you can’t fire disruptors and photon torpedoes at the hackers.)
- This could be an issue if you have a lot of registered users. My sites don’t depend on registered users.
- Changing the login URL will affect some plugins, and sometimes admin links in your site, but I’ve found that to be a minor inconvenience.
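The failed-login threshold and the hidden-login-page checks above can also be run against the web server's own access log. The script below is an added example, not from the original post or from Wordfence; it works on constructed Apache/Nginx combined-format log lines (documentation-range IPs) and assumes WordPress returns the login form (HTTP 200) on a failed password and a redirect (HTTP 302) on success.

```shell
#!/bin/sh
# Added example: spot brute-force login sources in an access log.
# The log lines below are constructed; IPs are documentation ranges.
LOGFILE=$(mktemp)
cat > "$LOGFILE" <<'EOF'
203.0.113.10 - - [01/Dec/2019:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "python-requests/2.22"
203.0.113.10 - - [01/Dec/2019:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "python-requests/2.22"
203.0.113.10 - - [01/Dec/2019:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "python-requests/2.22"
203.0.113.10 - - [01/Dec/2019:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "python-requests/2.22"
203.0.113.10 - - [01/Dec/2019:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "python-requests/2.22"
203.0.113.10 - - [01/Dec/2019:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "python-requests/2.22"
198.51.100.7 - - [01/Dec/2019:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Dec/2019:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [01/Dec/2019:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"
192.0.2.5 - - [01/Dec/2019:10:02:10 +0000] "GET / HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
EOF

# Usage: failed_login_sources LOG LIMIT
# Prints "count ip" for each IP whose failed POSTs to wp-login.php reach LIMIT.
# A 200 response means the login form came back (failed password); a 302 means
# WordPress accepted the password, so only 200s count as failures. This is the
# same signal a lowered Wordfence failed-attempt threshold acts on.
failed_login_sources() {
  awk -v limit="$2" '
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { n[$1]++ }
    END { for (ip in n) if (n[ip] >= limit) print n[ip], ip }' "$1" | sort -rn
}

# Usage: old_login_path_hits LOG
# Once WPS Hide Login has moved the login page, no legitimate visitor should
# touch /wp-login.php at all, so every IP that still does is a blocking candidate.
old_login_path_hits() {
  awk '$7 ~ /^\/wp-login\.php/ { print $1 }' "$1" | sort -u
}

failed_login_sources "$LOGFILE" 5
old_login_path_hits "$LOGFILE"
```

The clumsy legitimate user (198.51.100.7, one failure then a successful 302) stays under a threshold of 5, while the scripted source (203.0.113.10) is listed.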
Changing the URL of your login page will definitely cut brute force hacking attempts on your site. As you can see from the Wordfence report below, brute force attacks almost disappeared.
Update December 2019 – I removed IP Geo Block. It did a great job, but other tweaks such as improvements in Wordfence have kept the foreign attackers at bay.