How do I prevent bruteforce attacks against my Wordpress Website?


How do I prevent bruteforce attacks against my Wordpress Website?

A common attack vector on WordPress website is to continually access (bruteforce) the wp-login.php file over and over until the attackers get in or the server dies. You can follow the steps below to help protect yourself from this kind of attack.

Please note that the information in this guide is provided as a suggestion, and we can't provide detailed support for modifications to a Content Management System. If you require assistance with this, we'd recommend speaking to your website developer to ensure relevance and compatibility with your site.

Step 1 - Always use a strong password and do not make your password public. Things to avoid when choosing a password:
  • Any permutation of your own real name, username, company name, or the name of your website.
  • Any dictionary words, no matter the language.
  • A short password (less then 12 characters).
  • Any numeric-only or alphabetic-only password (a mixture of both is good, using special characters in addition is best).

Step 2 - You can use the enforce strong password plugin to force users to set strong passwords. It can be installed using the following steps:
  • Automatic installation:
    • Log in to your WordPress admin panel.
    • Navigate to the Plugins menu and click on Add New.
    • In the search field type "Woo Commerce enforce strong password" and click Search Plugins.
    • Click Install Now.
  • Manual installation:
    • The manual installation method involves downloading the plugin and uploading it to your web server via your favourite FTP application.
    • Download the plugin file to your computer and then unzip it.
    • Using an FTP program, or your hosting control panel, upload the unzipped plugin folder to your WordPress installation's "wp-content/plugins/" directory.
    • Activate the plugin from the Plugins menu within the WordPress admin.

Step 3 - Limit Access to wp-admin by IP
  • If you are the only person who needs to log into your Admin area and you have a static IP address, you can deny the wp-admin access to everyone except for yourself via the .htaccess file.
  • Create a file called .htaccess in a plain text editor and add the code shown below to it: this will block access to the wp-admin folder:

    order deny,allow
    allow from x.x.x.x
    deny from all
  • Replace x.x.x.x with your own public IP address which you can get using
  • Be aware that your public IP address may change if your ISP uses dynamic IP addresses. If this happens, you will need to access the .htaccess file and update the allowed IP before you can access your wp-admin page again.

Step 4 - Deny Access to No Referrer Requests
  • Whenever your readers comment, the wp-comments-post.php file is accessed from the page containing the post they commented on, and the post gets created. The user's browser will send a "referral" line about this.
  • When a spam-bot comes in, it hits the file directly and usually does not leave a referrer. This allows for some nifty detection and action directly from the server. If you are not familiar with the Apache directives, then write the following in your document root directory's .htaccess file:

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
    RewriteCond %{HTTP_REFERER} !.** [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]

  • Note 1: In the 4th line, replace with your own website name without the www or any prefix.
  • Note 2: There is a slim chance that someone's browser will not send the referral, but this is extremely rare.
  • This code will take the following steps:
    • Detect when a POST is being made.
    • Check to see if the post is on wp-comments-post.php.
    • Check if the referrer is in your domain or if no referrer.
    • Send the spam-bot BACK to its originating server's IP address.

Step 5 - Install the all in one WP Security plugin.

Step 6 - If the issue still persists, set up CloudFlare or Sucuri Cloud Proxy. These can also help mitigate the attacks by blocking the IPs before they reach your server. We are unfortunately not able to provide any assistance for the functionality of CloudFlare as it is a 3rd party application. We'd recommend speaking to your developer if unsure.

For more tutorials on website development and Wordpress troubleshooting, view our List of Wordpress Guides.

Did you find this article useful?  

Related Articles

© Crucial