{"id":1496,"date":"2014-03-25T09:36:29","date_gmt":"2014-03-25T09:36:29","guid":{"rendered":"http:\/\/www.milesweb.com\/hosting-faqs\/?p=1496"},"modified":"2022-04-26T16:38:12","modified_gmt":"2022-04-26T11:08:12","slug":"protect-wordpress-brute-force-dos-attacks","status":"publish","type":"post","link":"https:\/\/www.milesweb.in\/hosting-faqs\/protect-wordpress-brute-force-dos-attacks\/","title":{"rendered":"How To Protect WordPress Against Brute Force & DoS Attacks?"},"content":{"rendered":"

\"WordPress,<\/p>\n

Web hosting companies all around the world are experiencing a substantial increase in the number of WordPress brute force login attempts.<\/p>\n

Five important tips for blocking brute force attacks on WordPress are mentioned below:<\/b><\/em><\/p>\n

Why provide the bots with a username?<\/b><\/p>\n

Get rid of the \u2018admin\u2019 and \u2018administrator\u2019 user names from your WordPress installations.<\/p>\n

Plugins are your best friends!<\/b><\/p>\n

Use the following plugins for better security:<\/i><\/p>\n

Captcha : <\/b>No setup is required. This plugin is important for blocking the password guessing attempts.<\/p>\n

Better WP Security : <\/b>Some amount of setup is required. This plugin is essential for proactive security.<\/p>\n

Rename wp-login.php Plugin Or Lockdown WP-Admin : <\/b>Some setup procedure is required. It changes the login location and blocks the common login attempts. A better WP security provides with the same feature.<\/p>\n

Botnet Attack Blocker : <\/b>While transferring your wp-login.php is not an option anymore, this plugin keeps a check over the additional IP connections and blocks them in real-time.<\/p>\n

BruteProtect : <\/b>This plugin is an alternative to the Botnet Attack Blocker plugin. This plugin monitors the connections, saves the fake IP connections to the database of bad addresses and then blocks the respective IP addresses on your website. Although the WordPress hosting<\/a><\/strong> platform might also perform this task, it is important to have this plugin on board. This is a crowd sourced plugin, therefore if the IPs accessing your website are not present in the BruteProtect database; this plugin might not create an immediate effect in blocking the bad connections.<\/p>\n

Use Pass-Phrases Instead Of The Strong Passwords : <\/b>Plan on three or four words like websitedomain.password.thekeyphrase; this would need less memorization on your part and no bot will be able to figure out the 30 character password.<\/p>\n

Disable \u2018post\u2019 Access To wp-login.php : <\/b>In order to do this, you will have to add the following text to the top portion of your .htaccess file:<\/p>\n

<ifmodule mod_rewrite.c><\/p>\n

RewriteEngine on<\/p>\n

RewriteCond %{REQUEST_METHOD} POST<\/p>\n

RewriteCond %{HTTP_REFERER} !^http:\/\/(.*)?hackguard\\.com [NC]<\/p>\n

RewriteCond %{REQUEST_URI} ^(.*)?wp-login\\.php(.*)$ [OR]<\/p>\n

RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$<\/p>\n

RewriteRule ^(.*)$ – [F]<\/p>\n

<\/IfModule><\/p>\n

All you have to do is replace \u2018hackguard\u2019 with your domain name and save the file. Make sure that you leave the \u2018\\\u2019 in the right place before completing your \u2018.com\/net\/etc.\u2019 This text makes sure that no access is provided to the bots from posting against the default WordPress login script.<\/p>\n

If The Option Mentioned Above Does Not Work For You, Then Try This : Rename The wp-login.php File : <\/b>Rename the file to something like \u2013 wp-login456.php and then place a blank wp-login.php file in its place.<\/p>\n

Once that is done edit this – \/wp-includes\/general-template.php<\/p>\n

After that, replace all the wp-login.php text files with the new login file name. This modification prevents the bots from getting access of your login page; thereby reducing the MySQL loading of your server.<\/p>\n

Also check: How to Safeguard Your Website from Hacks and Attacks<\/a><\/strong><\/p>\n

Nothing Is Working For You? Then Try This\u2026<\/b><\/p>\n

If you are the sole administrator and the changes to your IP address do not occur frequently, then try restricting the access to your login page only for yourself. Add the following code to the .htaccess file:<\/p>\n

<IfModule mod_rewrite.c><\/p>\n

RewriteEngine on<\/p>\n

RewriteCond %{REQUEST_URI} ^(.*)?wp-login\\.php(.*)$ [OR]<\/p>\n

RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$<\/p>\n

RewriteCond %{REMOTE_ADDR} !^0\\.0\\.0\\.0$<\/p>\n

RewriteRule ^(.*)$ – [R=403,L]<\/p>\n

<\/IfModule><\/p>\n

Configuration Guidelines :<\/b><\/p>\n