WordPress, as we know, is one of the most popular content management systems around, which is why it is such a common target for attacks. Recently we came across a very robust DDoS attack targeting the login page of WordPress sites hosted on our network and on other well-known web hosting providers.
We take security and continuity of service very seriously and we're very proactive in everything we do. We've added a few new security rules to our existing rule set to protect against this new type of attack. Since implementing the new rules, we've seen an increase in protection against these types of attacks.
While we've done what we can to ensure maximum security for your websites, there are a few more things you can do to help protect yourself from these types of attacks:
#1. Make sure WordPress is Up to Date!
This is a no-brainer. Update your WordPress installation. You'll be surprised at how many installations are out of date. You're automatically vulnerable when you aren't running the latest code. Here's a video on how to update your WordPress installation:
#2. Block Access to the WP-Login.php page
You can edit your existing .htaccess file and add the following lines:
# Only the listed address may reach the login page (Order/Deny/Allow syntax;
# on Apache 2.4 these directives need mod_access_compat)
<FilesMatch "^wp-login\.php$">
Order Deny,Allow
Deny from all
Allow from xxx.xxx.xxx.xxx
</FilesMatch>
Replace xxx.xxx.xxx.xxx with your WAN IP address, which you can find by typing "What's my IP address" into Google. See the image below for an example:
Note: Some ISPs assign dynamic IP addresses, so you may be unable to log into WP-Admin if your IP address changes. If that happens, you will still be able to edit the .htaccess file through your cPanel's file manager, FTP or SSH. If your ISP changes your IP address often, this may not be the right choice for you.
#3. Enable CloudFlare
CloudFlare announced that it has pushed out a rule set that now filters brute-force attacks on the wp-login.php / wp-admin pages. CloudFlare is free and can be easily enabled on your GreenGeeks hosting account. To enable CloudFlare on your GreenGeeks account, take a look at 4 reasons why you should be using CloudFlare.
Our VPS customers who use WordPress can be affected as well. Please contact our team and we’ll let you know how you can prevent this from occurring on your sites.
GreenGeeks offers some of the best WordPress hosting services in the industry, with servers optimized specifically for WordPress. We're also always evolving to make sure that our customers experience the best web hosting, period.
I like all of what I read except the suggestion in #2 to limit access from all IP addresses other than a specific IP… some people like myself have internet providers that change the IP address when we reset the cable modem (non-static or pseudo-static address). So… if someone who doesn't know better follows your instructions, they may later be unable to log in to their WordPress! Otherwise this is full of great suggestions.
Totally true. However it’s a suggestion nevertheless. We’ll make an update to the suggestion.
I had problems getting it to work correctly, so I used this instead:
Order Deny,Allow
Deny from all
Allow from xxx.xxx.xxx.xxx
I had big problems with brute-force attacks on our web page. My web provider blocked our page because we were 900% over the processor usage limits. I used the plugin Limit Login Attempts and it looks like it works! I understand that it is also a good option if I have a dynamic IP address.
I was not able to get the Apache directive to work. Instead I used:
Order Allow,Deny
Allow from xxx.xxx.xxx.xxx
When you use Allow,Deny and you match both the Allow and the Deny, the default is to Deny, which didn't work.
Does anyone notice that when accessing your admin page in Chrome, the AuthName value doesn't appear in the popup? It should say "WordPress attack protection CAPTCHA. Enter username…" to give you a hint as to what this is about, but instead it just says to enter your username and password.
I would also like to alert users who decide to use the Google Chrome browser that even if you correctly input the user/password that works in Microsoft Edge/IE11, you will still receive the error "Unauthorized" when you try to log in using WordPress attack protection CAPTCHA.
I would also like to submit that I’ve run into this problem using that method of protection. This is an error that needs to be corrected.
@Sunil: Thank you for mentioning the bug in Chrome. I wasted a lot of time trying to figure out where the captcha username/password was.
I used your second method. Now my IP address is going to change in a few days. Do I need to remove the code from .htaccess?
@Sunil Gupta. Yes, I am having the exact same problem. I was able to access the dashboard for our sites using Safari, but this is an issue for us as well.