WordPress Brute Force

WordPress is one of the largest content management systems around and is often the target of a plethora of attacks. Recently, WordPress brute force attacks have become more and more common. These attacks use a large number of automated login attempts to guess your username and password. Although there is no single method to prevent them, there are things you can do to protect your website.
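To see what such an attack looks like from the server side, here is an added example (not part of the original post) that scans Apache access log lines for repeated POSTs to wp-login.php from one IP within a short window, the signature of an automated guessing run. The log lines are constructed for the example, and the threshold and window values are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Apache "combined" log format: one host hammering
# wp-login.php with no referrer, one host logging in normally.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:44 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:48 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:52 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:56 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3011 "-" "python-requests/2.31"
198.51.100.4 - - [10/Oct/2023:14:10:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:14:12:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:14:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
"""

# Fields of the combined log format we need: client IP, timestamp,
# request line (method + path), status, referrer and user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Flag IPs with `threshold` or more POSTs to wp-login.php inside any
    `window`-long span. Returns {ip: {"attempts_in_window": n, "no_referer": m}}.
    Threshold and window are assumed values; tune them to your site."""
    posts = defaultdict(list)      # ip -> sorted list of POST timestamps
    no_referer = defaultdict(int)  # ip -> POSTs sent with an empty referrer
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            posts[rec["ip"]].append(rec["ts"])
            if rec["referer"] in ("", "-"):
                no_referer[rec["ip"]] += 1

    flagged = {}
    for ip, stamps in posts.items():
        stamps.sort()
        # Sliding window: widest run of attempts whose span fits in `window`.
        start, best = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = {"attempts_in_window": best, "no_referer": no_referer[ip]}
    return flagged


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['attempts_in_window']} login POSTs within 5 min, "
              f"{info['no_referer']} without a referrer")
```

Run it against your real access log by passing `open("/var/log/apache2/access.log")` instead of the sample lines; the referrer count shows how much of the noise the referrer-based .htaccess rule later in this post would have stopped.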

-Use a strong password of at least eight characters, containing upper and lower case letters, numbers, and special characters.
-Change the default WordPress admin username
-Ensure your WordPress installation is up to date
-Secure the WordPress dashboard
-Set up a security plugin (iThemes Security)

These steps should help prevent brute force attacks and keep your site secure. Ensuring the security and availability of your website is important when you have a web presence, and taking these small steps will improve your ability to do so. On Apache servers you can also secure your dashboard manually using your .htaccess file. For the IP method, replace the IP with your own address (fetchip.com) if you wish to restrict access to your dashboard by IP. The referrer method is non-intrusive and only stops bots: just change the domain (example.com) to your own, and be sure to keep the backslash before the period.

Block access to dashboard by IP:
<Files wp-login.php>
order deny,allow
Deny from all
# Replace YOUR_IP_ADDRESS with your own public IP; add one "allow from" line per address
allow from YOUR_IP_ADDRESS
</Files>

Block WordPress logins without referrer:
<IfModule mod_rewrite.c>
RewriteEngine on
# Replace example\.com with your own domain, keeping the backslash before the dot
# (if your site is served over HTTPS, use https?:// instead of http://)
RewriteCond %{HTTP_REFERER} !^http://(.*)?example\.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]
</IfModule>

iThemes Security Plugin:

Harden WordPress: