Prevent wordpress Brute Force Attacks

[romanepo]

How to i secure wordpress brute force attack. /usr/bin/php /home/.............../public_html/index.php

I installed modsecurity but use default rules ,it not working properly.
How can i secure this type of attack.

 

[cPanelPeter]

Hello,

A simple Google search will show lots of different links to information guarding against these attacks.

Brute Force Attacks « WordPress Codex
WordPress › brute force « Tags « WordPress Plugins
WordPress › BruteProtect « WordPress Plugins
Protecting Against WordPress Brute-Force Attacks | Sucuri Blog
WordPress Login protection from brute force attacks :: WP How

 

[rackaid]

If you mean brute force attacks against usernames, one of the easiest methods is to use HTTP Auth on the login and /admin areas.

This is good if you have just a few authors/users. We've seen many problems prevented by blocking this type of attack. Also, limiting direct access to include areas helps as well.



Brute Force Attacks « WordPress Codex

 

[romanepo]

Attacker attack all wordpress site.I want central solution, .htaccess script can single wordpress site solution.Are you know any modsecurity rules or anything prevent all wortpress site for Brute Force Attacks.

 

[ChrisFirth]

I use this rule with mod sec:

SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:4900000
<Locationmatch "/wp-login.php">
        SecRule user:bf_block "@gt 0" "deny,status:401,log,severity:'2',id:4900001,msg:'Wordpress Brute Force: IP blocked for 5 minutes, more than 15 login attempts in 3 minutes'"
        SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
        SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
        SecRule ip:bf_counter "@gt 15" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</Locationmatch>

 

[quizknows]

That rule is very effective.

It can actually be condensed to one collection (initcol) instead of two, slightly more efficient resource wise:

SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:5000134
<Locationmatch "/wp-login.php">
SecRule ip:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
SecRule ip:bf_counter "@gt 10" "t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block=300,setvar:ip.bf_counter=0"
</locationmatch>

 

[Ryu27]

I have used BruteProtect and it has worked very well for me.

 

[HSN-Saman]

Install mod_security as a WAF and get COMODO rules on it , and also password protect the wp-admin .
Try keeping the Wordpress update for the last security vulnerabilities .

 

[rhenderson]

We have installed a plugin called Login Security Solutions as well to help and even with the Mod Security rule above, but in the end your best defense is in the wp-admin folder .htaccess file, now if we could just get all the website owners on board.

#AuthName "Admins Only"

# ALLOW USER BY IP
<Limit GET POST>
 order deny,allow
 deny from all
 allow from 1.2.3.4
 allow from 5.6.7.8
</Limit>

# PREVENT VIEWING OF .HTACCESS
<Files .htaccess>
 order allow,deny
 deny from all
</Files>

Of course change the above IP's to your own You can use 1.2.3.4/19 or whatever is appropriate for your IP blocks, with so many people with IP's even if we allow the entire ISP block for a provider it is better than letting the whole world have access to wp-admin.