Prevent Brute Force Attack

I already used Limit Login Attempts wordpress plugin. Are there other ways to prevent brute force attacks?

I’m worried because I saw a lot of lockouts.

Solutions collected from the web for "Prevent Brute Force Attack"

Brute force attacks run with heavily automated scripts. These scripts focus on regular installations; most of them cannot handle changes to the normal login process (example).

You cannot stop requests to the login page, but you can change the way the login process works, so the script has to take your specific situation into account. Almost all scripts fail here.

An example:

On wpkrauts.com, I am running a custom plugin to log suspicious behavior. It has a built-in login tracker, and it can block IP addresses temporarily or permanently.


The plugin still has some UI issues, so I haven’t released it to the public. 🙂

On June 4, I installed another plugin that requires a clicked checkbox. The checkbox is inserted with JavaScript, and its name depends on the site:

    // Derive a per-site secret for the checkbox name: prefer the site's
    // LOGGED_IN_SALT from wp-config.php, fall back to this file's mtime.
    if ( defined( 'LOGGED_IN_SALT' ) )
        $salt = LOGGED_IN_SALT;
    else
        $salt = filemtime( __FILE__ );

    // The resulting field name differs on every host, so a generic
    // script cannot know which field it has to send.
    $this->unique = md5( $_SERVER[ 'HTTP_HOST' ] . $salt );

The first plugin hasn’t blocked a single IP since that day, because no script could parse the very simple JavaScript. The idea here is: even if the attacking script guesses the password correctly, it will never know.

Brute force attacks rely on standard installations. Change the standard, and the attack will probably fail.


A note about Limit Login Attempts: This plugin stores all logged IP addresses in a single option that has to be de/serialized. This list can be quite long after a while, including tens of thousands of addresses. I wouldn’t use that.
A more efficient way is looking up just this one IP address from a separate table.


Related: Increase of failed login attempts, brute force attacks?
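To make the checkbox idea from this answer concrete, here is a minimal WordPress plugin added as an illustration (example code written for this page, not the wpkrauts plugin). It reuses the answer's salt derivation and only the core `login_form` action and `wp_authenticate_user` filter; every `sslc_` name is an assumption.

```php
<?php
/*
Plugin Name: Site-specific login checkbox (added example)
*/
// Assumed names: everything prefixed sslc_ is hypothetical.

// Derive a field name unique to this site, as in the answer's snippet.
function sslc_field_name() {
    $salt = defined( 'LOGGED_IN_SALT' ) ? LOGGED_IN_SALT : filemtime( __FILE__ );
    return 'c' . md5( $_SERVER['HTTP_HOST'] . $salt ); // leading letter: valid name
}

// Insert the checkbox with JavaScript inside the login form. A script that
// POSTs straight to wp-login.php without executing JS never sends this field.
function sslc_print_checkbox() {
    $name  = sslc_field_name();
    $label = esc_js( __( 'I am a human', 'sslc' ) );
    echo <<<HTML
<script>
(function () {
    var form = document.getElementById('loginform');
    if (!form) { return; }
    var p = document.createElement('p');
    p.innerHTML = '<label><input type="checkbox" name="{$name}" value="1"> {$label}</label>';
    form.insertBefore(p, form.querySelector('p.submit'));
})();
</script>
HTML;
}
add_action( 'login_form', 'sslc_print_checkbox' );

// Reject a form login that lacks the ticked box. wp_authenticate_user fires
// before wp_check_password(), so the password is never evaluated and the
// response is identical whether the guess was right or wrong.
function sslc_require_checkbox( $user, $password ) {
    // Gate only the interactive form; XML-RPC and REST logins are untouched
    // here and need their own protection.
    if ( ! isset( $GLOBALS['pagenow'] ) || 'wp-login.php' !== $GLOBALS['pagenow'] ) {
        return $user;
    }
    if ( empty( $_POST[ sslc_field_name() ] ) ) {
        return new WP_Error( 'sslc_missing', __( 'Please tick the checkbox.', 'sslc' ) );
    }
    return $user;
}
add_filter( 'wp_authenticate_user', 'sslc_require_checkbox', 10, 2 );
```

Because the gate is limited to wp-login.php, app logins over XML-RPC (like the BlackBerry app mentioned further down) keep working, which also means that endpoint still needs its own rate limiting.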

There is also Duo Two-Factor Authentication; this requires you to connect to a third-party service, but it seems to work well for my personal blog. I tried it with the WordPress BlackBerry App and couldn’t get it to connect. But it may be a good option.

What is your concern with the lockouts? Are there particular features you’re looking for? I like Limit Logins for its simplicity.

However, Limit Logins doesn’t have a way to unlock a specific IP, which is a bummer. There are several similar plugins, but if you don’t mind the extra features (which are good for security anyway) I am pretty fond of WordFence (http://wordpress.org/plugins/wordfence/).

I particularly like its traffic-type throttling features, which help bad bots behave when they want to crawl your site. And of course, it has brute force protection as well as many other security features built in. Quite comprehensive.

Have you tried it?

I had an attack recently and limiting login attempts and blocking countries temporarily was all I needed. I think if I had repeated attempts that got pretty annoying, I’d do something more drastic like changing the login process. I wouldn’t want to make it more complicated to log in myself every time though.

I’ve heard about password protecting wp-login. Is that effective?

Here’s the experience I had with a brute force attack and how I used Wordfence and Cloudflare to manage it:
http://webeminence.com/brute-force-wordpress-login/

You should really prevent brute force attacks at the server/network level.

Since most people don’t have network access, some options:

1- If you don’t have server access or just want to use a 3rd party, Cloudflare will stop some brute force attacks, especially from bots trolling the net en masse.

2- You can password protect the login page using Apache’s .htpasswd file.

    <Files wp-login.php>
    # AuthUserFile needs an absolute path (Apache does not expand ~);
    # keep the file outside the web root.
    AuthUserFile /absolute/path/to/.htpasswd
    # Plain ASCII quotes; curly quotes break the directive.
    AuthName "Private access"
    AuthType Basic
    Require user mysecretuser
    </Files>

You can read more about configuring it here. You can also limit logins to 1 IP address using the .htaccess file.

3- You can configure your server’s firewall to read directly from failed attempts and block IPs with rules. This can be managed similar to Limit Login Attempts but is much faster and has many more features. Three options here, which can be combined (better):

  • IPTables
  • Fail2Ban
  • ModSecurity

There is a WP plugin that will write failed logins to Fail2Ban: http://wordpress.org/plugins/wp-fail2ban/

A post about how to setup Mod_Security for failed logins: http://blog.spiderlabs.com/2013/04/defending-wordpress-logins-from-brute-force-attacks.html

Also some brute force attacks should be handled by your host, you should ask them what measures they have in place and whatnot.