A brute force attack tries different usernames and passwords repeatedly until one of them grants access; it targets the weakest link in any website's security. Because it hits the website over and over, performance drops: the server receives a large volume of HTTP requests and, as a result, can run out of memory. Brute force attacks hammer the wp-login.php file repeatedly, and the attacker stops only when the attack succeeds or the server crashes.
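The request pattern described above (many POSTs to wp-login.php from one host in a short window) is visible in the web server's access log. The following is an added example, not code from the original article: a small detector that parses Apache/Nginx "combined" log lines and flags any client whose failed-looking login POSTs exceed a threshold inside a sliding window. The log lines, the threshold and the window are constructed assumptions; the "status 200 on POST means the login form was re-rendered, i.e. a failed attempt, while 302 means a successful redirect" heuristic reflects default WordPress behaviour.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/Nginx "combined" access log format:
# ip - user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample log: one host hammering wp-login.php, one normal
# (successful, 302) login, one ordinary page view, and a lone late attempt.
SAMPLE_LOG = [
    '203.0.113.50 - - [10/Mar/2024:14:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"',
    '203.0.113.50 - - [10/Mar/2024:14:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Mar/2024:14:02:03 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 9812 "-" "Mozilla/5.0"',
    '203.0.113.50 - - [10/Mar/2024:14:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"',
    '203.0.113.50 - - [10/Mar/2024:14:02:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Mar/2024:14:02:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.50 - - [10/Mar/2024:14:02:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"',
    '203.0.113.50 - - [10/Mar/2024:14:02:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"',
    '203.0.113.50 - - [10/Mar/2024:15:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"',
]


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?")[0],  # drop any query string
        "status": int(m.group("status")),
    }


def _peak_in_window(times, window):
    """Largest number of events that fall inside any span of length `window` (times sorted)."""
    peak = left = 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        peak = max(peak, right - left + 1)
    return peak


def find_bruteforce(lines, threshold=5, window_seconds=60):
    """Map client IP -> peak failed-login POST count for clients at or above the threshold."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # A POST to wp-login.php answered with 200 is WordPress re-showing the
        # form (failed attempt); a successful login answers with a 302 redirect.
        if rec["method"] == "POST" and rec["path"] == "/wp-login.php" and rec["status"] == 200:
            failures[rec["ip"]].append(rec["time"])
    flagged = {}
    for ip, times in failures.items():
        peak = _peak_in_window(sorted(times), window)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed wp-login.php POSTs within 60s")
```

Run it over a real access log with `find_bruteforce(open("access.log"))` and tune the threshold to your site's normal login rate; the 200-vs-302 heuristic breaks if a plugin changes what a failed login returns, so verify it against your own logs first.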
Protect wp-login.php File
By default, WordPress provides the username 'admin'. This default is helpful to brute force attackers, since it hands them a known username to guess passwords against. You can protect the wp-login.php file by blocking people from accessing it. You can quickly and easily change the usernames of your WordPress users with the Change Username plugin.
Plugins that help protect the wp-login.php file:
- Admin Menu Editor
- WPS Hide Login
- WP Custom Admin Interface
- Change wp-admin login
- Loginizer
- Hide login page, Hide wp-admin – stop the attack on the login page
- Custom Dashboard & Login Page – AGCA
And many more
Limiting Login Attempts
Limit the number of login attempts made on the website by using one of these plugins:
- Limit Login Attempts Reloaded
- SiteGuard WP Plugin
- Protection Against DDoS
- IP Geo Block
- HTTP Auth
And many more
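What the plugins above enforce is a lockout policy: count failed logins per client inside a time window and refuse further attempts for a while once the count is exceeded. The following is an added example, not code from the article or from any of the plugins it lists, showing that policy as a self-contained Python class with an injectable clock. The limits (5 failures in 10 minutes, 20-minute lockout) and the choice of key are assumptions.

```python
import time
from collections import deque


class ManualClock:
    """Deterministic clock for demonstrations and tests (constructed helper)."""

    def __init__(self, start=1_000.0):
        self.now = start

    def __call__(self):
        return self.now


class LoginLimiter:
    """Sliding-window failed-login limiter with a temporary lockout."""

    def __init__(self, max_failures=5, window_seconds=600, lockout_seconds=1200, clock=time.time):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock
        self._failures = {}       # key -> deque of failure timestamps inside the window
        self._locked_until = {}   # key -> time at which the lockout ends

    def _recent_failures(self, key, now):
        """Drop failures older than the window and return the remaining ones."""
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def is_locked(self, key):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: forget it and the failures that caused it.
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def allow_attempt(self, key):
        """Call before checking credentials; False means reject without checking."""
        return not self.is_locked(key)

    def record_failure(self, key):
        """Register a failed login; return True if the key is now locked out."""
        now = self.clock()
        if self.is_locked(key):
            return True
        q = self._recent_failures(key, now)
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, key):
        """A genuine login clears the failure history for that key."""
        self._failures.pop(key, None)


if __name__ == "__main__":
    clock = ManualClock()
    limiter = LoginLimiter(max_failures=3, window_seconds=60, lockout_seconds=300, clock=clock)
    key = ("203.0.113.50", "admin")  # keyed on (client IP, username); constructed values
    for attempt in range(1, 5):
        if not limiter.allow_attempt(key):
            print(f"attempt {attempt}: rejected, client is locked out")
            continue
        locked = limiter.record_failure(key)
        print(f"attempt {attempt}: failed login, locked={locked}")
```

Keying on the client IP alone is what most of the listed plugins do; it stops a single host but not an attack spread across many addresses. Keying on the username alone lets an attacker lock the real administrator out on purpose, which is why the example keys on the pair.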
Good Password
Use a strong password, and consider one of the password plugins listed below. Password-protecting your wp-login.php file (and the wp-admin folder) at the web server adds an extra layer in front of WordPress. Passwords in the htpasswd file must be hashed with the crypt(3) function; you can use an online htpasswd generator to produce the hashed entry.
Some password plugins:
- Password Protected
- Passster – Password Protection
- PPWP – WordPress Password Protect Page Plugin
- Password Policy Manager | Password Manager
And many more
Protect Your Server
Sealing off wp-login.php or wp-admin produces 404 or 401 errors, so it becomes necessary to add ErrorDocument 401 default to the .htaccess file.
On IIS web servers, use the httpErrors element in your web.config and set errorMode="Custom":
<!-- Serve a static 401 page for the "access denied" substatus -->
<httpErrors errorMode="Custom">
    <error statusCode="401"
           subStatusCode="2"
           prefixLanguageFilePath=""
           path="401.htm"
           responseMode="File" />
</httpErrors>
IP Whitelist
You can restrict wp-login.php and the wp-admin/ folder to a fixed IP address and deny access to everyone else; the fixed address is granted access via an .htaccess or web.config file. This scenario is called an IP whitelist.
Create a plain text file called .htaccess and add:
# Block access to wp-login.php from everywhere except one address.
# Apache 2.2 syntax (needs mod_access_compat on Apache 2.4). With "order deny,allow"
# the Allow rule is evaluated last, so the listed address wins over "deny from all".
<Files wp-login.php>
order deny,allow
allow from 203.0.113.15
deny from all
</Files>
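The Order directive decides which of Allow and Deny wins for a host that matches both, and getting it backwards silently locks everyone out or lets everyone in. The following is an added example, not code from the article, that evaluates the Apache 2.2-style order/allow/deny rules above for a given client address so the file can be checked before it is deployed. It supports "all", single addresses, CIDR ranges and partial dotted prefixes; hostnames and the env= form are not handled. The second rule set, with the order reversed, is a constructed example of the common mistake.

```python
import ipaddress

# The article's own rule set: only 203.0.113.15 may reach wp-login.php.
PAGE_RULES = """\
<Files wp-login.php>
order deny,allow
allow from 203.0.113.15
deny from all
</Files>
"""

# Constructed mistake: same Allow/Deny lines, but Order reversed.
WRONG_ORDER = PAGE_RULES.replace("order deny,allow", "order allow,deny")


def _matches(pattern, ip):
    """Does one allow/deny host pattern match the address?"""
    pattern = pattern.lower()
    if pattern == "all":
        return True
    if "/" in pattern:
        return ip in ipaddress.ip_network(pattern, strict=False)
    try:
        return ip == ipaddress.ip_address(pattern)
    except ValueError:
        # A partial dotted address such as "203.0.113" is a leading-octet prefix.
        return str(ip).startswith(pattern.rstrip(".") + ".")


def parse_access_rules(config_text):
    """Return (order, allow_patterns, deny_patterns) from .htaccess-style text."""
    order = "deny,allow"  # Apache's default when Order is omitted
    allows, denies = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue  # comments and <Files>/</Files> container lines
        parts = line.split()
        directive = parts[0].lower()
        if directive == "order" and len(parts) == 2:
            order = parts[1].lower()
        elif directive in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            (allows if directive == "allow" else denies).extend(parts[2:])
    return order, allows, denies


def is_allowed(config_text, client_ip):
    """Apply Apache 2.2 Order semantics to decide whether client_ip gets through."""
    ip = ipaddress.ip_address(client_ip)
    order, allows, denies = parse_access_rules(config_text)
    allowed = any(_matches(p, ip) for p in allows)
    denied = any(_matches(p, ip) for p in denies)
    if order == "deny,allow":
        # Deny rules first, Allow rules last: default allow, and a matching Allow overrides Deny.
        return allowed or not denied
    if order == "allow,deny":
        # Allow rules first, Deny rules last: default deny, and a matching Deny overrides Allow.
        return allowed and not denied
    raise ValueError(f"unsupported Order value: {order}")


if __name__ == "__main__":
    for label, rules in (("page rules", PAGE_RULES), ("reversed order", WRONG_ORDER)):
        for client in ("203.0.113.15", "198.51.100.7"):
            print(f"{label}: {client} -> {'allowed' if is_allowed(rules, client) else 'denied'}")
```

With the reversed order the whitelisted address matches both lists and the Deny wins, so nobody can log in at all. On Apache 2.4 the native form is `Require ip 203.0.113.15` inside the `<Files>` block, which has no ordering trap.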
Blocklists
Most brute force attacks come from hosts in Russia, Kazakhstan, and Ukraine. You can block the IP addresses from which these attacks originate in those countries. Block lists are available on the internet for you to download.