How To Protect Your WordPress Site from Brute Force Attacks

Brute force attacks on WordPress websites are becoming very common these days. You may or may not have heard about these kinds of attacks, but if you have a WordPress website, you need to protect your site against them. Why? Because if you don’t, they could easily bring down your site. We’ll explain how and why below, and give step-by-step instructions for protecting your site. We should know – it recently happened to us, and after putting these new security measures in place, we haven’t had any problems.

What is a Brute Force Attack?

A brute force attack is when an attacker uses a computer to automatically and repeatedly request the WordPress login page for a site, trying hundreds if not thousands of username and password combinations in an attempt to gain access to your site’s admin area. Since the default login page for all WordPress sites is /wp-login.php, and the default admin username is ‘admin’, the attacker already has a login URL and a valid username; all that is left is to figure out the password.

Hopefully you changed the default admin username from ‘admin’ to something else. That’s a good starting point. And make sure you have a strong password. If you have done both these things, chances are good that your site will not be compromised. But the problem is that all these numerous requests to your site can easily bring down the server from too much traffic, especially if you are on a shared hosting server (such as GoDaddy, Bluehost, Hostgator, etc). The only way to prevent this is by denying access to your default login page.
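The traffic pattern described above is easy to spot in the web server’s access log. The following is an added example (not code from the original post) that counts requests for /wp-login.php per client IP and per minute in a combined-format log and flags clients over a threshold; the log lines are constructed sample data, and the IP addresses and threshold are assumptions.

```shell
#!/bin/sh
# Added example: flag client IPs that hammer /wp-login.php in an Apache/Nginx
# combined-format access log. Not code from the original post.

# Constructed sample log: one client repeatedly POSTing to wp-login.php,
# one ordinary visitor, and one client logging in normally (two requests).
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [10/Apr/2013:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3562
203.0.113.7 - - [10/Apr/2013:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3562
203.0.113.7 - - [10/Apr/2013:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3562
203.0.113.7 - - [10/Apr/2013:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3562
203.0.113.7 - - [10/Apr/2013:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3562
198.51.100.20 - - [10/Apr/2013:03:14:05 +0000] "GET /about/ HTTP/1.1" 200 8120
198.51.100.21 - - [10/Apr/2013:03:14:09 +0000] "GET /wp-login.php HTTP/1.1" 200 3562
198.51.100.21 - - [10/Apr/2013:03:14:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0
EOF

# detect_login_floods LOGFILE THRESHOLD
# Prints "ip day/Mon/year:HH:MM count" for every client that requested
# /wp-login.php at least THRESHOLD times within one minute. In the combined
# log format field 1 is the client IP, field 4 the "[timestamp" and field 7
# the request path; the path match also catches query strings.
detect_login_floods() {
  awk -v t="$2" '
    $7 ~ /^\/wp-login\.php/ { hits[$1 " " substr($4, 2, 17)]++ }
    END { for (k in hits) if (hits[k] >= t) print k, hits[k] }
  ' "$1" | sort
}

# count_login_hits LOGFILE -> total number of requests for /wp-login.php.
# Once the login page has been renamed, new traffic to this path is wasted
# attacker effort (the status field will show 404s) and should trend to zero.
count_login_hits() {
  awk '$7 ~ /^\/wp-login\.php/ { n++ } END { print n + 0 }' "$1"
}

detect_login_floods "$SAMPLE_LOG" 5
count_login_hits "$SAMPLE_LOG"
```

Run it against the real log with `detect_login_floods /var/log/apache2/access.log 50` (path and threshold are assumptions) to see which clients are generating the load.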

Solutions that DON’T work

There are a lot of WordPress plugins out there that claim to protect against brute force attacks. They blacklist IPs, lock out clients after too many attempts on the login page, and so on. These are all helpful and DO help in preventing attackers from accessing your admin area, but most of these plugins DO NOT stop the flood of requests to your login page itself, and so your site can still go down from too much traffic. In order to completely solve the problem you have to remove the ability for public access to the default login page. Here are some other solutions you’ll find on the internet that don’t completely solve the problem:

  • Login Lockdown Plugins – lock down access after too many failed attempts. Still doesn’t solve the multiple requests issue.
  • Forwarding to a different login page – same problem. That’s fine if you want to make it /login instead of /wp-login.php, but requests to the old page will just forward to the new one.
  • Two-Factor Authentication – This is done by password-protecting wp-admin or wp-login.php using your .htaccess file, but it is a big nuisance for clients to have to log in twice to get into the admin. It will also end up breaking your site (see details below).
  • Rely on the hosting company to blacklist IPs – This works, but we’ve found it also locks out valid requests (i.e. if the site is used by a lot of people at the same company, behind the same IP, they are all going to get locked out).

Why Two-Factor Authentication will BREAK your site

Almost all the articles we found online that talk about protecting against brute force attacks end up saying the best way to solve the issue is to set up a password (using .htaccess) so the user has to enter a password to even reach the login page. Doing this certainly does protect your site against brute force attacks, but guess what – it also breaks your site. This is because there is functionality built into the wp-login.php page that will not work if the page is not publicly accessible. Most importantly, this includes the “Forgot Password?” functionality!

The BEST way to protect your site

We have gone through all the various ways of protecting all our clients’ sites against brute force attacks. The best way we have settled on is creating a custom login page and preventing access to the old one. This still allows everyone to log in with no problems. They won’t have to log in twice, and it prevents attackers from making any kind of request to the default login page. It’s very easy to do. As promised, here are the step-by-step instructions:

Step 1

In the root folder of your WordPress website, rename the file “wp-login.php” to “login.php”.

Step 2

Open the same file in a text editor. Replace “wp-login.php” anywhere you find it in the file with “login.php”.

Step 3

Edit the functions.php file in your theme folder, usually found at /wp-content/themes/active-theme/functions.php (where “active-theme” is the name of your active theme). If you don’t have one, you can create one (make sure the file starts with

// Register link fix: the 'register' filter receives the whole <a> link markup,
// so swap the old wp-login.php registration path for the new login.php one.
add_filter('register', 'fix_register_url');
function fix_register_url($link) {
    return str_replace('wp-login.php?action=register', 'login.php?action=register', $link);
}

// Login URL fix: accept all three filter arguments so the redirect_to and
// reauth parameters WordPress passes are kept instead of being dropped.
add_filter('login_url', 'fix_login_url', 10, 3);
function fix_login_url($login_url, $redirect = '', $force_reauth = false) {
    $url = site_url('login.php', 'login');
    if (!empty($redirect)) {
        $url = add_query_arg('redirect_to', urlencode($redirect), $url);
    }
    if ($force_reauth) {
        $url = add_query_arg('reauth', '1', $url);
    }
    return $url;
}

// Forgot password URL fix.
add_filter('lostpassword_url', 'fix_lostpass_url');
function fix_lostpass_url($lostpassword_url) {
    return site_url('login.php?action=lostpassword', 'login');
}

// site_url() fix: wp_registration_url() builds its link from
// site_url('wp-login.php?action=register', 'login'), so rewrite that path
// here. Only URLs requested with the 'login' scheme are touched.
add_filter('site_url', 'fix_urls', 10, 3);
function fix_urls($url, $path, $orig_scheme) {
    if ($orig_scheme !== 'login') {
        return $url;
    }
    if ($path == 'wp-login.php?action=register') {
        return str_replace('wp-login.php', 'login.php', $url);
    }
    return $url;
}

Step 4

That’s it! Now just make sure you go to www.yoursite.com/login.php instead of /wp-login.php to log in to your WordPress admin area.

Caveats / Other Notes

  • If you have any code in your theme or plugins that points to a login page, hopefully it uses the WordPress functions to retrieve these URLs; otherwise you’ll get an error when you click those links.
  • If you update WordPress it may put a new wp-login.php file back in the root of your site, undoing all your hard work. You can simply remove it again OR (even better) set up a server-level password to lock down the wp-login.php file using two-factor authentication. (Good instructions for this can be found here.)
  • If an attacker ever figures out the URL to your new login page, they could start brute forcing that one. But it’s very unlikely. We still highly recommend having a login lockdown plugin installed (such as Simple Login Lockdown).

Comments?

We don’t claim to have the best solution – it’s simply the best solution that we are aware of. See any mistakes in our code? Have a better way to do it? Please let us know! We’re always open to suggestions. Let us know in the comments below.

Need Help?

Are you at a loss? Just can’t get it to work? Too technical, or above your head? We’d be happy to help. Contact us today!
