How To Protect Your WordPress Site from Brute Force Attacks


Brute force attacks on WordPress websites are becoming very common these days. You may or may not have heard about these kinds of attacks, but if you have a WordPress website, you need to protect your site against them. Why? Because if you don’t, they could easily bring down your site. We’ll explain how and why below, and give step-by-step instructions for protecting your site. We should know – it recently happened to us, and after putting these new security measures in place, we haven’t had any problems.

What is a Brute Force Attack?

A brute force attack is when a hacker uses a computer to automatically and repeatedly request the WordPress login page of a site, trying hundreds if not thousands of username and password combinations in an attempt to gain access to your site’s admin area. Since the default login page for all WordPress sites is /wp-login.php, and the default admin username is ‘admin’, the hackers already have a login URL and a valid username; all they need to do is figure out the password.

Hopefully you changed the default admin username from ‘admin’ to something else. That’s a good starting point. And make sure you have a strong password. If you have done both these things, the chances are good that your site will not be compromised. But the problem is that all these requests to your site can easily bring down the server from too much traffic, especially if you are on a shared hosting server (such as GoDaddy, Bluehost, Hostgator, etc). The only way to prevent this is by denying access to your default login page.
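The traffic problem described above shows up very clearly in the web server’s access log: one client making hundreds of POST requests to /wp-login.php in a short span. The script below is an added example (not code from the original post) that counts POST requests to the default login page per client IP and reports the ones over a threshold. The log lines are constructed for the example in the common “combined” log format, the IP addresses are from the documentation ranges, and the threshold of 20 is an assumption to tune for your site.

```php
<?php
// Added example, not part of the original post. Counts POST requests to the default
// WordPress login page per client IP, which is the traffic pattern that overloads a
// shared host during a brute force attack. Sample log lines are constructed below.

declare(strict_types=1);

/**
 * Parse one combined-format access log line. Returns null if the line does not match.
 * Fields: IP, ident, user, [timestamp], "METHOD PATH PROTOCOL", status, size, ...
 */
function parse_log_line(string $line): ?array
{
    $pattern = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)/';
    if (!preg_match($pattern, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        // Strip any query string so /wp-login.php?action=register still counts
        'path'   => parse_url($m[4], PHP_URL_PATH) ?: $m[4],
        'status' => (int) $m[5],
    ];
}

/**
 * Count POST requests to $loginPath per IP and return the IPs that made at least
 * $threshold of them, highest count first.
 */
function find_login_floods(array $lines, string $loginPath = '/wp-login.php', int $threshold = 20): array
{
    $counts = [];
    foreach ($lines as $line) {
        $req = parse_log_line($line);
        if ($req === null || $req['method'] !== 'POST' || $req['path'] !== $loginPath) {
            continue;
        }
        $counts[$req['ip']] = ($counts[$req['ip']] ?? 0) + 1;
    }
    $flagged = array_filter($counts, fn (int $n): bool => $n >= $threshold);
    arsort($flagged);
    return $flagged;
}

// Constructed sample: one client hammering wp-login.php, one normal visitor who logs in once.
$sample = [];
for ($i = 0; $i < 25; $i++) {
    $sample[] = sprintf(
        '203.0.113.10 - - [10/Apr/2013:12:%02d:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
        intdiv($i, 60),
        $i % 60
    );
}
$sample[] = '198.51.100.7 - - [10/Apr/2013:12:01:00 +0000] "GET /about/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"';
$sample[] = '198.51.100.7 - - [10/Apr/2013:12:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"';

foreach (find_login_floods($sample, '/wp-login.php', 20) as $ip => $n) {
    printf("%s made %d POST requests to /wp-login.php\n", $ip, $n);
}
```

Run it against a real log with something like `php count-logins.php < access.log` after swapping the constructed `$sample` array for `file('php://stdin')`. Note that every one of those requests, even the ones that fail the password check, is served by a full WordPress bootstrap, which is why a login lockdown plugin alone does not relieve the server.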


Solutions that DON’T work

There are a lot of WordPress plugins out there that claim to protect against brute force attacks. They blacklist IPs, lock out the login page after too many attempts, etc. These are all helpful and DO help in preventing hackers from accessing your admin area, but most of these plugins DO NOT protect against multiple requests to your login page, and so they cannot stop the traffic from bringing down your site. In order to completely solve the problem you have to remove the ability for public access to the default login page. Here are some other solutions you’ll find on the internet that don’t completely solve the problem:

  • Login Lockdown Plugins – lock down access after too many failed attempts. Still doesn’t solve the multiple requests issue.
  • Forwarding to a different login page – same problem. That’s fine if you want to make it /login instead of /wp-login.php, but requests to the old page will just forward to the new one.
  • Two-Factor Authentication – This is done by password-protecting wp-admin or wp-login.php using your .htaccess file, but it is a big nuisance for clients to have to log in twice to get into the admin. It will also end up breaking your site (see details below).
  • Rely on your hosting company to blacklist IPs – This works, but we’ve found it also locks out valid requests (i.e. if the site is used by a lot of people at the same company (same IP), they are all going to get locked out).

Why Two-Factor Authentication will BREAK your site

Almost all the articles we found online that talk about protecting against brute force attacks end up saying the best way to solve the issue is to set up a password (using .htaccess) to force the user to enter a password to even gain access to the login page. Doing this certainly does protect your site against brute force attacks, but guess what – it also breaks your site. This is because there is functionality built into the wp-login.php page that will not work if the page is not publicly accessible. Most importantly, this includes the “Forgot Password?” functionality!

The BEST way to protect your site

We have gone through all the various ways of protecting our clients’ sites against brute force attacks. The best way we have settled on is creating a custom login page and preventing access to the old one. This still allows everyone to log in with no problems. They won’t have to log in twice, and it prevents hackers from making any kind of request to the default login page. It’s very easy to do. As promised, here are the step-by-step instructions:

Step 1

In the root folder of your WordPress website, rename the file “wp-login.php” to “login.php”.

Step 2

Open the same file in a text editor. Replace “wp-login.php” anywhere you find it in the file with “login.php”.

Step 3

Edit the functions.php file in your theme folder, usually found at /wp-content/themes/active-theme/functions.php. (where “active-theme” is the name of your active theme.) If you don’t have one, you can create one. (make sure the file starts with

// Register URL fix: rewrite the default registration link in the "Register" link HTML
add_filter('register', 'fix_register_url');
function fix_register_url($link) {
    return str_replace('wp-login.php?action=register', 'login.php?action=register', $link);
}

// Login URL fix: point at the renamed file but keep the redirect_to parameter
// WordPress passes, so users still land on the page they asked for after logging in
add_filter('login_url', 'fix_login_url', 10, 2);
function fix_login_url($login_url, $redirect = '') {
    $login_url = site_url('login.php', 'login');
    if (!empty($redirect)) {
        $login_url = add_query_arg('redirect_to', urlencode($redirect), $login_url);
    }
    return $login_url;
}

// Forgot-password URL fix
add_filter('lostpassword_url', 'fix_lostpass_url');
function fix_lostpass_url($link) {
    return site_url('login.php?action=lostpassword', 'login');
}

// site_url hack: any login-scheme URL that still names wp-login.php is rewritten to
// login.php ('login' is the scheme used for links, 'login_post' for form actions)
add_filter('site_url', 'fix_urls', 10, 3);
function fix_urls($url, $path, $orig_scheme) {
    if ($orig_scheme !== 'login' && $orig_scheme !== 'login_post') {
        return $url;
    }
    return str_replace('wp-login.php', 'login.php', $url);
}

Step 4

That’s it! Now just make sure you go to www.yoursite.com/login.php instead of /wp-login.php to log in to your WordPress admin area.

Caveats / Other Notes

  • If you have any code in your theme or plugins that points to a login page, hopefully it is using the WordPress functions to retrieve these URLs; otherwise you’ll get an error when you click these links.
  • If you update WordPress it may put a new wp-login.php file in place in the root of your site, undoing all your hard work. You can simply remove it again OR (even better) set up a server-level password to lock down the wp-login.php file by using two-factor authentication. (Good instructions for this can be found here.)
  • If a hacker ever figures out the URL to your new login page, they could start brute force attacking that one. But it’s very unlikely. We still highly recommend having a login lockdown plugin installed (such as Simple Login Lockdown).
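For the second caveat, this is what the server-level lockdown looks like in the .htaccess file in the WordPress root, written here as an added example rather than taken from the original post or any linked instructions. It uses Apache 2.4 syntax; the password file path and realm name are placeholders to replace with your own, and the password file must live outside the web root.

```apache
# Added example (not from the original post). Apache 2.4 syntax, mod_auth_basic and
# mod_authz_core. Put it in the .htaccess in the WordPress root.

# The renamed login page stays public, so "Forgot Password?" and normal logins keep working.
<Files "login.php">
    Require all granted
</Files>

# The default login page is the one automated login attempts hit. Protecting it here
# means Apache answers the request before PHP and WordPress are ever loaded, so a flood
# of attempts is far cheaper to absorb than a 404 served by WordPress. This also covers
# the case where a core update recreates wp-login.php after you renamed it.
# Placeholder path below: point it at your real .htpasswd, outside the document root.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /PLACEHOLDER/path/outside/webroot/.htpasswd
    Require valid-user
</Files>

# If nobody needs the old file at all, deny it outright instead of the block above:
# <Files "wp-login.php">
#     Require all denied
# </Files>
```

The `Require valid-user` form is the “two-factor authentication” the post refers to: the browser password prompt appears only for the old URL, so clients using /login.php never see it. If you later confirm nothing links to the old file, the commented-out `Require all denied` variant is simpler and needs no password file.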

Comments?

We don’t claim to have the best solution – it’s simply the best solution that we are aware of.  See any mistakes in our code?  Have a better way to do it?  Please let us know! We’re always open to suggestions. Let us know in the comments below.

Need Help?

Are you at a loss?  Just can’t get it to work?  Too technical, or above your head?  We’d be happy to help. Contact us today!

13 thoughts on “How To Protect Your WordPress Site from Brute Force Attacks”

    1. I wasn’t able to log out until I added this to the functions.php file:

      //logout url fix: rewrite the logout link to the renamed file, keeping the action and nonce
      add_filter('logout_url', 'fix_logout_url');
      function fix_logout_url($link){
          return str_replace('wp-login.php', 'login.php', $link);
      }

    1. This was my thought too. But I would guess that spammers are hitting the login page directly rather than following a redirect. That is, until enough people change the login page and then they’ll change their tactics too!

  1. The code posted above won’t fix the log out function, to do that, I added this to functions.php:

    add_filter('logout_url', 'fix_logout_url');
    function fix_logout_url($link){
        //replace wp-login with login in the logout URL
        $logout_url = str_replace('wp-login', 'login', $link);
        return $logout_url;
    }

  2. Hmm, it seems like your site ate my first comment
    (it was extremely long) so I guess I’ll just sum up what I wrote and say, I’m thoroughly enjoying
    your blog. I as well am an aspiring blog blogger but I’m still new to everything.
    Do you have any recommendations for beginner blog writers?
    I’d certainly appreciate it.

  3. Hi there, the solution is quite good! I have one question: will it work with WordPress multisite?

  4. Hi,
    what about the wp-admin?
    any bot can access wp-admin and from there get to the sign-in page…
    which usually contains a link to the registration page…
    isn’t it smart to change the wp-admin as well?
    if so, how would one do that?

    1. daniel, this post is pretty outdated and we need to update it or write a new one. In the meantime, we highly recommend simply using the “iThemes Security” plugin for WordPress. It does all these things, including locking down the admin and using different admin & login URLs if you want to. Plus a lot more. These days, it’s what we’re using for all our clients.

      https://wordpress.org/plugins/better-wp-security/
