Securing WordPress from Brute Force Attacks (.htaccess method)

Massive brute force attacks against WordPress installations across virtually every web host in existence were reported in April 2013. According to media reports, a large botnet with more than 90,000 servers attempted to log in by cycling different usernames and passwords against the WordPress access points: /wp-login.php and /wp-admin. My websites and those of my customers are among those affected.

Today, it happened again against my server. While working on a couple of my sites this morning, performance suddenly dropped. After a few minutes, I was able to login to my Cpanel and saw the following site statistics:

I immediately contacted my host to find out why I was seeing nearly 100% CPU utilization and 100 Entry Processes. Within minutes I watched the CPU utilization drop to 20% and Entry Processes drop to zero. They emailed back and said my site was again the victim of a brute force attack and they added some code to my .htaccess file to prevent access to wp-login.php. In their email, they said,

To help keep these attackers out and to reduce the site's usage we blocked all access to the "wp-login.php" script through this code we added to your site's ".htaccess" file:

RewriteEngine On RewriteCond %{REQUEST_URI} ^/wp-login.php$ [NC] RewriteRule ^.*$ - [F,L]

1 2 3

RewriteEngine On RewriteCond %{REQUEST_URI} ^/wp-login.php$ [NC] RewriteRule ^.*$ - [F,L]

To allow yourself access to WordPress you can change that ".htaccess" rule to the following:

RewriteEngine On RewriteCond %{REMOTE_ADDR} !^135.135.135.246$ RewriteCond %{REQUEST_URI} ^/wp-login.php$ [NC] RewriteRule ^.*$ - [F,L]

1 2 3 4

RewriteEngine On RewriteCond %{REMOTE_ADDR} !^135.135.135.246$ RewriteCond %{REQUEST_URI} ^/wp-login.php$ [NC] RewriteRule ^.*$ - [F,L]

This is all well and good if I were the only user on my site. But I run a multisite instance of WordPress and have hundreds of users accessing protected content. They need to be able to use wp-login to access their materials. So here's a better way of securing WordPress against brute force attack-bots by denying access to no referrer requests by modifying your site's .htaccess file. This fix works against attack-bots only which are from where the majority of brute force attacks originate. This fix will not work against someone who accesses the pages from their browser and deliberately tries to hack your site.

When your readers leave a comment or login to your site, the wp-comments-post.php or wp-login.php file is accessed. These files do their thing, create the post or log a user into the system. When this happens, the user's browser sends a "referral" line about this. The referral line references your website and the files that were accessed.

When a spam-bot arrives, it hits these files directly and doesn't usually leave a referrer. As a result, you can direct the Apache server to detect this no referrer condition and reroute the spam-bot into cyberspace. By adding the code below to your .htacess file, you will accomplish four things:

1. Detect when a POST is being made
2. Check to see if the post is on wp-comments-post.php or wp-login.php
3. Check if the referrer is in your domain or if no referrer
4. Send the spam-bot BACK to its originating server's IP address.

The above code is for a single site installation. Change example.com to the name of your domain. If you run a multisite installation with mapped domains as I do, then you would use the following code: