WordPress Brute-Force Attacks

A post on Twitter today alerted me to the fact that my WordPress application was probably under brute-force attack.  A growing series of links told me reasons why it was happening, methods for understanding the degree of the problem and what to do about it.  Some of the answers were good but the majority were downright silly or didn’t apply to my situation: a Blog hosted on my own server that I have full control over.  So here’s my attempt to answer the above questions:

Why is my Blog under Brute-Force attack?
It’s on the Internet, the login page is exposed and there is no limit on the number of login attempts.  Simple as that.  This is the Internet and anything that exposed is going to get probed.

How bad is it?
Running the following command against an Apache access log gives a pretty good idea on how much your login page is being accessed (Brute-Forced).
awk '/wp-login\.php/ {print $1}' access.log | sort | uniq -c| sort -n

How should I prevent it?
A strong password is one obvious solution.  Although this doesn’t prevent the server load of thousands of bots trying millions of passphrases, it’s better than getting your site hacked to hell and back.

In my scenario, I’m rarely going to access the login from anywhere but my own home so I can lock it down to only allowing access to the login program from that IP address/subnet.  If I happen to be somewhere else then I can SSH to the server and briefly change the config.  Below is the subsection I added to my Apache 2.2 config file:
<Files "wp-login.php">
Order Deny,Allow
Deny from all
Allow from
ErrorDocument 403 "Not acceptable"

Where is my IP address (no it’s not really mine).

Leave a comment