How To Avoid Login Page Brute Force Attack

On December 23, 2013, in Other Online Technology, by James Liu

My website is getting extremely slow in this week, so I have spent several days to find out the problems and make some performance tuning in my Amazon EC2 server which hosts my WordPress website. My Amazon EC2 server’s CPU usage keeps reaching 100% but there is not too much traffics.

After checking my Apache log file, I have found lots of POST request to my wp-login.php page, which is the login page of wordpress. All the requests are direct request and look very suspicious. I guess my website is always down because of the continues login attempts, which cause CPU usage to 100%.

Avoid wp-login.php Login Page Being Called Directly

This malicious login attempt is called wp-login.php brute force attack. It will lead to our website becoming unavailable due to the large amount of processing power used to try every login attempt. Sometimes, the attackers will increase the attempt duration, for example 30s between each login attempt. In this way, he can silently try your username and password without any symptom.

There are several ways to avoid this attack. The idea is only allowing POST request from your host. Here I will show you two ways to protect your sites from brute force attack.

Ignore Directly Post Request to Login Page
The most easy way to solve this attack is changing wp-login.php. When we detect the incoming request is direct request with POST data, we ignore it. Add following code in the beginning of wp-login.php file:

/** for security reason, direct POST is not allowed **/
if (empty($_SERVER["HTTP_REFERER"]) && count($_POST)) {

Adding Access Rules in .htaccess File
We can add rewritecond rules to detect all incoming request. When we find the request is a POST request, and sending to wp-login.php file which is not sent from our own website, we make this request forbidden. Let’s see the source code:

RewriteCond %{HTTP_REFERER} !^http://(.*)?youwebsite\.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]

I think this kind of login brute force attack is very common. WordPress has a hundreds of thousands installation base. I don’t know how share host companies handle this problem, but in my Amazon EC2 host, it affect my website performance a lot.


Leave a Reply

Free WordPress Theme

Premium WordPress Themes