Created on Tuesday, 08 April 2014 19:23
Dear Customers,
Over the past few weeks, our system administrators have detected an unusually high amount of traffic towards WordPress login pages such as http://www.yoursite.com/wp-admin.
They analyzed the traffic and found that it is due to a massive global brute-force attack against WordPress sites.
Unlike hacks that exploit vulnerabilities in software, brute-force attacks aim to gain access to a site in the simplest possible way: by trying many username and password combinations in a row until the site is broken into. This makes passwords like '123456' and usernames like 'admin' the most vulnerable to brute-force attacks.
The traffic-consuming nature of these attacks may lead to excessive use of your server's memory and may cause serious performance problems for your sites and applications. This is because the number of HTTP requests (i.e. the number of times someone visits your site) is so high that the server runs out of memory.
This sort of attack is not specific to WordPress. However, the application's popularity makes it a frequent target for brute-force abusers.
Here are a few very simple tricks to protect your WordPress site:
- Limit the access to the wp-admin directory by IP address
- If you are the only person who needs to log into your admin area and you have a static IP address, you can deny access to the wp-admin folder to everyone but yourself via an .htaccess file.
- Create a file called .htaccess in the wp-admin folder using a plain text editor, or edit the existing one (if any), and add:

# Block access to wp-admin.
order deny,allow
allow from x.x.x.x
deny from all

- Here x.x.x.x is your IP address. To whitelist several addresses, add one allow from x.x.x.x line per address.
- Limit the access to the wp-login.php file by IP address
- You can also limit the access to your wp-login.php file inside your wp-admin/ area via an .htaccess file.
- Create a file called .htaccess in the /wp-admin folder, or edit the existing one (if any), and add:

<Files wp-login.php>
# Applies to wp-login.php in the directory holding this .htaccess.
# deny,allow: Deny is applied first and Allow overrides it, so only x.x.x.x gets through.
Order deny,allow
Allow from x.x.x.x
Deny from all
</Files>

- Here x.x.x.x is your IP address. To whitelist several addresses, add one Allow from x.x.x.x line per address.
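As an added example (not part of the original notice, and not Apache's own code), the following Python evaluator applies Apache 2.2 Order/Allow/Deny semantics to the two kinds of stanza above, using 203.0.113.10 in place of x.x.x.x. It shows that with Order deny,allow only the whitelisted address gets through, while Order allow,deny combined with Deny from all rejects every client, the whitelisted one included.

```python
import ipaddress
# Constructed placeholder for the notice's x.x.x.x (RFC 5737 documentation range).
ADMIN_IP = "203.0.113.10"
# The wp-admin stanza from the notice, with the placeholder filled in.
WP_ADMIN_HTACCESS = f"""
# Block access to wp-admin.
order deny,allow
allow from {ADMIN_IP}
deny from all
"""
# Same intent with the Order keyword reversed: a common mistake.
WP_LOGIN_WRONG_ORDER = f"""
<Files wp-login.php>
Order allow,deny
Allow from {ADMIN_IP}
Deny from all
</Files>
"""

def parse_access_rules(config):
    """Collect Order/Allow/Deny directives (Apache 2.2 mod_authz_host syntax)."""
    order, allow, deny = None, [], []
    for line in config.splitlines():
        parts = line.split("#", 1)[0].split()        # strip comments, tokenize
        if len(parts) < 2 or parts[0].lower() not in ("order", "allow", "deny"):
            continue                                 # blanks, <Files> tags, others
        keyword = parts[0].lower()
        args = [a for a in parts[1:] if a.lower() != "from"]
        if keyword == "order":
            order = args[0].lower()
        else:
            (allow if keyword == "allow" else deny).extend(args)
    return order, allow, deny

def matches(client, pattern):
    """True if client matches 'all', a single host address or a CIDR block."""
    if pattern.lower() == "all":
        return True
    return ipaddress.ip_address(client) in ipaddress.ip_network(pattern, strict=False)

def is_allowed(config, client):
    """Apache 2.2 Order semantics: the directive named second overrides the first."""
    order, allow, deny = parse_access_rules(config)
    allowed = any(matches(client, p) for p in allow)
    denied = any(matches(client, p) for p in deny)
    if order == "deny,allow":   # Deny first, Allow overrides; unmatched -> allowed
        return allowed or not denied
    if order == "allow,deny":   # Allow first, Deny overrides; unmatched -> denied
        return allowed and not denied
    raise ValueError(f"unsupported Order directive: {order!r}")
```

Apache 2.4 still honours these directives through mod_access_compat, and the keyword order matters in exactly the same way there.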
- Update your robots.txt file
- Add the following lines to your robots.txt file, or create a file named robots.txt with this content:

User-agent: *
Disallow: /wp-admin
Disallow: /wp-login.php
Disallow: /administrator

- This tells search engines not to index these URLs. Brute-force attackers build their lists of such URLs (searching for intitle:"Log In" and inurl:wp-login) mainly with the help of the major search engines.
- This method is more of a long-term measure, as it takes a few months for the search engines to update their index, but it should make brute-force attempts disappear for good.
- Protecting yourself from spam comments
- On another note, if you are receiving a large amount of spam comments on your WordPress site, you can deactivate the comment option by doing the following:
- Go to yoursite.com/wp-admin/options-discussion.php
- Uncheck 'Allow people to post comments on new articles'
- You will also need to turn off comments on each existing post, since this setting only affects new posts
- If you still want people to be able to comment, you might consider having them register first. In that case, check the box 'Users must be registered and logged in to comment' instead.
Kind Regards,
Web Hosting team