3 Ways to Prevent wp-login.php Brute Force Password Hacks

One of our virtual servers experienced a brute force password hack where a botnet of 1000s of compromised computers attempted to guess the admin|root password to gain access to our WordPress site.

Of course, if you are using WordPress.com as your blog, you don’t have to worry about it too much, since the hack is trying to break into the admin user name. Regardless, you should use a strong password in case they start using your user name, which is basically the same as the subdomain-name.wordpress.com.

There is no excuse for having breakable user names and passwords anymore, especially when you can use tools such as RoboForm or Evernote to remember that stuff for you.

Disable all access to wp-login.php

So if you happen to manage your own server, you can do something like this:

[Image: Apache conf command to prevent access to wp-login during brute force attacks]

This change goes in the Apache conf file for the site. Since 3doxies.com is no longer published using the WP platform, it is safe to block it this way.

But what if you still want to log in to WP?

Then you need to block everyone but your own IP address. To do that, modify your .htaccess file.

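# Terminate brute force attack traffic with 403 for-bot-gone
# mod_rewrite must be switched on for the conditions below to take effect
RewriteEngine On
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# Exempt the one allowed client address from the block
RewriteCond %{REMOTE_ADDR} !^aaa\.bbb\.ccc\.ddd$
RewriteRule ^(.*)$ - [R=403,L]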

Replace aaa.bbb.ccc.ddd with your IP address, keeping the backslash before each dot.

Change your user name to something other than admin or root

The easiest way to change your user name is to use phpMyAdmin or HeidiSQL. The table you want to modify is wp_users. Change “admin” in the user_login column to something else. I don’t believe you need to change the user_nicename to the same thing, but I did for consistency.

If you have a WP Multisite, change that too

After you change your admin user name, you will no longer be a super administrator on your multisite WordPress platform. To fix that, you need to change the “site_admins” meta_key in the wp_sitemeta table to the same thing. The data is a serialized PHP value containing something like { … s:5:“admin” … }. Change the “admin” to the new value and change the “5” to the number of characters in the new user name.
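Hand-editing the length prefix is easy to get wrong, and a mismatched prefix makes PHP fail to unserialize the value, so here is an added example (not part of the original post) that rebuilds the site_admins value for you. The function names are hypothetical and the sample value is constructed. It assumes the stored value is a PHP-serialized list of login strings shaped like a:1:{i:0;s:5:"admin";}, and it counts the s:N prefix in UTF-8 bytes, which is what PHP does and which equals the character count for plain ASCII names.

```python
import re

# Matches the head of one list element: i:<index>;s:<byte length>:"
_ELEMENT_HEAD = re.compile(rb'i:(\d+);s:(\d+):"')


def parse_site_admins(serialized: str) -> list[str]:
    """Decode a value shaped like a:1:{i:0;s:5:"admin";} into a list of logins."""
    data = serialized.encode("utf-8")
    head = re.match(rb"a:(\d+):\{", data)
    if not head or not data.endswith(b"}"):
        raise ValueError("not a serialized PHP array")
    count, pos, logins = int(head.group(1)), head.end(), []
    for _ in range(count):
        m = _ELEMENT_HEAD.match(data, pos)
        if not m:
            raise ValueError(f"unexpected element at byte {pos}")
        start, length = m.end(), int(m.group(2))
        end = start + length
        # The s:N prefix counts bytes, so slice by bytes and check the terminator.
        if data[end:end + 2] != b'";':
            raise ValueError(f"length prefix {length} is wrong at byte {start}")
        logins.append(data[start:end].decode("utf-8"))
        pos = end + 2
    if pos != len(data) - 1:
        raise ValueError("trailing data after last element")
    return logins


def dump_site_admins(logins: list[str]) -> str:
    """Re-encode the list, recomputing each s:N prefix from the UTF-8 byte length."""
    body = "".join(
        f'i:{i};s:{len(login.encode("utf-8"))}:"{login}";'
        for i, login in enumerate(logins)
    )
    return f"a:{len(logins)}:{{{body}}}"


def rename_site_admin(serialized: str, old: str, new: str) -> str:
    """Return the new meta_value with `old` replaced by `new`."""
    logins = parse_site_admins(serialized)
    if old not in logins:
        raise ValueError(f"{old!r} is not in site_admins")
    return dump_site_admins([new if login == old else login for login in logins])


if __name__ == "__main__":
    # Constructed sample value, not taken from a real database.
    print(rename_site_admin('a:1:{i:0;s:5:"admin";}', "admin", "siteowner"))
```

Paste the returned string into the meta_value column with the same tool you used for wp_users; the script itself never touches the database.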