
How to Protect Your WordPress Login from Brute-Force Attacks – Simple Approach?

To log in to your WordPress blog's admin dashboard, wp-login.php is the file you visit. Many spammers and bots brute-force passwords against this file until they get one right. This not only puts your blog's security at risk, it also consumes your bandwidth.

You could check your access log and ban specific IPs; however, that is neither general nor effective when the attempts come from many distributed IPs, as in a DDoS. The following solution is simple yet effective. It works by hiding wp-login.php behind an extra lock that only you know.

The approach is to edit the WordPress functions.php (preferably the one in your child theme's folder) and add the following lines of PHP code:

function login_protection() {
    // Read the secret from the query string; a missing parameter counts as wrong.
    $secret = isset($_GET['secret']) ? $_GET['secret'] : '';
    if ($secret !== 'helloacm') {
        // Send the visitor to the home page and stop, so the login page never renders.
        header('Location: https://helloacm.com');
        exit;
    }
}
add_action('login_enqueue_scripts', 'login_protection');

Save the file. From then on, to log in to your dashboard you have to open the login page as:

/wp-login.php?secret=helloacm

Change the key and value pair to whatever you like. Visitors who fail to pass the secret value are redirected to the home page. To make it better, you might want to return a 404 Not Found error instead, which may confuse or mislead the attackers so that they abandon the brute-force attempts.

function login_protection() {
    // Read the secret from the query string; a missing parameter counts as wrong.
    $secret = isset($_GET['secret']) ? $_GET['secret'] : '';
    if ($secret !== 'helloacm') {
        // Answer with a plain 404 page and stop, as if wp-login.php did not exist.
        header($_SERVER['SERVER_PROTOCOL'] . ' 404 Not Found', true, 404);
        exit("<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<html><head>\r\n<title>404 Not Found</title>\r\n</head><body>\r\n<h1>Not Found</h1>\r\n<p>The requested URL " . $_SERVER['SCRIPT_NAME'] . " was not found on this server.</p>\r\n</body></html>");
    }
}
add_action('login_enqueue_scripts', 'login_protection');
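As an added example (not the post's own code), here is the same secret-parameter gate hardened: it hooks login_init, which runs at the top of wp-login.php before any output is sent and before wp_signon() checks credentials, compares the secret in constant time, and sets a short-lived cookie so the login form's POST, which does not carry the query string, still passes. The constant names, cookie name and secret value are placeholders chosen for this example.

```php
// Added example, not the original post's code. Constant names, the cookie
// name and the secret value are placeholders; use a long random secret.
define( 'LOGIN_GATE_SECRET', 'replace-with-a-long-random-string' );
define( 'LOGIN_GATE_COOKIE', 'login_gate' );

function login_gate_check() {
    // Password-protected posts submit to wp-login.php?action=postpass;
    // leave that path alone so ordinary visitors are not locked out.
    if ( isset( $_REQUEST['action'] ) && 'postpass' === $_REQUEST['action'] ) {
        return;
    }

    // The cookie carries a keyed hash, so a leaked cookie does not reveal the URL secret.
    $ticket = hash_hmac( 'sha256', LOGIN_GATE_SECRET, wp_salt( 'auth' ) );

    // First visit: ?secret=... must match exactly, compared in constant time.
    $supplied = ( isset( $_GET['secret'] ) && is_string( $_GET['secret'] ) ) ? $_GET['secret'] : '';
    if ( hash_equals( LOGIN_GATE_SECRET, $supplied ) ) {
        // Remember this browser for an hour so the form POST (which has no
        // query string) passes the gate as well.
        setcookie( LOGIN_GATE_COOKIE, $ticket, time() + HOUR_IN_SECONDS,
            COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
        return;
    }

    // Later requests: accept the cookie instead of the query string.
    $cookie = isset( $_COOKIE[ LOGIN_GATE_COOKIE ] ) ? (string) $_COOKIE[ LOGIN_GATE_COOKIE ] : '';
    if ( hash_equals( $ticket, $cookie ) ) {
        return;
    }

    // Everyone else gets a plain 404 before any credential is processed.
    status_header( 404 );
    nocache_headers();
    header( 'Content-Type: text/html; charset=utf-8' );
    exit( '<!DOCTYPE html><html><head><title>404 Not Found</title></head>'
        . '<body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>' );
}
// login_init fires before wp-login.php emits output or processes the posted credentials.
add_action( 'login_init', 'login_gate_check' );
```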

–EOF (The Ultimate Computing & Technology Blog) —
