Protecting WordPress wp-admin / wp-login.php areas against dictionary attacks and DDoS
For some time, large botnets have been attacking WordPress installations from many IPs, with the number of attacking addresses sometimes reaching tens of thousands.
In theory, if you use a strong password, you should be safe, but there is one more reason to worry: attacks like these can bring your server to a halt or make it very slow, since for every such request the server executes PHP code, connects to the database, runs queries, and so on.
Is there any way to protect against it?
In our experience, we have seen quite a few similar attacks. There are at least two ways to protect against them:
- Use a dedicated WordPress plugin, like this one: http://wordpress.org/plugins/lockdown-wp-admin/. The plugin lets you change the login URL (i.e. instead of http://example.com/wp-login.php, you would be using http://example.com/privatelogin).
The drawback is that if a botnet decides to send thousands of requests to http://example.com/wp-login.php, each one still goes through PHP and database processing and is likely to overload your server.
- If you use Apache, use simple .htpasswd (HTTP Basic authentication) protection. This way, even if you are flooded with requests to your login URLs, they will not put much load on your server, since PHP will not be executed for them. The configuration you have to add to your vhost looks like this:
<LocationMatch "/wp-admin|/wp-login\.php">
    AuthUserFile /srv/www/auth/.htpasswd
    AuthName "Password protected"
    AuthType Basic
    <Limit GET POST>
        order deny,allow
        allow from 127.0.0.1 10.0.0.0/24
        deny from all
        Require valid-user
        satisfy any
    </Limit>
</LocationMatch>
Note that this has to go into the Apache configuration for the given vhost, not into an .htaccess file.
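As an added example that is not part of the original post: the same protection written for Apache 2.4, where the Order/Allow/Deny/Satisfy directives above only work if mod_access_compat is loaded. The .htpasswd path and the trusted addresses are placeholders carried over from the snippet above; the block also drops the <Limit GET POST> wrapper (which enforces the rule only for the listed request methods) and re-opens admin-ajax.php, which many themes and plugins call for logged-out visitors.

```apacheconf
# Apache 2.4 equivalent of the vhost snippet above (added example, not from the post).
# Goes into the vhost's <VirtualHost> block, not into .htaccess.
# Assumptions: the password file lives at /srv/www/auth/.htpasswd (create a user with
# "htpasswd -c /srv/www/auth/.htpasswd admin"); 127.0.0.1 and 10.0.0.0/24 are the
# trusted networks that may skip the password prompt.
<LocationMatch "^/(wp-admin|wp-login\.php)">
    AuthType Basic
    AuthName "Password protected"
    AuthUserFile /srv/www/auth/.htpasswd
    # No <Limit GET POST> here: <Limit> would apply the restriction only to the
    # listed methods; without it the rule covers every request method.
    <RequireAny>
        # Either the client comes from a trusted address ...
        Require ip 127.0.0.1 10.0.0.0/24
        # ... or it presents valid Basic-auth credentials.
        Require valid-user
    </RequireAny>
</LocationMatch>

# admin-ajax.php is used by front-end AJAX for logged-out visitors, so it is
# opened up again. Later <Location*> sections override earlier ones, so this
# block must come after the one above.
<LocationMatch "^/wp-admin/admin-ajax\.php$">
    Require all granted
</LocationMatch>
```

After reloading Apache, an unauthenticated request to /wp-login.php from outside the trusted networks should get a 401 response before any PHP runs.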