Protecting WordPress wp-admin / wp-login.php areas against dictionary attacks and DDoS

From lxadm | Linux administration tips, tutorials, HOWTOs and articles

For some time, large botnets have been attacking WordPress installations from many IPs; sometimes the number of attacking addresses has been in the tens of thousands:

http://www.h-online.com/open/news/item/Large-botnet-attacks-WordPress-installations-worldwide-1841950.html

In theory, if you use a strong password, you should be safe. But there is one more reason to worry: such attacks can bring your server to a halt or make it very slow, since for every such request the server executes PHP code, connects to the database, sends queries, and so on.

Is there any way to protect against it?


In our experience, we have seen quite a few similar attacks. There are at least two ways to protect against them:

The drawback is that if some botnet decides to send thousands of requests to http://example.com/wp-login.php, each one still goes through PHP and database processing and is likely to overload your server.

  • If you use Apache, use simple .htpasswd protection. This way, even if you are flooded with requests to your login URLs, they will not put much load on your server, since PHP is never invoked for unauthenticated requests. The code you have to add to your vhost config looks like this:
<LocationMatch "/wp-admin|/wp-login\.php">
    # Credentials file, e.g. created with htpasswd(1)
    AuthUserFile /srv/www/auth/.htpasswd
    AuthName "Password protected"
    AuthType Basic

    # Applies to GET (and therefore HEAD) and POST, the methods the login form uses
    <Limit GET POST>
        # Order/Allow/Deny are Apache 2.2 access-control directives (mod_access_compat in 2.4):
        # allow the listed addresses, deny everyone else
        Order deny,allow
        Allow from 127.0.0.1 10.0.0.0/24
        Deny from all
        # A user from the .htpasswd file is also accepted
        Require valid-user
        # "Any": either an allowed source address OR valid credentials gets through
        Satisfy Any
    </Limit>
</LocationMatch>

Note that this has to go into the Apache configuration for the given vhost, not into an .htaccess file, since <LocationMatch> is not permitted in .htaccess.
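As an added example that is not part of the original article, the following Python script parses Apache access-log lines and reports the minutes in which many distinct addresses hit wp-login.php or wp-admin, the distributed pattern described above. It also tallies the status codes served, so that once the .htpasswd gate is in place you can confirm the botnet is being answered with 401 before PHP runs. The log lines are constructed (documentation IP ranges) and the thresholds are illustrative choices of mine.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache "combined" log line; only the fields needed here are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# The same URLs the article's LocationMatch gates.
LOGIN_PATH = re.compile(r'^/(wp-login\.php|wp-admin(/|$))')

# Constructed sample log: one real user at 10:15, a distributed burst at 10:16 still answered
# by PHP (200/302), and another at 10:17 once the Apache gate answers with 401 before PHP runs.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2013:10:15:32 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:15:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.1 - - [12/Apr/2013:10:16:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "-"
198.51.100.2 - - [12/Apr/2013:10:16:01 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "-"
198.51.100.3 - - [12/Apr/2013:10:16:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "-"
198.51.100.4 - - [12/Apr/2013:10:17:10 +0000] "POST /wp-login.php HTTP/1.1" 401 381 "-" "-"
198.51.100.5 - - [12/Apr/2013:10:17:10 +0000] "POST /wp-login.php HTTP/1.1" 401 381 "-" "-"
198.51.100.6 - - [12/Apr/2013:10:17:11 +0000] "POST /wp-login.php HTTP/1.1" 401 381 "-" "-"
"""

def parse_line(line):
    """Return ip, minute bucket, path and status for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "minute": ts.strftime("%Y-%m-%d %H:%M"),
            "path": m.group("path"), "status": int(m.group("status"))}

def login_attempts_per_minute(lines):
    """Per minute: hits on the login URLs, the distinct source IPs, and the status codes served."""
    per_minute = defaultdict(lambda: {"hits": 0, "ips": set(), "status": Counter()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not LOGIN_PATH.match(rec["path"]):
            continue  # unparsable, or not a login/admin URL
        bucket = per_minute[rec["minute"]]
        bucket["hits"] += 1
        bucket["ips"].add(rec["ip"])
        bucket["status"][rec["status"]] += 1
    return per_minute

def distributed_attack_minutes(per_minute, min_hits=3, min_ips=3):
    """Minutes in which many distinct IPs hit the login URLs. A per-IP blocker misses this
    pattern, which is why the article moves the check into Apache. Thresholds are illustrative."""
    return sorted(m for m, b in per_minute.items() if b["hits"] >= min_hits and len(b["ips"]) >= min_ips)
```

Feed it `sys.stdin` or an opened access log in place of `SAMPLE_LOG.splitlines()`; a healthy minute shows a handful of hits from one or two addresses, while the burst minutes show many addresses and, after the gate is in place, nothing but 401s.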