Protecting WordPress wp-admin / wp-login.php areas against dictionary attacks and DDoS

For some time, large botnet installations have been attacking WordPress installations from many IPs, sometimes the number of attacking addresses was tens of thousands:

http://www.h-online.com/open/news/item/Large-botnet-attacks-WordPress-installations-worldwide-1841950.html

In theory, if you use a strong password, you should be safe – but there is one more reason to worry: these kinds of attacks can bring your server to a halt or make it very slow - since for every such request the server executes PHP code, connects and sends queries to the database and so on.

Is there any way to protect against it?


In our experience, we’ve seen quite a bit of similar attacks. There are at least to way to protect against them:

The drawback is that if some botnet decides to send thousands of queries to http://example.com/wp-login.php, it still goes through PHP and database processing and is likely to overloadload your server.

  • If you use pache - use a simple .htpasswd protection – this way, even if you’re loaded with queries to your login URLs, they won’t put much load on your server, since PHP won’t be interpreted. The code you have to add to your vhost config looks like below:

Note that it has to go to Apache configuration for a given vhost, and not .htaccess file.