Prevent Brute Force Attack on WordPress & Drupal
Posted by Nick Fredrich, Last modified by Bill Williams on 21 December 2015 09:59 PM
Brute force attacks are one of the oldest and most common types of attack we still see on the Internet today. They are not complex and are, in theory, easy to stop and mitigate, yet they keep happening and keep succeeding, mostly because people choose weak passwords or have poor access control habits.
XML-RPC: The xmlrpc.php endpoint that both WordPress and Drupal expose is a common brute force target. Attackers send authentication attempts through it to guess the admin password and log in to your WordPress or Drupal site, bypassing the normal login form.
We recommend blocking all requests for xmlrpc.php in your .htaccess file, so that Apache rejects the request before it is even passed on to WordPress or Drupal. Paste the following into your .htaccess file (this is Apache 2.2 syntax; on Apache 2.4 it needs mod_access_compat, or use "Require all denied" instead of the Order/Deny lines):
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
    Order deny,allow
    Deny from all
</Files>
This is the simplest way to stop the attack, but it also disables any remote features of the CMS that rely on XML-RPC, such as the WordPress mobile apps and pingbacks. If you need those, you can explore more selective methods of achieving the same result, for example allowing only specific IP addresses through.
WP-LOGIN: There have now been several large-scale brute force attacks against WordPress wp-login.php, coming from a large number of compromised IP addresses spread across the world. A botnet of around 90,000 compromised servers has been attempting to break into WordPress websites by continually guessing usernames and passwords to get into the WordPress admin dashboard.
We recommend restricting wp-login.php in your .htaccess file as well, so that requests are rejected before they are even passed on to WordPress. Note that a plain "Deny from all" locks you out of the dashboard too, so add an Allow line for your own address (with "Order deny,allow", an Allow line overrides the Deny). Paste the following into your .htaccess file:
# Block WordPress wp-login.php requests from everyone except your own address
<Files wp-login.php>
    Order deny,allow
    Deny from all
    # 203.0.113.10 is a placeholder; replace it with your own public IP address
    Allow from 203.0.113.10
</Files>
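As an added example (this is not code from the original article), the following single .htaccess fragment combines both rules above, lets one administrator address through, and works on both Apache 2.2 and Apache 2.4 without depending on mod_access_compat. The address 203.0.113.10 is a placeholder from the RFC 5737 documentation range and must be replaced with your own public IP.

```apache
# Added example: block xmlrpc.php and wp-login.php for everyone except one
# administrator address, on Apache 2.2 and 2.4. 203.0.113.10 is a placeholder
# (RFC 5737 documentation range); replace it with your own public IP address.
<FilesMatch "^(xmlrpc|wp-login)\.php$">
    # Apache 2.4: mod_authz_core syntax. Everyone not listed gets a 403.
    <IfModule mod_authz_core.c>
        Require ip 203.0.113.10
    </IfModule>
    # Apache 2.2 (or 2.4 without mod_authz_core): legacy syntax.
    # With "Order deny,allow", the Allow line overrides the Deny.
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
        Allow from 203.0.113.10
    </IfModule>
</FilesMatch>
```

Because the 403 is returned by Apache before PHP starts, the bots stop consuming PHP workers and database connections, which is the main benefit over a login-limiting plugin. This approach suits sites where only a few people with known addresses log in; a site with many front-end users, or an administrator on a changing address, needs a different control such as rate limiting or two-factor authentication rather than an IP allowlist.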
The above are preliminary steps to secure your CMS. We recommend reading the links below for additional steps to secure your WordPress installation.