WordPress Plugins and Themes

Login Brute Force Protection

13 Replies

  1. Hi all,

    Does anyone track your site’s login attempts?
    How many do you get?
    I get tons every single day, trying to guess usernames and passwords.

    Of course, on good hosting there’s usually some firewall mechanism to track excessive processes/activity and a system to ban IPs. But it’s still a concern on wp sites.

    And the attacks are still there.
    You can use the longest passwords, two-factor auth, etc.
    But if the attacks still occur, you still lose server resources(?)

    If you use hosting that calculates your cost by page view, this is bad, right? Anyone using WP Engine?
    (Note: I’m not using WP Engine.)

    And banning IP addresses: using Login LockDown or a similar plugin is only a temporary solution(?). They seem to have unlimited IPs.

    What’s your solution for this?

    Thank you.

    Note: edited for clarity.

  2. David Chandra

    Thank you Sami,
    I’ll try the plugin. Currently I use https://wordpress.org/plugins/login-security-solution/

    Yesterday I created a custom protection for wp-login.php.
    I tested it on my site http://shellcreeper.com and it seems to be working fine.

    Try to log in to my site:
    http://shellcreeper.com/blog/wp-login.php

    Usually I get several login attempts every couple of hours.
    So far (around 24 hours) no login attempts.

    Well, because I practically disabled it.

    It’s still unpolished,
    and currently only suitable for a one-man site (not for membership sites).
    I will soon implement it on my other sites.

    Here’s the walkthrough of the code;
    maybe it can give someone inspiration.

    1. Create a “hidden” login template

    – create a custom URL var, something like http://site.com?mykey=myvalue
    – if this URL is used, load a custom template; this replaces “wp-login.php”.

    2. Disable the wp-login.php login action.

    wp-login.php is used as the central place for login, logout, password reset, etc.
    Even if you create a login form using wp_login_form(), it simply submits to wp-login.php and wp-login.php does the action.

    It’s tricky, because what we want is to disable the login functionality in wp-login.php
    and not the other functionality.
    We also whitelist the action from our “hidden” login form, so all login functionality needs to be done via the “hidden login”.

    3. In the “hidden login template”:

    Create a simple login form using wp_login_form() but add a custom/additional nonce.
    This nonce will be whitelisted in wp-login.php, so only this form will work for login.

    4. Unnecessary complexity.

    Well, as always, I create more to play around, so I also created a “failed login template” for visitors who try to log in via wp-login.php.
    This is unnecessary; we can always just redirect them to the home page or somewhere else.
    I also changed the login logo 🙂

    Well, that’s pretty much it.

    And here’s my “hidden login” page: http://shellcreeper.com/?logme=in
    >> Check my footer navigation menu.
    (Maybe I’ll change the URL in several days.)

    Several issues:

    1. The login pop-up in the admin when the session expires (not tested yet, unknown result).

    2. What if I add the “hidden login” URL to the navigation menu? This will be an interesting test.
    I currently add it in the footer navigation.
    Can these machines find this (not so) hidden login link?

    Other protection I built for my site:

    > Login notification:
    so every time a user logs in I will get an email.
    There are several plugins to do this, but it’s simple functionality, so I just wrote some quick code.

    It’s inspired by my hosting/server. It always sends me an email every time I log in as the root user, with data such as the IP address etc.

    I think it’s a cool protection. Very useful.

    Plugin idea:
    create this plugin with a user option, so they can check/select from their profile page to send them an email every time they log in to the site.
    I think I’ll even force this option for my managed clients.

  3. Justin Tadlock

    This is by no means a great solution, but it’s one that can be part of your toolset: https://wordpress.org/plugins/custom-login-url/

    Basically, it changes your login URL to something of your choosing. Sometimes, it’ll work against bots trying to get in. Sometimes, it won’t. It’s probably no more useful than changing the “admin” username, but can stop some scripts.

  4. David Chandra

    Actually that plugin is very different.
    That plugin’s purpose is to change the login URL using a rewrite rule.
    So if we visit the login URL it will be redirected(?) to the custom URL.
    So it’s not to hide the login but to simply change the URL.

    What I built is to disable it.
    I think it’s a completely different purpose.

    More like security through obscurity?
    The same security as not sharing our password 🙂

  5. Justin Tadlock

    Does it redirect? If so, that’s not helpful. I was thinking it or another plugin like it didn’t redirect. But, yeah, “security through obscurity”.

  6. marty

    Actually I don’t think it redirects.
    Here’s another one I’ve used but I think it does the same thing.
    https://github.com/iseulde/rename-wp-login
    From their readme:

    It doesn’t literally rename or change files in core, nor does it add rewrite rules. It simply intercepts page requests and works on any WordPress website. The wp-admin directory and wp-login.php page become inaccessible, so you should bookmark or remember the url.

    It could help. I think a lot of these bots look for /wp-login or /wp-admin.

    Also, I use WP Engine and to my knowledge they just pre-install the Limit Login Attempts plugin in the MU folder https://wordpress.org/plugins/limit-login-attempts/

  7. David Chandra

    @justin: thank you for the plugin link btw.

    @justin + @marty:
    I think it redirects the regular login to the new URL:
    https://wordpress.org/support/topic/error-404-page-not-found-after-install

    But I’m not sure about it either.

    @marty:
    The Rename wp-login plugin is currently unmaintained 🙂
    But it’s still tagged as 4.1 compatible.
    It’s actually interesting to see two completely different methods to accomplish exactly the same thing 🙂

    Actually the plugin I currently use for login limiting:

    Login Security Solution

    It’s a fork of the Limit Login Attempts plugin with multisite compat.

    The only thing I don’t like is that the plugin forces users to use a minimum of 10 characters for their password. I understand that this functionality is related to the main plugin functionality, but I think it’s a little out of scope.

  9. David Chandra

    One of the issues is for membership sites,
    where we are not the only person using the login mechanism on the site.

    It’s almost a day after I added the login link to the site footer, and I got zero login attempts.
    So it’s probably safe to say that most attacks are simply targeted at wp-login.php and wp-admin (since it redirects to wp-login.php).

    So I think just creating a custom URL can reduce most (mass targeted) brute force attacks.
    And probably adding this “hidden” URL to the site publicly will not invite attacks.

    However, I still think I can improve the system,
    so I created a dynamic “temporary” login URL.

    So I think on my sites, for the public login link, it’s best to use this “temp” login link
    (to add this link in the navigation or sidebars).

    I think we can just use the “temp” login URL for all login purposes,
    but the problem is we cannot bookmark it, because it’s dynamic,

    so I think I’ll keep the “hidden” login URL feature,
    and if we need to bookmark, we can use the “hidden” login URL.

    Here’s the result:
    http://shellcreeper.com/?logme=request_url

    Using a nonce will make the URL only valid for around 24 hours(?).
    It can be filtered with a shorter expiry time if needed, but I think I’ll leave it as is.

    I also added the link to the “request temp” URL in the “failed” login page.
    http://shellcreeper.com/?logme=fail

    And another bit of info: the pop-up login box in the admin when the session expires is called “interim login”.
    Simple to solve: add it to the whitelist, and it’s working fine.
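
A minimal mu-plugin version of the scheme David walks through in posts 2 and 9 (hidden template, nonce-gated wp-login.php, temporary URL, interim login, login notification), written here as an added example and not the code running on shellcreeper.com; the query var `logme`, the key `in`, the nonce actions `logme_form`/`logme_temp` and the `?logme=fail` page are assumed names. It goes one step beyond the posts by injecting the same nonce into wp-login.php's own form, so the interim popup is gated by the nonce instead of being whitelisted unconditionally.

```php
<?php
// Hidden Login Gate: added example, not the code on shellcreeper.com. Names are assumed.
add_filter( 'query_vars', function ( $vars ) { $vars[] = 'logme'; return $vars; } );
// Step 1 and post 9: ?logme=in (bookmarkable) or ?logme=<temp nonce> (expires with
// the nonce) render wp_login_form(); any other value, e.g. ?logme=fail, gets the fail page.
add_action( 'template_redirect', function () {
    $key = get_query_var( 'logme' );
    if ( '' === $key ) {
        return;
    }
    get_header();
    if ( 'in' === $key || wp_verify_nonce( $key, 'logme_temp' ) ) {
        wp_login_form( array( 'redirect' => admin_url() ) );
    } else {
        $temp = add_query_arg( 'logme', wp_create_nonce( 'logme_temp' ), home_url( '/' ) );
        printf( '<p>Login is disabled here. <a href="%s">Request a temporary login link</a></p>', esc_url( $temp ) );
    }
    get_footer();
    exit;
} );
// Step 3: the extra nonce goes into the hidden form (wp_login_form) and into wp-login.php's
// own form, which only the session-expired "interim login" popup may still render.
add_filter( 'login_form_middle', function ( $html ) {
    return $html . wp_nonce_field( 'logme_form', 'logme_nonce', true, false );
} );
add_action( 'login_form', function () { wp_nonce_field( 'logme_form', 'logme_nonce' ); } );
// Step 2: wp-login.php keeps logout, lostpassword, resetpass etc.; its login action is
// served only to the interim popup (GET) and to POSTs carrying the nonce.
add_action( 'login_init', function () {
    $action = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] : 'login';
    if ( 'login' !== $action ) {
        return;
    }
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] && ! empty( $_REQUEST['interim-login'] ) ) {
        return;
    }
    $nonce = isset( $_POST['logme_nonce'] ) ? $_POST['logme_nonce'] : '';
    if ( 'POST' === $_SERVER['REQUEST_METHOD'] && wp_verify_nonce( $nonce, 'logme_form' ) ) {
        return;
    }
    wp_safe_redirect( home_url( '/?logme=fail' ) );
    exit;
} );
// Login notification: one email per successful login, with the client IP (post 2).
add_action( 'wp_login', function ( $user_login ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    wp_mail( get_option( 'admin_email' ), sprintf( '[%s] login: %s', get_bloginfo( 'name' ), $user_login ),
        sprintf( '%s logged in from %s at %s', $user_login, $ip, current_time( 'mysql' ) ) );
} );
```

WordPress nonces are not one-time tokens: they stay valid for 12 to 24 hours (adjustable through the nonce_life filter, as David notes) and, for logged-out visitors, one value verifies for every visitor, so this gate only turns away clients that post straight to wp-login.php. Rate limiting and the login notification still belong alongside it.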

  10. redactuk

    A bit of a belated reply to this, but this plugin does pretty much everything you need:

    iThemes Security (formerly Better WP Security)

    Quite possibly the best plugin I’ve ever used for my WordPress sites; it takes care of so many areas of security in just one plugin and is continually being updated and improved.

  11. David Chandra

    Thank you redactuk,

    I’m always “scared” to install “big” plugins (such as SEO, W3TC).
    I even wanted to escape from JetPack, but failed 🙂

    I’ll try it when I have the time to test it all.

    I have a procedure where I need to test each update on a test/staging site and update the site only after each update is tested. And it’s harder with an “all-in-one” plugin solution.
    I’m considering changing this workflow btw (not sure yet).

    But I agree, I think Better WP Security / iThemes Security is probably the best security plugin for wp.