Continuous brute force attack on my WordPress site kidzeegames.com. Multiple login attempts found for my website, with brute force trying to log in from the admin panel or other users' accounts, which makes my site slow to run and sometimes even crashes my site due to the high volume of login requests. Someone please provide some tips on what to do in this situation, as I am using shared hosting from Arvixe. Thanks
#1 - Don't use the 'admin' username
#2 - Good Passwords
#3 - You can use the Enforce Strong Password plugin to force users to set strong passwords.

Things to avoid when choosing a password:
- A word from a dictionary, in any language.
- A short password.
- Any numeric-only or alphabetic-only password (a mixture of both is best).

Password Protect wp-login.php

Password protecting your wp-login.php file (and wp-admin folder) can add an extra layer to your server. Because password protecting wp-admin can break any plugin that uses ajax on the front end, it's usually sufficient to just protect wp-login.

To do this, you will need to create a .htpasswd file. Many hosts have tools to do this for you, but if you have to do it manually, you can use this htpasswd generator. Much like your .htaccess file (which is a file that is only an extension), .htpasswd will also have no prefix.

You can either put this file outside of your public web folder (i.e. not in /public_html/ or /domain.com/, depending on your host), or you can put it in the same folder, but you'll want to do some extra security work in your .htaccess file if you do.

Speaking of, once you've uploaded the .htpasswd file, you need to tell .htaccess where it's at. Assuming you've put .htpasswd in your user's home directory and your htpasswd username is mysecretuser, then you put this in your .htaccess:

```
# Stop Apache from serving .ht* files
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

# Protect wp-login
<Files wp-login.php>
# Apache does not expand "~" here: give the absolute path to the file
# in your home directory (USERNAME is a placeholder)
AuthUserFile /home/USERNAME/.htpasswd
AuthName "Private access"
AuthType Basic
require user mysecretuser
</Files>
```

Plugins you can use:
- BruteProtect
- Limit Login Attempts
- Lockdown WP Admin
- WP Fail2Ban
- Admin Renamed Extended
- Enforce Strong Password
- Wordfence Security
- 3WP Activity Monitor
- All in one WP Security

The strongest and the weakest point of any security is YOU, each and every time.

http://codex.wordpress.org/Brute_Force_Attacks
Dude, simply punt folks who try to log in more than 3 times and call it a day. Use this first: http://wordpress.org/plugins/bulletproof-security/ It takes about 2 minutes to config; then read the memo at the top of the wp admin and install the free brute force mod. N.
Thanks for the nice tutorial. I have already made the basic changes: the username is already changed and the password is very strong. I cannot set password protection for wp-login.php because my site is user-facing; any user can register and log in to play games. What I found is a brute force attack on the wp-login.php page, continuously trying to log in with several user IDs and multiple passwords. I found more than 100000 login attempts from multiple PCs; that's why my site gets slow.
If you are having this error, I suggest that you try a different approach: instead of going through login from wp-login.php, use this plugin: http://wordpress.org/plugins/rename-wp-login/ Then use cPanel to redirect wp-login to a not found error. That way your server resources are not consumed and your site won't be slow. Read the documentation fully; you may need to have a notification on the homepage for the new login URL.
Those are some great plugins listed above; I use a few of those with great success. There's one called, I think, "login security" or something. It repels brute force attacks and makes them take extra long so that they eventually just give up.
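An added example, not code from any poster in this thread: a log check that applies the "more than 3 times" rule to failed wp-login.php POSTs per client and also counts the overall volume seen when attempts come from many PCs. The Apache common/combined log format, the five-minute window, the helper names and the sample lines are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Prefix of an Apache common/combined log line: client, time, request, status.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
MAX_ATTEMPTS = 3               # the "more than 3 times" rule from the thread
WINDOW = timedelta(minutes=5)  # assumed look-back window

def find_bruteforce(lines, max_attempts=MAX_ATTEMPTS, window=WINDOW):
    """Return ({ip: peak failed logins inside one window}, total failed logins).

    Assumes the lines are in chronological order, as in a live access log.
    """
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    offenders, total = {}, 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue             # malformed line, or a plain view of the form
        if m["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        if m["status"] != "200":
            continue             # stock WordPress: 200 = failed, 302 = logged in
        total += 1
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()          # drop attempts older than the window
        if len(q) > max_attempts:
            offenders[m["ip"]] = max(offenders.get(m["ip"], 0), len(q))
    return offenders, total

def _line(ip, hhmmss, method="POST", status=200):
    # Builds one constructed access-log line (sample data, not real traffic).
    return (f'{ip} - - [10/Mar/2014:{hhmmss} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 3456')

SAMPLE_LOG = (
    [_line("203.0.113.5", f"10:00:{s:02d}") for s in range(0, 50, 10)]  # 5 fast failures
    + [_line("198.51.100.7", "10:01:00"), _line("198.51.100.7", "10:01:20", status=302)]
    + [_line("198.51.100.9", "10:02:00", method="GET")]                 # form view only
    + [_line("203.0.113.8", f"10:{mi:02d}:00") for mi in (0, 10, 20, 30)]  # slow retries
)

if __name__ == "__main__":
    offenders, total = find_bruteforce(SAMPLE_LOG)
    print(f"{total} failed logins; over the limit: {offenders}")
```

The total is the figure to watch in the distributed case described in the thread: many clients that each stay under the per-IP limit still add up to a high overall count of failed logins.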