Protecting Your Site From Brute Force Attacks

Securing Your Site Against Brute Force Attacks

One of the most common abuse scenarios on a shared hosting server is a brute force attack against a login page. Millions of bots constantly crawl the web looking for login pages; once one is found, they launch an attack that tries to guess the username and password. This can cause performance problems for your site and even for the entire server. I will share some ways in which you can protect your website from these attacks.

Using .htaccess To Limit Access By IP

This is very strict but also very secure. You can limit access to a folder or a specific file to the IP address or addresses that you specify. On multi-user sites you might want to look at a plugin or extension that provides brute force protection with more flexibility.

I will give two examples that you can use: a file-specific lock and a directory lock.

Example 1. Lock By File

For WordPress a file-specific lock will work: we want to lock down wp-login.php, as this is what the bots will be targeting. Navigate to your WordPress install directory and check for a .htaccess file. Make sure that "Show Hidden Files" is selected in your file manager settings (bottom right). You most likely have one there already; if not, go ahead and create one. Now add the following to the file:

# Only the listed IP may reach wp-login.php; everyone else is denied
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from 123.123.123.123
</Files>

Replace 123.123.123.123 with your IP. If you are not sure what your IP is you can check it on this page: http://fluidhosting.com/whats-my-ip.php

Important: Be sure you know whether your IP is static or dynamic. If you do not know, contact your ISP and they will be able to tell you. If you add this protection and your IP changes, you will be locked out of your login page.

Example 2. Lock By Directory

For Joomla a directory-style lock will work well for limiting access to the administrator login. Navigate to your "administrator" directory and check for a .htaccess file; if there is not one, create one and add the following:

# Lock this directory except for the listed IP
Order Deny,Allow
Deny from all
Allow from 123.123.123.123

Replace 123.123.123.123 with your IP. If you are not sure what your IP is you can check it on this page: http://fluidhosting.com/whats-my-ip.php

Important: Be sure you know whether your IP is static or dynamic. If you do not know, contact your ISP and they will be able to tell you. If you add this protection and your IP changes, you will be locked out of your admin directory.

Brute Force Protection By Plugin, Extension, Module, Etc.

Most CMSs, forums, and blogging platforms have the ability to add brute force protection through add-on scripts. Here is a list of places where you can find these add-ons for the more popular platforms.

Wordpress: https://wordpress.org/plugins/tags/brute-force

Joomla: http://extensions.joomla.org/extension (search for "brute force")

Drupal: https://www.drupal.org/project/project_module (search for "brute force")

Lately another common attack point for WordPress is xmlrpc.php, so if you are not using it I suggest locking it down completely with:

# Nobody may reach xmlrpc.php
<Files xmlrpc.php>
Order Allow,Deny
Deny from all
</Files>

Many people do not need the xmlrpc.php functionality, but be sure to check whether your site may be using it. Jetpack, for example, requires it for much of its functionality, as do the iOS WordPress apps and the pingback / trackback functions of WordPress.
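One way to check is to look at your access log before adding a lock. The following is an added example, not part of the original article: it tallies POST requests to wp-login.php and xmlrpc.php per client IP from an Apache "combined" format access log, which shows both which IPs are hammering the login page and whether anything still uses xmlrpc.php. The log lines are constructed, and the threshold and the path to your real log are assumptions you adjust.

```shell
#!/bin/sh
# Added example, not from the original article: tally POST requests to the
# login endpoints discussed above per client IP from an Apache "combined"
# access log, to spot brute force sources and to check whether xmlrpc.php
# is in legitimate use before locking it down.

# Constructed sample log lines (not real traffic); point login_posts at
# your real access log instead (its path is an assumption).
SAMPLE_LOG='203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "wp-iphone/12.0"
192.0.2.9 - - [10/Oct/2023:14:02:10 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'
SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$SAMPLE_FILE"

# login_posts LOG PATH -> "COUNT IP" for each client that POSTed to PATH, busiest first.
# Combined-format fields: $1 = client IP, $6 = "METHOD (with leading quote), $7 = path.
login_posts() {
  awk -v ep="$2" '$6 == "\"POST" && $7 == ep { c[$1]++ }
                  END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

# noisy_ips LOG PATH MIN -> IPs with at least MIN POSTs to PATH (MIN is an
# assumed threshold; these are the clients a lock like the one above shuts out).
noisy_ips() {
  login_posts "$1" "$2" | awk -v min="$3" '$1 >= min { print $2 }'
}

# xmlrpc_in_use LOG -> succeeds if any client POSTed to /xmlrpc.php, i.e.
# something (Jetpack, a mobile app, pingbacks) may still depend on it.
xmlrpc_in_use() {
  login_posts "$1" /xmlrpc.php | grep -q .
}

echo "POSTs to /wp-login.php by IP:"
login_posts "$SAMPLE_FILE" /wp-login.php
echo "IPs with 3 or more login POSTs: $(noisy_ips "$SAMPLE_FILE" /wp-login.php 3)"
if xmlrpc_in_use "$SAMPLE_FILE"; then
  echo "xmlrpc.php is being used; check what depends on it before locking it down"
fi
```

GET requests are ignored on purpose, since a bot guessing passwords has to POST the form; plain page loads of wp-login.php are normal traffic.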

Note: .htaccess methods will not work if you are on Windows hosting.
