As we all know, WordPress websites are a frequent target and are hit by many kinds of attacks.
The most common attack against WordPress is the brute-force attack, which tries to guess our login credentials.
This post is about exactly that, and here I will describe the steps I have followed to secure my website.
In a brute-force attack, the attacker sends POST requests to our login URL with a username and a guessed password, usually taken from a password list.
A request can look like this:
<?php
$url = 'https://example.com/wp-login.php';
// Form fields that the normal wp-login.php form submits
$data = [
    'log'         => "admin",
    'pwd'         => md5(uniqid(rand(), true)), // a fresh guess on every request
    'wp-submit'   => 'Log In',
    'redirect_to' => 'https://example.com/wp-admin/',
    'testcookie'  => '1'
];
// Initialize a cURL session
$ch = curl_init($url);
// Set cURL options
//curl_setopt($ch, CURLOPT_PROXY, $proxy);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
// Set HTTP headers (if required)
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Content-Type: application/x-www-form-urlencoded',
]);
// Execute the cURL request
$response = curl_exec($ch);
curl_close($ch);
Using the above script the attacker can send random passwords to our website and check whether the response has HTTP code 302; when it does, they know they have cracked the password.
Also, each request uses a lot of server resources, such as a DB connection and DB queries, which increases the load on the server, and sometimes the server even returns a 502 error.
To add some security, you can install the Google Authenticator plugin, which always requires a Google OTP code for a login to succeed.
Most attackers do not send this extra parameter when they are brute forcing. But even when the googleotp code is missing, each request still consumes a lot of resources, because WordPress is fully loaded before the login is rejected.
In this article I will explain how we can check whether the googleotp code is absent and, if so, not initialize WordPress at all and send a 400 error in the response.
At the very top of your wp-config.php file (before the existing configuration comment block) you can add the code below, so that the request is blocked immediately and does not use many resources.
// Reject login POSTs that carry no Google OTP code before WordPress loads.
// Other wp-login.php flows (password reset, password-protected posts,
// registration) also POST to wp-login.php without an OTP field, so they
// are exempted here; the article's original check exempted only lostpassword.
$otp_exempt_actions = array( 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'postpass', 'register' );
$login_action       = isset( $_REQUEST['action'] ) ? (string) $_REQUEST['action'] : '';

if ( strpos( $_SERVER['REQUEST_URI'], 'wp-login.php' ) !== false
    && $_SERVER['REQUEST_METHOD'] === 'POST'
    && ! in_array( $login_action, $otp_exempt_actions, true )
    && empty( $_POST['googleotp'] )
) {
    http_response_code( 400 );
    die( 'Invalid Request' );
}
/**
* The base configuration for WordPress
*
With this in place, the check runs before WordPress is loaded: if the request is a POST to the login page and has no googleotp parameter, it immediately gets a 400 error and no database connection is ever made.
The code exempts the lostpassword flow, because the lost-password form also posts to the wp-login.php?action=lostpassword URL.
I hope this article is helpful. Let me know your thoughts on this.
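As an added example (not code from the original article), here is a small Python script that reads web server access log lines and spots the two patterns described above: a client posting repeatedly to wp-login.php and getting 200 (login form re-rendered with an error) followed by a 302 (successful login), and, once the wp-config.php guard is in place, a client collecting 400 responses because it never sends the googleotp field. The log lines are constructed samples in the common Apache/Nginx combined format; the IP addresses, the log path and the threshold of 3 are assumptions, not values from the article.

```python
import re
from collections import OrderedDict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.9 - - [10/May/2024:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2024:10:01:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [10/May/2024:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 400 15 "-" "curl/8.0"
192.0.2.55 - - [10/May/2024:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 400 15 "-" "curl/8.0"
192.0.2.55 - - [10/May/2024:10:02:01 +0000] "POST /wp-login.php HTTP/1.1" 400 15 "-" "curl/8.0"
192.0.2.55 - - [10/May/2024:10:02:05 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "curl/8.0"
"""

# Client IP, timestamp, request line and status code of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_login_post(entry):
    """True for a POST to the interactive login form: /wp-login.php with no
    action or action=login. Other actions (lostpassword, resetpass, postpass,
    ...) are separate flows and are not counted as login attempts."""
    if entry["method"] != "POST":
        return False
    parts = urlsplit(entry["target"])
    if parts.path != "/wp-login.php":
        return False
    action = parse_qs(parts.query).get("action", ["login"])[0]
    return action == "login"


def summarize(lines):
    """Per client IP: login attempts split by outcome.
    302 = WordPress redirected, i.e. the credentials were accepted;
    400 = rejected by the wp-config.php guard (no googleotp field);
    anything else (normally 200) = login form re-rendered, i.e. failure."""
    stats = OrderedDict()
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_login_post(entry):
            continue
        s = stats.setdefault(entry["ip"], {
            "attempts": 0, "failed": 0, "success": 0, "rejected": 0,
            "success_after_failures": False,
        })
        s["attempts"] += 1
        if entry["status"] == 302:
            s["success"] += 1
            if s["failed"] > 0:          # guess-then-hit: possible compromise
                s["success_after_failures"] = True
        elif entry["status"] == 400:
            s["rejected"] += 1
        else:
            s["failed"] += 1
    return stats


def flag_suspects(stats, threshold=3):
    """List (ip, reason) pairs worth blocking or reviewing."""
    findings = []
    for ip, s in stats.items():
        if s["failed"] >= threshold:
            findings.append((ip, "repeated failed logins"))
        if s["rejected"] >= threshold:
            findings.append((ip, "repeated guard rejections (no OTP sent)"))
        if s["success_after_failures"]:
            findings.append((ip, "successful login after failures: review the account"))
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/var/log/nginx/access.log") in practice (path is an assumption).
    for ip, reason in flag_suspects(summarize(SAMPLE_LOG.splitlines())):
        print(f"{ip}: {reason}")
```

Run against a real access log, the "repeated guard rejections" finding is the visible effect of the wp-config.php check: the brute-force traffic still arrives, but each attempt now costs a 400 response instead of a full WordPress bootstrap and a set of database queries, and the IPs collecting those 400s are good candidates for a firewall or fail2ban rule.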