
Old Forums (READ-ONLY): The community now lives at WP Sharks™. If you have an s2Member® Pro question, please use our new Support System.

Brute Force Attack Workaround


This topic contains 3 replies, has 3 voices. Last updated by  Victor Font 3 years, 7 months ago.

Posted: Monday Jun 3rd, 2013 at 1:44 pm #51228
Victor Font
Username: vfontjr

My webserver has come under several brute force attacks in the past couple of weeks. Today, my service provider blocked access to wp-login by making changes to my .htaccess file. Since I’m using S2Member to protect content on my site, blocking access to wp-login also blocks my customers from viewing their content. That’s correct, isn’t it?

So my question is, how can I work around the issue of brute force attacks against wp-login and still provide access to my customers?

List Of Topic Replies

Posted: Tuesday Jun 4th, 2013 at 2:51 am #51269

Check out the plugin “Limit Login Attempts” ( http://wordpress.org/plugins/limit-login-attempts/ ).

This drastically reduced the amount of brute force password attacks on the Admin user. Just make sure that you set high enough hours for the locking period. I usually set these values:

5 login attempts, then a 30 minute locking period.

After two rounds of the above login tries, I block access for this IP for two days.

BTW I think you should think about switching hosting providers – fiddling with your .htaccess file without contacting you would be a no-go for me.

Take care
Alex

Posted: Tuesday Jun 4th, 2013 at 5:06 am #51292
Bruce
Username: Bruce
Staff Member

Check out the plugin “Limit Login Attempts” ( http://wordpress.org/plugins/limit-login-attempts/ ).

This drastically reduced the amount of brute force password attacks on the Admin user. Just make sure that you set high enough hours for the locking period. I usually set these values:

s2Member actually has this exact same functionality built in here:

Knowledge Base » s2Member® Brute Force IP/Login Restrictions

So my question is, how can I work around the issue of brute force attacks against wp-login and still provide access to my customers?

s2Member can only provide so much protection using IP Addresses here:

Knowledge Base » s2Member® Brute Force IP/Login Restrictions

If you’re having a problem with Brute Force attacks, this is something that has to be dealt with on the server-side, I’m afraid. s2Member’s Brute Force Login Restrictions will help you, but IP Addresses can be spoofed (faked), which is likely what happened in your case. You’ll have to contact your hosting company about that.

Posted: Tuesday Jun 4th, 2013 at 10:05 am #51321
Victor Font
Username: vfontjr

Thank you very much for your responses. I’ll definitely use the feature in s2Member. I also spent some time yesterday modifying my own .htaccess file to do four things:

1. Detect when a POST is being made
2. Check to see if the post is on wp-comments-post.php or wp-login.php
3. Check if the referrer is in my domain(s) or if no referrer
4. Send the spam-bot BACK to its originating server’s IP address.

The article about what I did is here: http://victorfont.com/securing-wordpress-from-brute-force-attacks/
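The four-step check described above, written out as an added example of Apache mod_rewrite rules. This is not Victor's own .htaccess (the exact contents are only in his linked article); it assumes Apache 2.x with mod_rewrite enabled, WordPress installed at the web root, and uses example.com as a placeholder for the site's own domain:

```apache
# Added example of the four-step POST check, not the original .htaccess from the thread.
# Assumes mod_rewrite is loaded, WordPress lives at the web root, and example.com
# stands in for the site's real domain(s).
<IfModule mod_rewrite.c>
RewriteEngine On

# 1. Only act on POST requests. GET requests to wp-login.php are untouched,
#    so members can still reach the login form and their protected content.
RewriteCond %{REQUEST_METHOD} ^POST$

# 2. Only for the two endpoints that login and comment bots post to.
RewriteCond %{REQUEST_URI} ^/(wp-login|wp-comments-post)\.php$ [NC]

# 3. Allow the POST only when the Referer header points at this site.
#    An empty or missing Referer also fails this test, which matches the
#    "or if no referrer" case in the post.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]

# 4. Instead of processing the request, redirect it back to the client's own
#    address. %{REMOTE_ADDR} is the connecting IP as Apache sees it.
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]
</IfModule>
```

Two caveats before relying on this: legitimate clients that send no Referer (browsers with a no-referrer policy, privacy extensions, mobile or XML-RPC clients) fail step 3 as well, so test your own login flow after adding the rules; and if the site sits behind a CDN or reverse proxy, %{REMOTE_ADDR} is the proxy's address, not the visitor's. The rules also do no rate limiting, so they complement rather than replace the lockout features Alex and Bruce describe.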


This topic is closed to new replies. Topics with no replies for 2 weeks are closed automatically.
