
I admin a server with lots of WordPress installations on it. I am searching for a solution to prevent high CPU usage during brute-force attacks; these make the server unusable for some hours a day.

These are the targets:

  • Referer detection is not enough (EXAMPLE) (I already tried this solution, but the hackers that attack me can get around it and fill the CPU anyway).
  • Password protection on "wp-login.php" via .htaccess is not a good solution (EXAMPLE) (company requirements).
elijabaley
  • Out of interest, why is the company policy not to allow password protection? – Drew Khoury Aug 22 '13 at 04:51
  • Found a good way to follow!!! I used the solution "make it harder to find" from Drew Khoury: I changed the WordPress login address using this plugin: http://wordpress.org/plugins/rename-wp-login/
    ADVANTAGE: It doesn't break all the WordPress functionalities that use wp-login.php and maintains consistency through different versions of WordPress. So, a good protection stack in my experience is now: *NO "admin" username *NO easy passwords *YES Referer Detection *YES change wp-login address
    – elijabaley Aug 27 '13 at 07:55
  • @DrewKhoury The company doesn't like Apache password protection because it is considered unprofessional to have two username/password pairs for customers that need access to our websites – elijabaley Aug 27 '13 at 08:05
  • Go figure. Not professional to offer more security ;) anyway glad you found a solution that worked for you, that's the main thing! – Drew Khoury Aug 27 '13 at 13:53

3 Answers


I can think of a few possibilities right off the top of my head; in order of roughly increasing invasiveness to legitimate users:

  • Rename wp-login.php to something else? (Needs to be maintained when upgrading, relies on security through obscurity, but should stop most non-targeted scripted attacks with a minimum of trouble for legitimate users.)
  • CPU-limit the web server process? (Causes the web server to become somewhat more sluggish during request floods, but should allow server maintenance even in the face of heavy onslaught; even just 5% remaining CPU should be plenty. May need coordination with the database server process as well.)
  • Rate-limit requests to wp-login.php in a front-side load balancer or firewall? (Will give legitimate users trouble during a request flood, but at least the rest of the server including public access to blog content should keep churning along happily.)
user

I wrote a WordPress plugin which you will probably find helpful.

Bad Behavior has a good track record of stopping these sorts of brute-force attacks. It's sort of a minimalist web application firewall which blocks link spam and some other malicious traffic very early, before all of WordPress is loaded, saving CPU and other resources. (I say minimalist because what can be done only at this layer is minimal compared to what you can do in the web server or even with a separate appliance, though it was designed for people with no other option.)

You'll find it in the WordPress plugin repository.


Since you run the server, you may also want to use ModSecurity with the Core Rule Set. Many of Bad Behavior's rules are reimplemented here (look for my name and/or Bad Behavior's name in them) and the ruleset also contains many other rules which may be helpful to you.

Michael Hampton

There are plenty of things you can do to stop the attackers chewing up your resources.

(re)consider using password protection for admin areas

You may have valid reasons not to use this on all or some sites, but please don't underestimate the usefulness of this technique. Use wherever possible.

By requiring users to login at the web server level you minimise the damage attackers can do, limit the resources required to deal with these attacks, and further protect your websites that may have vulnerabilities.

restrict admin login to an IP whitelist (web server)

You can deny access to parts of your website. Even if you have to open up a rather large subnet of IPs, it's better than letting the whole world in!

In nginx it might look something like this:

location /wp-admin {
  # block one workstation
  deny    192.168.1.1;
  # allow anyone in 192.168.1.0/24
  allow   192.168.1.0/24;
  # drop rest of the world
  deny    all;
}

make it harder to find

Brute-force attacks make a number of assumptions. If you can rename your wp-admin folder, rename wp-login.php or run wp-admin on a non-standard port, then you won't have to spend your precious resources trying to validate these brute-force logins.

try fail2ban

http://wordpress.org/plugins/wp-fail2ban/

fail2ban is one of the simplest and most effective security measures you can implement to prevent brute-force password-guessing attacks.

fail2ban has some interesting features:

Block attempts to log in with an incorrect username

Many attackers attempt to log in with common usernames, such as admin. It's good practice not to use these usernames, in which case you can block anyone who attempts to log in with them.

WPf2b now allows you to specify a regex that will shortcut the login process if the requested username matches:

define('WP_FAIL2BAN_BLOCKED_USERS','^admin$');

ip-whitelist (fail2ban)

The idea here is to list the IP addresses of the trusted proxies that will appear as the remote IP for the request.

define('WP_FAIL2BAN_PROXIES','192.168.0.42,192.168.0.43');
Drew Khoury
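As an added example (not code from the page, from wp-fail2ban or from fail2ban itself), the Python below implements the detection logic behind the rate-limiting and fail2ban suggestions in the answers above: it flags any client that posts too many failed logins to wp-login.php inside a short window. The access-log sample, the IP addresses and the assumption that a failed login answers with HTTP 200 while a successful one redirects with 302 are mine, not the page's.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access log, combined format (not from the page): 203.0.113.7 hammers
# wp-login.php, 198.51.100.20 mistypes once then logs in, 192.0.2.9 fails every two minutes.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Aug/2013:04:50:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3452 "-" "Mozilla/4.0"
203.0.113.7 - - [22/Aug/2013:04:50:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3452 "-" "Mozilla/4.0"
203.0.113.7 - - [22/Aug/2013:04:50:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3452 "-" "Mozilla/4.0"
198.51.100.20 - - [22/Aug/2013:04:50:04 +0000] "GET /wp-login.php HTTP/1.1" 200 2910 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Aug/2013:04:50:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3452 "-" "Mozilla/4.0"
198.51.100.20 - - [22/Aug/2013:04:50:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3452 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Aug/2013:04:50:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3452 "-" "Mozilla/4.0"
198.51.100.20 - - [22/Aug/2013:04:50:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [22/Aug/2013:04:52:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3452 "-" "Mozilla/5.0"
192.0.2.9 - - [22/Aug/2013:04:54:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3452 "-" "Mozilla/5.0"
192.0.2.9 - - [22/Aug/2013:04:56:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3452 "-" "Mozilla/5.0"
"""
# combined format: ip ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path.split("?", 1)[0], int(status)

def find_bruteforcers(log_text, maxretry=5, findtime=60):
    """IPs with at least maxretry failed wp-login.php POSTs inside one findtime-second window."""
    attempts = defaultdict(deque)  # ip -> timestamps of its recent failed logins
    flagged = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, method, path, status = rec
        # Assumption: a failed login re-renders the form (HTTP 200), a successful one
        # redirects to wp-admin (302) and a GET only fetches the form, so only 200s count.
        if method != "POST" or path != "/wp-login.php" or status != 200:
            continue
        window = attempts[ip]
        window.append(when)
        while (when - window[0]).total_seconds() > findtime:  # drop attempts outside the window
            window.popleft()
        if len(window) >= maxretry:
            flagged.add(ip)
    return sorted(flagged)
```

With the defaults only the fast attacker is flagged; widening findtime to a few minutes also catches the slow one, which is the trade-off fail2ban's maxretry/findtime pair controls.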