One of the negatives about open source software like WordPress is that it becomes an easy target for hackers and spammers.
We were experiencing speed issues as a result of high loads on our server with several services struggling to cope.
We identified that a number of WordPress installations were receiving a lot of traffic to the admin login page (wp-login.php), which indicates some attempted brute-forcing.
The number of login attempts was staggering: Here are the hits to ‘wp-login.php’ from one day alone:
| Login attempts | Domain name (hidden) |
|---|---|
| 15 | domainname01.com.au |
| 17 | domainname02.com |
| 18 | domainname03.com.au |
| 19 | domainname04.com |
| 20 | domainname05.info |
| 22 | domainname06.com.au |
| 22 | domainname07.com.au |
| 22 | domainname08.com.au |
| 23 | domainname09.org |
| 46 | domainname10.com.au |
| 75 | domainname11.com.au |
| 94 | domainname12.org |
| 267 | domainname13.com.au |
| 502 | domainname14.com |
| 837 | domainname15.co.uk |
| 1515 | domainname16.com.au |
| 12159 | domainname17.com.au |
Quite often people will try to fix these issues or secure their installations by installing plugins that attempt to block these brute-force attempts.
While this may secure the installation, it does nothing for the load generated by these requests, because PHP is still invoked and has to process the request, do database lookups and block IPs, all of which consume CPU time. This is magnified because the requests generally come in quick succession.
Instead of this, what I recommend is to block access to the wp-login.php file completely using .htaccess “deny” rules. Once access is completely removed, you can allow specific IPs which you trust, while keeping everyone else blocked. With .htaccess the request is denied before it ever reaches PHP, dramatically reducing the load caused by these requests.
To implement a block, just open up the main .htaccess file for a site and add the following lines to the top of the file:
<Files wp-login.php>
    # Apache 2.2 access-control syntax (on Apache 2.4 this needs mod_access_compat;
    # the native 2.4 form is "Require all denied" / "Require ip x.x.x.x")
    order deny,allow
    # allow from x.x.x.x
    deny from all
</Files>
ErrorDocument 403 Forbidden
To allow a legitimate IP, uncomment (remove the hash symbol) the “allow from x.x.x.x” line, and replace x.x.x.x with the IP you want to allow.
These requests may not be the sole reason for the load spikes, but they will definitely be causing additional load and consuming CPU time which is better served in processing legitimate requests, especially with busy sites.
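Both the per-site count in the table above and the “quick succession” pattern can be read straight from Apache's access log. The script below is an added example, not code from this post; it assumes Apache's vhost_combined log format, and the log lines in it are constructed samples (documentation-range IPs, the post's masked domain names).

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Matches Apache "vhost_combined": %v:%p %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):\d+ (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log, not real traffic: one burst source, one legitimate login, one denied hit.
SAMPLE_LOG = """\
domainname17.com.au:80 203.0.113.5 - - [12/Mar/2014:10:00:01 +1000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
domainname17.com.au:80 203.0.113.5 - - [12/Mar/2014:10:00:02 +1000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
domainname17.com.au:80 203.0.113.5 - - [12/Mar/2014:10:00:03 +1000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
domainname01.com.au:80 198.51.100.7 - - [12/Mar/2014:10:05:00 +1000] "GET /wp-login.php HTTP/1.1" 200 3981 "-" "Mozilla/5.0"
domainname01.com.au:80 198.51.100.7 - - [12/Mar/2014:10:05:09 +1000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
domainname17.com.au:80 203.0.113.5 - - [12/Mar/2014:11:30:00 +1000] "POST /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

def parse(log_text):
    """Yield (vhost, ip, timestamp, method, path, status) per matching line; skip malformed lines."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield (m["vhost"], m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                   m["method"], m["path"].split("?", 1)[0], int(m["status"]))

def login_hits(log_text):
    """Requests to wp-login.php per site: the per-domain count shown in the table above."""
    return Counter(v for v, _, _, _, path, _ in parse(log_text) if path == "/wp-login.php")

def burst_sources(log_text, window_s=60, threshold=3):
    """IPs with threshold+ failed logins (POST -> 200: WordPress re-renders the form) in any window_s seconds."""
    stamps = defaultdict(list)
    for _, ip, ts, method, path, status in parse(log_text):
        if path == "/wp-login.php" and method == "POST" and status == 200:
            stamps[ip].append(ts)
    flagged = {}
    for ip, times in stamps.items():
        times.sort()
        j = 0                                   # sliding window: times[j..i] all lie within window_s
        for i, t in enumerate(times):
            while (t - times[j]).total_seconds() > window_s:
                j += 1
            if i - j + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), i - j + 1)
    return flagged

def denied_count(log_text):
    """Hits answered 403, i.e. stopped by the .htaccess deny before PHP ran (a successful login is 302)."""
    return sum(1 for _, _, _, _, path, status in parse(log_text) if path == "/wp-login.php" and status == 403)
```

Once the deny rule is in place, a rising `denied_count` alongside an empty `burst_sources` result is the sign that the block is doing its job before PHP is involved.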
FAQ .htaccess
If you have not worked with a .htaccess file before, read on.
The .htaccess file is one of the best things about PHP, Unix hosting and WordPress. It is a very easy file to work with provided you follow these ‘must-dos’.
There are so many things that can be achieved with a .htaccess file, including blocking and redirection.
- the file must be named .htaccess (a leading period, no file extension)
- it can be edited in Notepad or any plain-text editor
- it must be uploaded and downloaded in ASCII (text) mode, not binary
- the .htaccess file lives in the site's root directory; on Unix hosting that is typically /public_html/.htaccess
- if you have enabled ‘permalinks’ there will already be a .htaccess file. To add the login blocking described above, download the .htaccess file (FTP, ASCII mode) and add the code above the existing code.
- Google “what's my IP” to discover your IP address