They Tried to Hack My Blog – Keeping Your WordPress Site Secure

WordPress is a free and open-source content management system written in PHP and backed by MySQL. A very large share of the world's blogs and websites run on it, and the more popular it is, the more attacks it attracts from “bad” people. There are a couple of ways to reduce the attack surface of your WordPress website, either by making some adjustments to your WP installation or by using the facilities your hosting provider offers.

So, what happened on this beautiful Saturday morning? When I woke up I wanted to write a blog post about react-native. I launched my browser, went to my login page, entered my credentials and hit Login… Boom… Login had been disabled because of a brute force attack.

First, in my hosting provider’s cPanel I went through the access logs for GET and POST requests to the login page (wp-login.php by default).

It was pages and pages of these logs with IPs from around the world (France, UK, Thailand, USA etc). Hundreds of GET and POST requests were made to the login page of my blog.

First, I thought I would add “deny from” entries for the offending addresses to my .htaccess file. Like this:
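The original snippet did not survive on this page, so here is an added example of that approach (my reconstruction, not the author's own file). It assumes Apache 2.4 directive syntax; the addresses are placeholders from the RFC 5737 documentation ranges:

```apache
# Block a handful of addresses seen hammering the login script.
# Placed in the .htaccess at the WordPress root.
<Files wp-login.php>
    <RequireAll>
        # Everyone may reach the login page...
        Require all granted
        # ...except these (placeholder) attacker addresses.
        Require not ip 203.0.113.10
        Require not ip 203.0.113.77
        # Whole ranges can be listed in CIDR form.
        Require not ip 198.51.100.0/24
    </RequireAll>
</Files>
```

On an Apache 2.2 host the equivalent is `Order allow,deny` followed by one `Deny from` line per address inside the same `<Files>` block. A blocked client receives a 403, which you can confirm from the address in question with `curl -I https://your-site/wp-login.php`.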

Then I realised this was not a very practical way of achieving what I actually wanted, which was to block malicious, automated traffic to my login page. How could I deny all of them? These bots just keep coming from ever-new IP addresses, and a deny list only grows.

Another way would be to allow only a single IP, or a small set of IPs, to reach my login page, again via .htaccess. Like this:
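Again the original snippet is missing, so this is an added example of the allow-list variant (my reconstruction, not the author's). It keeps the page's own placeholder address and assumes Apache 2.4 syntax:

```apache
# Only the listed addresses may reach wp-login.php; everyone else gets a 403.
<Files wp-login.php>
    # Several "Require ip" lines inside <Files> are OR-ed together.
    Require ip 123.123.123.123
    # An office or home range can be given in CIDR form (placeholder range).
    Require ip 198.51.100.0/24
</Files>
```

On Apache 2.2 the same effect comes from `Order deny,allow`, `Deny from all` and one `Allow from` line per address. Before relying on it, check from an address that is not on the list that the login page really does return 403, and from one that is that you can still log in; a typo here locks you out along with the bots.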

Replace 123.123.123.123 with the IPs you want to allow.

But my machine gets its IP address dynamically, and I cannot know in advance which addresses I will have in the different places I work from, so an allow list would eventually lock me out as well.

So I decided to go with a less restrictive, more practical approach. Most brute force attacks send POST requests straight to your wp-login.php script, without ever loading the login form first. You can filter them by only accepting login POSTs whose Referer header names your own domain, i.e. requests that came from a form served by your site. Simply replace example\.com with your own domain name below.
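The page's own rewrite rules are not reproduced here, so the following is an added example of the Referer check (my reconstruction, not the author's snippet). It assumes mod_rewrite is enabled, which WordPress permalinks already require, and uses example\.com as the placeholder domain the text mentions:

```apache
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Only look at POSTs (the login form submission)...
    RewriteCond %{REQUEST_METHOD} POST
    # ...aimed at the login script, wherever WordPress is installed.
    RewriteCond %{REQUEST_URI} /wp-login\.php$
    # ...whose Referer is missing or does not point at this site.
    # An empty Referer fails the positive match, so the negation fires.
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
    # Refuse with 403 without running any PHP.
    RewriteRule .* - [F,L]
</IfModule>
```

To check it, `curl -i -X POST https://example.com/wp-login.php -d 'log=x&pwd=y'` should now return 403, while the same request with `-H 'Referer: https://example.com/wp-login.php'` should reach WordPress as before. Two caveats: a visitor whose browser or privacy extension strips the Referer header will be locked out too, and a bot author who bothers to send a matching Referer walks straight through, since the header is entirely under the client's control.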

Requiring a login POST to carry your domain as the Referer filters out the bulk of dumb bot traffic and keeps your site unblocked and secure most of the time. It is a cheap filter, not an access control: the Referer header is set by the client, so a bot that sends a matching one is not stopped. Let’s see how this works out.

P.S. This is not, by far, a complete WordPress security guide. I am just proposing some alternatives against bot attacks that can take your site down or get it blocked by your hosting provider.

Hope this helps.
Good Luck,
Serdar