Prevent server unusable on wordpress bruteforce attacks

elijabaley asked:

I admin a server with lots of wordpress installations on it. Searching a solution to prevent high CPU on bruteforce attacks, this make the server unusable some hours a day.

These are the targets:

  • Referer detection is not enough (EXAMPLE) (already tried this solution but hackers that attack me can get around it and fill CPU anyway).
  • Password protection on “wp-login.php” via .htaccess is not a good solution (EXAMPLE) (company requirements).

My answer:


I wrote a WordPress plugin which you will probably find helpful.

Bad Behavior has a good track record of stopping these sorts of brute-force attacks. It’s sort of a minimalist web application firewall which blocks link spam and some other malicious traffic very early, before all of WordPress is loaded, saving CPU and other resources. (I say minimalist because what can be done only at this layer is minimal compared to what you can do in the web server or even with a separate appliance, though it was designed for people with no other option.)

You’ll find it in the WordPress plugin repository.


Since you run the server, you may also want to use ModSecurity with the Core Rule Set. Many of Bad Behavior’s rules are reimplemented here (look for my name and/or Bad Behavior’s name in them) and the ruleset also contains many other rules which may be helpful to you.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.