Series: Thoughts and Proof of Concepts

Fighting Brute Force Attack in WordPress

wordpress--brute-force-protection

Brute Force Attack is a daily problem for WordPress sites. What’s interesting is that you cannot prevent it from happening. It’s unavoidable. You can only make harder for the attacker to attack your sites.

If we use CMS with login feature to manage our content, we cannot remove/disable the login functionality because we need it to get access to manage the site.

You can use the strongest password, two factor authentication, etc. But it will not stop the attack to your site.

Every single login attempt will cost you server resource. You cannot cache this page to reduce the impact because WordPress need to validate each login attempt.

They can try to get access to your site, and fail. But they still can make your server collapse.
( or make you pay a lot of money if you use hosting that calculate price by pageviews )

But, we can try to discourage attacker by blocking IP addresses they use. If you use relatively good hosting, you probably have firewall system installed in your server to log and block attacker. But you can also install security plugin to add another layer of security. Several plugin for WordPress brute force protection:

  • Limit Login Attempts : un-maintained plugin, if I’m not mistaken WP Engine auto-activate this plugin for sites hosted there.
  • BruteProtect : Use their server to log IP addresses, kinda like Akismet for brute force attack. You need to register to their site to get API key for each of your site. Currently owned by Automattic.
  • Login Security Solution : similar with limit login attempt, maintained. And have multi-site support. This is the plugin I’m using.
  • And a lot more alternative…

It will reduce their attack, but because they seem to have unlimited number of IP Address, it’s actually (kinda) useless method to try to discourage them.

never give up

Quoting from Matt Mullenweg:

Supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn’t going to be great (they could try from a different IP a second for 24 hours).

You can also read other sources to understand the scale of the attack:

Every single day in each sites I got hundreds of failed login attempt. Probably tens of thousands if it’s not protected by firewall and security plugins. It happen in every single site. Not even one site is free from brute force attack.

Several days ago, I ask for advice at Theme Hyrid Forum (private forum replies). I got several response. And from their response I create a custom solution for my sites and my clients sites.

I tested it in 10 different sites for 24 hours, the result is amazing. I got almost zero login attempt.

Even though it’s still premature to say that this solution is working. In this post I would like to share the custom solution I build to solve this problem. Read More Fighting Brute Force Attack in WordPress

My WordPress Journey

I started my online life just as a hobby. The idea to make money online is interesting to explore. Almost no reason, just ’cause.

I created my first blog on blogger and purchased my first domain from Google Apps. Register to Google Adsense and think that I’ll start making $$$. I was wrong. It’s tough, need a lot of dedication. I need to learn SEO, content research, etc. Read More My WordPress Journey

jp

Jetpack Complex is a term used to describe a piece of software, a plugin or a theme in WordPress universe, that attempts to do too much and becomes painful to use for the user. An example of Jetpack Complex would be a plugin to display video that also tries to be your spelling and grammar checker program, sharing tool, and even contact form, resulting too much hard drive usage, server memory, and user time for maintenance by updating the part of the software they don’t actually use. 0

I can zoom and scroll horizontally a lot easier on mobile browser than using regular desktop browser. Why do they make it all one column? Where is the sidebar with all the useful links, popular posts, latest comments, etc. Why something as important as sidebar have to be at the bottom of the page when i can just use my thumb to slide and access the sidebar?

Do your user/visitor really need one column fluid layout responsive design? Do you? 0

Better Responsive Design with `wp_is_mobile`, Why Responsive Design is Not Enough

What is wp_is_mobile ?

wp_is_mobile is a WordPress function to detect user/visitor browser using user agent string. Some might think that this method is like prehistoric era. An era before we have responsive design. Web developer use user agent string to serve different website content to mobile user or redirect to mobile site, something like m.website.com.

So why WordPress, a CMS of the future have this function? Why WordPress still need this and use this function all across admin pages?

What Responsive Design Cannot Do

Responsive design is awesome, we can style based on browser width so the design can be useful and better for user using any device.

But there’s one problem…

Read More Better Responsive Design with `wp_is_mobile`, Why Responsive Design is Not Enough