Limit brute force attacks for WordPress websites

On of the biggest issues for WordPress attacks are brute force attacks. Even a smaller website might slow down your server if a bot is trying to hack your website or is sniffing for vulnerable files or locations.

By default each page request to a WordPress website will produce several database queries. Also page requests for non-existing pages and files!

Just try, enter your sites homepage and add something like 123flowers.jpg to the URL. You will get a 404 page with all the database queries behind!

The 404 error page is just one problem if your website is based on WordPress. Find on this page several tweaks I use to keep the memory usage low and my server quiet :)

Prepare yourself and your WordPress website

  1. Use always a cache plugin, I use WP Super Cache in mod_rewrite mode
  2. It’s important that your static files are served by Nginx or a CDN
  3. Monitor your websites frequently (check the log files for uncommon access)
  4. Install the “Protect” module from Jetpack to prevent many brute force attacks for your login page
  5. Fight SPAM, I use this plugin and keep most spammers away from my website
  6. Use Cloudflare as your DNS provider, even the free plan will help

Prevent 404 errors for static files

Add the following code at the top of your .htaccess file to prevent the call of your 404 error page for non existing files like images or JS/CSS files. The code below will return a 404 error without to load any PHP files.

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_URI} \.(jpg|jpeg|png|gif|bmp|ico|css|js|swf|htm|html|txt|php|asp|aspx)$ [NC]
    RewriteRule .* - [L,R=404]

More help by brute force attacks

  • The WordPress codex page related to brute force attacks
  • The 5G firewall rules, use them in your .htaccess file

I will update this page from time to time and add new scripts and resources that might help to keep your WordPress website fast and safe.