A couple of nights ago, one of the sites I developed was facing the infamous brute force attack. The attack caused a high spike in server load, and the tier-1 dedicated server that I am hosting the site on was down for a couple of days. This is really bad for the site's revenue and traffic.
I asked the dedicated hosting support staff to do some checking, because I could not log in to the hosting control panel since it was locked down by the server's high load spike. To my surprise, the hosting support staff confirmed that my site was facing a brute force login attack. Over 75,000 login attempts were recorded in the server log, and all of the activity had the same IP pattern.
So I requested some insight on how to solve this issue from the hosting support staff. The response was to strengthen the password for the 'admin' username, since the login attempts mostly focused on this username. The second step was to add password access for /wp-admin/ into .htaccess. Basically it is like Google's 2-step login confirmation. However, this would be a troublesome step, since the website that was attacked is a membership WordPress site with more than 1000 users.
And then I began my research on how to prevent a brute force login from causing server high load. Looking through the WordPress Plugin Repository, I found one Captcha WordPress plugin that is simple enough to set up without any extra unnecessary settings. Just download, activate and choose where you want the Captcha active. It can be active in the login form, register form, lost password form, comments form and contact form as well. In my case, I only activated the Captcha in my login form.
After installing the Captcha WordPress plugin, the website's server activity went back to normal; one might even say it got faster 🙂 Using a Captcha or similar plugin can cut the cost of excessive POST requests from login attempts, since a wrong Captcha code causes wp_die() to be called, ending the request early, and hence lowers the risk of server high load from a brute force login attack.
You can download the Simple Captcha WordPress Plugin here to start protecting your valuable WordPress website from any future brute force attack. Hopefully this extra easy step can reduce or prevent the gruesome 'headache' of dealing with hosting and the website being down for a couple of days like me.
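To make the mechanism concrete, here is a minimal login challenge written as an example for this post. It is not the code of the plugin mentioned above; it is a hypothetical must-use plugin (the name "Hypothetical Login Challenge" and the `hlc_` prefix are made up here) that uses only stock WordPress hooks: `login_form` to print a simple arithmetic question whose answer is kept server-side in a transient, and the `wp_authenticate` action, which WordPress fires inside `wp_authenticate()` before the `authenticate` filters run, so a wrong answer hits `wp_die()` before any password hashing happens. That early exit is the whole point: the bot's request is still received, but it costs the server a transient lookup instead of a user lookup plus a bcrypt/phpass comparison.

```php
<?php
/*
Plugin Name: Hypothetical Login Challenge
Description: Example login challenge for the brute force post. Not the plugin discussed in the post.
*/

// Print the challenge inside the wp-login.php form (only the login form is
// covered here, matching the choice made in the post).
add_action( 'login_form', 'hlc_render_challenge' );
function hlc_render_challenge() {
    $a     = wp_rand( 1, 9 );
    $b     = wp_rand( 1, 9 );
    $token = wp_generate_password( 20, false ); // random id for this challenge

    // Keep the expected answer on the server (transient, 10 minute lifetime);
    // the form only carries the opaque token, never the answer.
    set_transient( 'hlc_' . $token, (string) ( $a + $b ), 10 * MINUTE_IN_SECONDS );

    printf(
        '<p><label>What is %d + %d? <input type="text" name="hlc_answer" autocomplete="off" /></label>'
        . '<input type="hidden" name="hlc_token" value="%s" /></p>',
        $a,
        $b,
        esc_attr( $token )
    );
}

// Runs inside wp_authenticate() before the 'authenticate' filters, so a wrong
// or missing answer ends the request before any credential check is done.
add_action( 'wp_authenticate', 'hlc_verify_challenge', 1 );
function hlc_verify_challenge() {
    $is_post = isset( $_SERVER['REQUEST_METHOD'] ) && 'POST' === $_SERVER['REQUEST_METHOD'];
    if ( ! $is_post || empty( $_POST['log'] ) ) {
        return; // not a login form submission
    }

    $token  = isset( $_POST['hlc_token'] ) ? preg_replace( '/[^A-Za-z0-9]/', '', $_POST['hlc_token'] ) : '';
    $answer = isset( $_POST['hlc_answer'] ) ? trim( (string) $_POST['hlc_answer'] ) : '';

    $expected = '' !== $token ? get_transient( 'hlc_' . $token ) : false;
    if ( false !== $expected ) {
        delete_transient( 'hlc_' . $token ); // single use: a replayed token fails
    }

    if ( false === $expected || ! hash_equals( (string) $expected, $answer ) ) {
        // Same outcome the post describes: wp_die() ends the request here.
        wp_die(
            'Wrong answer to the login challenge.',
            'Login blocked',
            array( 'response' => 403 )
        );
    }
}
```

Two caveats a practitioner should keep in mind. First, this only guards wp-login.php: a login attempt sent through xmlrpc.php (for example `wp.getUsersBlogs`) never renders the form, so `$_POST['log']` is empty and the check is skipped; if XML-RPC is not needed, disable it or block it at the web server. Second, the requests still reach PHP, so this lowers the CPU cost per attempt rather than the request count; blocking the offending IP pattern at the firewall or web server remains the cheaper first line.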