WordPress login rate limiting (again)
We’ve talked before about WordPress login rate limiting. Attempts to guess WordPress administrator passwords are an ongoing problem, getting worse all the time.
The average WordPress site we host has received tens of thousands of malicious login attempts this month, with hundreds of thousands of different IP addresses being used in the attacks. We try to block the IP addresses that are responsible, but the ever-increasing number of addresses means we can’t block all of them — an individual address often attempts a login only once a day for a given site, far too slowly to trip any per-address rate limit. We need to adopt other tactics.
So we now track other information about visitors to see whether they’re legitimate when they attempt to log in. In particular, we require that a visitor has loaded the WordPress login page (wp-login.php) on a site before it sends a login “POST” request with a username and password. If it hasn’t, we redirect the request back to the login page instead of checking the password.
This rule blocks the vast majority of fake login attempts, because the bots typically post credentials straight to wp-login.php without ever fetching the form. It should cause no problems for legitimate logins: in the worst case, the login screen might be redisplayed to a human visitor. Let us know if you have any problems with that happening.
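The check described above can be done inside WordPress itself with a must-use plugin. The following is an added example written for this page, not the rule we run on our servers (which sits in front of WordPress): when the login form is fetched it sets a cookie carrying an HMAC token, and a username/password POST without a valid token is redirected back to the form. The cookie name, its one-hour lifetime and the function names are choices made for this example.

```php
<?php
/*
Plugin Name: Login form first (added example)
Description: Drop into wp-content/mu-plugins/. Sends a wp-login.php username/password
POST back to the login form unless the same client loaded the form shortly before.
Illustration only, not the hosting provider's own rule.
*/

// Assumed values chosen for this example: the cookie name and how long a visit
// to the form stays valid.
const LPF_COOKIE   = 'wp_login_form_seen';
const LPF_LIFETIME = 3600;

// A token is "<issue time>.<hmac>", where the HMAC covers the issue time and the
// client address and is keyed with the site's auth salt. A bot cannot invent one
// without first requesting the form, and a copied token dies after LPF_LIFETIME.
function lpf_make_token(int $issued, string $ip): string {
    $mac = hash_hmac('sha256', $issued . '|' . $ip, wp_salt('auth'));
    return $issued . '.' . $mac;
}

function lpf_token_is_valid(string $token, string $ip, int $now): bool {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || $parts[0] === '' || !ctype_digit($parts[0])) {
        return false;
    }
    $issued = (int) $parts[0];
    if ($issued > $now || $now - $issued > LPF_LIFETIME) {
        return false; // expired, or an issue time in the future
    }
    // Recompute the expected token and compare in constant time.
    return hash_equals(lpf_make_token($issued, $ip), $token);
}

// login_init fires in wp-login.php before any output, so headers can still be set.
add_action('login_init', function () {
    $ip  = $_SERVER['REMOTE_ADDR'] ?? '';
    $now = time();

    // Gate only the username/password submission. The lost-password form also
    // POSTs to wp-login.php but sends user_login, not log/pwd, and is left alone.
    $is_login_post = (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST')
        && isset($_POST['log'], $_POST['pwd']);

    if ($is_login_post) {
        $cookie = $_COOKIE[LPF_COOKIE] ?? '';
        if (!is_string($cookie) || !lpf_token_is_valid($cookie, $ip, $now)) {
            // No prior visit to the form: redisplay it instead of letting
            // wp-login.php hand the credentials to wp_signon().
            $redirect_to = isset($_POST['redirect_to']) ? wp_unslash($_POST['redirect_to']) : '';
            wp_safe_redirect(wp_login_url($redirect_to));
            exit;
        }
        return;
    }

    // Any other request for wp-login.php (normally a GET of the form) issues a
    // fresh token. The options-array form of setcookie() needs PHP 7.3 or later.
    setcookie(LPF_COOKIE, lpf_make_token($now, $ip), [
        'expires'  => $now + LPF_LIFETIME,
        'path'     => COOKIEPATH,
        'domain'   => COOKIE_DOMAIN ?: '',
        'secure'   => is_ssl(),
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
});
```

Two things to keep in mind with this shape of check. Because the token is bound to the client address, a human whose address changes between loading the form and submitting it simply sees the form again, which is the harmless worst case mentioned above. And it is a speed bump rather than a wall: a bot that is modified to fetch the form before posting gets a token like anyone else, so it complements, rather than replaces, IP blocking and rate limiting. It also only covers wp-login.php; other ways of presenting a username and password to WordPress are not touched by it.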
You can do your part, too. Never use a password that appears in any dictionary, and never choose an “obvious” password related to your site. In the last month, we’ve seen two WordPress sites hacked because the owners used their real name (visible as the “author” of each post on their site), or the site name, as their password. The automated software that hackers use can “scrape” words like that from pages and submit them as candidate passwords. Always use something unrelated to you or the site, ideally a long random password generated and stored by a password manager.
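Site owners who want WordPress to refuse exactly the passwords described above (the site name, the site’s host name, the author name shown on posts) can enforce it when a profile is saved. This is an added example for this page, not code we ship: it hooks the profile-update validation and rejects a new password that contains any of those names, whole or as individual words. The function names and the four-character minimum word length are choices made for the example.

```php
<?php
/*
Plugin Name: Reject site-derived passwords (added example)
Description: Drop into wp-content/mu-plugins/. Refuses a new or changed password
that contains the site name, the site's host name, or the account's own names:
the words a scraper can read off the site. Illustration only.
*/

// Lower-case and keep only letters and digits, so "My Blog!" and "myblog" match.
function rsp_normalize(string $s): string {
    return preg_replace('/[^a-z0-9]+/', '', strtolower($s)) ?? '';
}

// Returns the first forbidden word found inside the password, or null.
// Each candidate is checked whole and as its separate words of 4+ characters,
// e.g. "Example Widgets" forbids "examplewidgets", "example" and "widgets".
function rsp_site_derived_word(string $password, array $candidates): ?string {
    $pw = rsp_normalize($password);
    if ($pw === '') {
        return null;
    }
    foreach ($candidates as $candidate) {
        $candidate = (string) $candidate;
        $pieces = preg_split('/[\s@._-]+/', $candidate) ?: [];
        foreach (array_merge([$candidate], $pieces) as $piece) {
            $n = rsp_normalize($piece);
            if (strlen($n) >= 4 && strpos($pw, $n) !== false) {
                return $piece;
            }
        }
    }
    return null;
}

// Runs when a profile is saved or a user is created. $user is the object WordPress
// builds from the submitted form; user_pass is set only when a new password was typed.
add_action('user_profile_update_errors', function ($errors, $update, $user) {
    if (empty($user->user_pass)) {
        return; // this save does not change the password
    }
    $candidates = [
        get_bloginfo('name'),
        (string) wp_parse_url(home_url(), PHP_URL_HOST),
    ];
    foreach (['user_login', 'display_name', 'nickname', 'first_name', 'last_name', 'user_email'] as $field) {
        if (!empty($user->$field)) {
            $candidates[] = $user->$field;
        }
    }
    if ($update && ($existing = get_userdata($user->ID))) {
        $candidates[] = $existing->display_name; // the name shown as post author
        $candidates[] = $existing->user_login;
    }
    $word = rsp_site_derived_word($user->user_pass, $candidates);
    if ($word !== null) {
        $errors->add('pass', sprintf(
            '<strong>Error:</strong> the password contains "%s", which appears on this site. Choose something unrelated to you or the site.',
            esc_html($word)
        ), ['form-field' => 'pass1']);
    }
}, 10, 3);
```

This only catches the specific class of guess the post describes; it is no substitute for a long random password, and a dictionary word that has nothing to do with the site still passes it.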