If it seems as if WordPress is constantly under attack, it isn't your imagination. Because WordPress is the most common content-hosting application on the Internet, miscreants are always looking for ways to compromise WordPress websites and servers.


The latest, ongoing attack is an attack bot aimed at gaining admin access to WordPress by using "brute force" to discover the admin password. We have identified at least three such botnets, all active and pernicious, one of which is said to have over 90,000 zombie (attack) computers at its disposal.


This type of attack has been around since 2012 and we have been fending it off on a daily basis ever since. Without further ado, here is an easy three-step process that is 100% effective against all of the brute-force botnets.


1.  Activate "Limit Login Attempts" on the Edit/Update Details page in Installatron. While you're there activate automatic backups and updates.


If you did not install WordPress with Installatron, you can import your website into Installatron quickly and easily. This has the bonus effect of letting Installatron update your WordPress core code and plugins automatically.


2.  Install and activate the "Rename WordPress Login" plugin. Choose any login URL on the configuration screen. The default is fine for protection against the brute-force bots.


You can find the plugin by logging into your WordPress admin and searching for "rename wordpress login" on the Plugins > Add New page.


Step #3 is important to ensure the attack bot doesn't increase your resource use:


3.  Edit your .htaccess file (it lives in your website root folder; you can download it or edit it in place using your favorite FTP client) and add the following to the top of the file:



# Block brute force attacks against WordPress
# Serve a tiny "403" body instead of the full error page so the bot
# costs as little bandwidth and CPU as possible
ErrorDocument 403 "403"
<Files ~ "^wp-login\.php$">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>

# protect xmlrpc
# comment this out if you use JetPack
<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
</Files>


The "protect xmlrpc" block is a bonus: it protects against attacks that go through xmlrpc.php instead of the login page.
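To see whether a brute-force bot is actually hitting your site, and to check what the two .htaccess blocks above will turn into 403s, the following Python script is an added example (not part of the original article or of any plugin it mentions). It parses Apache "combined" access-log lines, counts POSTs to wp-login.php and xmlrpc.php per client IP, flags any IP over a lockout threshold (the same idea Limit Login Attempts applies inside WordPress), and reports which requests the <Files> rules would deny. The sample log lines, the 5-attempt threshold and the documentation-range IP addresses are all constructed for the example.

```python
"""Brute-force triage for the WordPress login endpoints (added example)."""
import re
from collections import Counter

# Apache "combined" log format:
#   ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# The same two files the .htaccess snippet denies. Apache's <Files> matches
# the final path component, so we compare against the basename only.
BLOCKED_FILES = re.compile(r'^(wp-login\.php|xmlrpc\.php)$')

# Assumption for this example: treat 5 or more login POSTs from one IP as a
# brute-force source (Limit Login Attempts lets you pick your own number).
LOCKOUT_THRESHOLD = 5


def parse_line(line):
    """Return a dict of ip/time/method/path/status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def would_be_blocked(path):
    """True if the request path names a file the .htaccess rules deny."""
    basename = path.split("?", 1)[0].rsplit("/", 1)[-1]
    return bool(BLOCKED_FILES.match(basename))


def login_attempts_by_ip(lines):
    """Count POSTs to wp-login.php / xmlrpc.php per source IP."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and would_be_blocked(rec["path"]):
            counts[rec["ip"]] += 1
    return counts


def flag_brute_forcers(lines, threshold=LOCKOUT_THRESHOLD):
    """IPs whose login POST count reaches the lockout threshold, sorted."""
    return sorted(ip for ip, n in login_attempts_by_ip(lines).items()
                  if n >= threshold)


def blocked_requests(lines):
    """How many logged requests (any method) the <Files> rules would 403."""
    total = 0
    for line in lines:
        rec = parse_line(line)
        if rec and would_be_blocked(rec["path"]):
            total += 1
    return total


# Constructed sample log (RFC 5737 documentation addresses, not real traffic):
# one IP hammering wp-login.php, one legitimate visitor, one xmlrpc.php poster.
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Apr/2013:12:00:{s:02d} +0000] '
    f'"POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"'
    for s in range(1, 7)
] + [
    '198.51.100.7 - - [10/Apr/2013:12:00:10 +0000] '
    '"GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3421 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Apr/2013:12:00:12 +0000] '
    '"GET /index.php HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
] + [
    f'192.0.2.9 - - [10/Apr/2013:12:00:{s:02d} +0000] '
    f'"POST /xmlrpc.php HTTP/1.1" 200 431 "-" "WordPress/3.5"'
    for s in range(20, 23)
] + [
    'this line is not in combined log format and is skipped',
]

if __name__ == "__main__":
    for ip, n in login_attempts_by_ip(SAMPLE_LOG).most_common():
        print(f"{ip:>15}  {n} login/xmlrpc POSTs")
    print("flagged:", flag_brute_forcers(SAMPLE_LOG))
    print("requests the .htaccess rules would deny:", blocked_requests(SAMPLE_LOG))
```

On a real server, feed it the site's access log (for example by reading the file into a list of lines). Note that the rules deny every request to wp-login.php, including your own, so apply step 3 only after the renamed login URL from step 2 is confirmed working; the legitimate GET in the sample is counted as blocked for exactly that reason.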


BONUS: Step 4.


If you're using "admin" as your WordPress admin user, add a new user and give it superadmin privileges. Then change the role for "admin" to something below administrator; "no role for this site" is fine. Finally, ensure you use a secure password.