How To Protect A WordPress Site Running Behind Nginx Server From Brute Force Attack

Ashok Raja T
Technology Specialist
October 8, 2019

In recent times, bots have become a menace for WordPress sites. It has become absolutely critical to protect and safeguard these sites from brute force attacks by automated bots. In this article we will see how to protect a WordPress site running behind an Nginx server from brute force attacks.

What is a brute force attack?

It’s a trial and error method of gaining access to a system by logging in with probable usernames and random passwords. This is a time-consuming approach and is usually carried out by automated bots. In WordPress, with default settings, certain things like the login URL and the login name are easy to figure out. The only remaining item required is the password, and this is one reason why brute force attacks are common against WordPress sites.

First things first

Before moving to Nginx, let’s make sure we have done the basics right by going through the security checks below.
1. Use a strong password with a mix of special characters and numbers, at least 10 characters long.
2. Do not use the site name or “admin” as the user name.
3. Block user registration if it is not required.
4. If user registration is required, enable Google reCAPTCHA for registration.
5. Change the “wp-login” URL to something else.
6. Enable two-factor authentication for logging in to the site. This can be enabled with the Two Factor or Wordfence Login Security plugins.
7. Install a WordPress security plugin to validate and protect the site.
8. Disable the REST API for anonymous users.
9. Disable XML-RPC.
10. Lock out an IP address or username after too many login attempts.

Security Plugin

A huge number of security plugins are available for WordPress, and selecting the best among them would be a herculean task. Wordfence and All In One WP Security & Firewall are some of the popular free plugins available to secure a WordPress site. I personally prefer All In One WP Security & Firewall for its wide variety of features. The majority of the items mentioned under “First things first” can be configured in the AIOWP (All In One WP Security & Firewall) security plugin.

Protecting login URL

Changing or protecting the login URL is much easier with the AIOWP plugin. Changing the login URL may be a bit risky, as it may be referenced by certain site back-up and restore plugins. Instead, I would suggest protecting the login URL from unauthorised access. This is possible by setting up cookie-based URL access through the AIOWP plugin.

Under the “WP Security” menu, select “Brute Force” and navigate to the “Cookie Based Brute Force Login Prevention” tab. Select “Enable Brute Force Attack Prevention” and provide a secret word for the query string. In the example below I have used the secret word “mysecreturl”, so the login URL becomes http://mysite/?mysecreturl=1


If you are running your WordPress site on an Nginx server, the above settings alone are not sufficient. Although the above settings add the segment below to the .htaccess file of your site, it may not have any effect unless the corresponding changes are made in the Nginx config file.

#AIOWPS_ENABLE_BRUTE_FORCE_PREVENTION_START
RewriteEngine On
RewriteCond %{REQUEST_URI} (wp-admin|wp-login)
RewriteCond %{REQUEST_URI} !(wp-admin/admin-ajax.php)
RewriteCond %{HTTP_COOKIE} !mysecreturl= [NC]
RewriteCond %{HTTP_COOKIE} !aiowps_cookie_test_mw778i4qrv= [NC]
RewriteRule .* http://127.0.0.1 [L]
#AIOWPS_ENABLE_BRUTE_FORCE_PREVENTION_END

Nginx Settings

In addition to the standard location block that handles PHP requests, this additional inner location block checks for the presence of a cookie named “mysecreturl”. If the cookie is present, the user is passed through to the wp-login page; otherwise the Nginx server drops the connection and returns HTTP status code 444.

location ~ \.php$ {
    include snippets/fastcgi-php.conf;

    # Inner block: applies only to wp-login.php and wp-admin.php (the dot is
    # escaped so the regex matches a literal "."). Note that, unlike the
    # .htaccess rule above, this does not cover every file under /wp-admin/;
    # WordPress itself redirects unauthenticated /wp-admin/ requests to wp-login.php.
    location ~* (wp-login|wp-admin)\.php$ {
        # No "mysecreturl" cookie: close the connection without a response,
        # so the request never reaches PHP-FPM.
        if ($http_cookie !~* "mysecreturl") {
            return 444;
        }
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
    }
    fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
}

HTTP error 444

HTTP status code 444 is a special, non-standard status code used by Nginx to indicate that the connection was closed without sending any response.

Making these changes will reduce the login attempts by automated bots to zero. In a subsequent blog post, we will look at some of the Nginx security settings that are relevant for any web application.
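Once the Nginx rule is live, dropped login attempts appear in the access log as status 444 with zero bytes sent. The following Python script is an added example (not code from the original article or from the AIOWP plugin) that tallies requests to wp-login.php and wp-admin.php per client IP from Nginx's default combined log format, so you can verify the rule is working and spot clients that keep hitting the guarded login; the log lines are constructed samples and the 5-request bot threshold is an assumed value.

```python
import re
from collections import Counter, defaultdict

# Assumes Nginx's default "combined" log_format; adjust if the site uses a custom one.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
# Same endpoints the inner Nginx location block guards (wp-login.php / wp-admin.php).
LOGIN_RE = re.compile(r'/(wp-login|wp-admin)\.php')

def summarise_login_attempts(lines):
    """Return {ip: {status: count}} for requests to the guarded login endpoints.

    Status 444 means Nginx dropped the request for lack of the secret cookie;
    200/302 means the cookie was present and the request reached PHP-FPM.
    """
    per_ip = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not LOGIN_RE.search(m.group("path")):
            continue
        per_ip[m.group("ip")][int(m.group("status"))] += 1
    return {ip: dict(counts) for ip, counts in per_ip.items()}

def dropped_clients(summary, threshold=5):
    """IPs with at least `threshold` dropped (444) login requests, i.e. likely bots (assumed threshold)."""
    return sorted(ip for ip, c in summary.items() if c.get(444, 0) >= threshold)

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = """\
203.0.113.5 - - [08/Oct/2019:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 444 0 "-" "Mozilla/5.0"
203.0.113.5 - - [08/Oct/2019:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 444 0 "-" "Mozilla/5.0"
203.0.113.5 - - [08/Oct/2019:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 444 0 "-" "Mozilla/5.0"
203.0.113.5 - - [08/Oct/2019:10:00:04 +0000] "GET /wp-admin.php HTTP/1.1" 444 0 "-" "Mozilla/5.0"
203.0.113.5 - - [08/Oct/2019:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 444 0 "-" "Mozilla/5.0"
192.0.2.9 - - [08/Oct/2019:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 444 0 "-" "python-requests/2.22"
192.0.2.9 - - [08/Oct/2019:10:01:01 +0000] "GET /wp-login.php HTTP/1.1" 444 0 "-" "python-requests/2.22"
198.51.100.7 - - [08/Oct/2019:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2341 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Oct/2019:10:05:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [08/Oct/2019:10:06:00 +0000] "GET /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "curl/7.58"
""".splitlines()

if __name__ == "__main__":
    summary = summarise_login_attempts(SAMPLE_LOG)
    print(summary)
    print("likely bots:", dropped_clients(summary))
```

The admin-ajax.php line is deliberately left out of the tally, mirroring the Nginx block, which only guards wp-login.php and wp-admin.php.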
