How to protect your site’s admin panel from password guessing (brute-force attack)


The goal of this attack is to obtain the credentials for your site’s admin panel by trying combinations of the administrator login and password. Apart from the risk of a successful guess, the constant stream of login requests needed to try these combinations significantly increases the server load.
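A quick way to confirm that this is what is happening, as an added example that is not part of the original article: count the POST requests to the login URL per client address in the web server's access log. The script below assumes the default WordPress (wp-login.php) and Joomla (/administrator/index.php) login paths and the combined log format used by Apache and nginx; the log lines it works on are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: detect the attack described
# above by counting POST requests to the login URL per client IP in a
# combined-format access log. The sample log lines are constructed here;
# the login URLs assume the default WordPress and Joomla admin paths.

# Requests that carry credentials to the CMS login.
LOGIN_RE='"POST /(wp-login\.php|administrator/index\.php)'

# Print "count ip", highest first, for every client whose login POSTs reach
# THRESHOLD (default 10). Usage: login_bruteforcers LOGFILE [THRESHOLD]
login_bruteforcers() {
    logfile=$1
    threshold=${2:-10}
    grep -E "$LOGIN_RE" "$logfile" \
        | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' \
        | awk -v t="$threshold" '$1 + 0 >= t + 0' \
        | sort -rn
}

# Build a small constructed log: 12 login POSTs from 203.0.113.7 (the
# brute-forcer), 2 from 198.51.100.4, and GETs that must not be counted.
make_sample_log() {
    out=$1
    : > "$out"
    i=0
    while [ "$i" -lt 12 ]; do
        printf '%s\n' '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"' >> "$out"
        i=$((i + 1))
    done
    printf '%s\n' '198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"' >> "$out"
    printf '%s\n' '198.51.100.4 - - [10/Oct/2023:13:56:09 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"' >> "$out"
    printf '%s\n' '192.0.2.99 - - [10/Oct/2023:13:57:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"' >> "$out"
    printf '%s\n' '192.0.2.99 - - [10/Oct/2023:13:57:02 +0000] "GET /index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"' >> "$out"
}

# Stand-alone demo: prints one line, "12 203.0.113.7".
log=$(mktemp)
make_sample_log "$log"
login_bruteforcers "$log" 10
rm -f "$log"
```

Run it against the real log (for example `login_bruteforcers /var/log/apache2/access.log 20`) to get the attacking addresses; a single address with hundreds of login POSTs in a few minutes is the typical signature, and the addresses it prints are the ones to block or exclude from the IP allow-list in step 3 below.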

Solution:
1) Add a second layer of authentication in front of the admin panel, for example HTTP Basic authentication using the .htaccess and .htpasswd files.
Create a file named ".htpasswd" and generate its contents with a special tool (for example the htpasswd utility shipped with Apache), specifying the desired login and password; the file stores the password as a hash, never in plain text. The examples below keep it in the site root, but it is safer to store it outside the web-accessible directory (one level above the site root). If it does stay in the site root, Apache's default <Files ".ht*"> rule prevents it from being served; check that this rule is in effect on your server.

For Joomla, add the following lines to the ".htaccess" file in the /administrator/ folder (this protects the whole administrator directory):

AuthName "Access Denied"
AuthType Basic
AuthUserFile full_path_to_site_root/.htpasswd
Require valid-user

For WordPress, add the following lines to the ".htaccess" file in the root directory of the site (only wp-login.php is wrapped, so the public pages remain open):

AuthName "Private access"
AuthType Basic
AuthUserFile full_path_to_site_root/.htpasswd
<FilesMatch "wp-login.php">
Require valid-user
</FilesMatch>

In both snippets "full_path_to_site_root" is the absolute path from the root of the file system (for example /home/user/public_html), and "Require valid-user" must be written with a space. AuthUserFile needs an absolute path: a relative path is resolved against Apache's ServerRoot rather than the site directory, the password file is not found, and login requests fail with a server error instead of a password prompt.

2) Change the default address of the admin panel (for example by renaming or redirecting the login URL with a CMS extension). This only hides the panel from automated scanners; it does not replace authentication.
3) Restrict access to the site’s admin panel by IP address, so that only your own addresses (office, home, VPN) can reach the login page at all.
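Steps 1 and 3 can be combined in a single .htaccess so that the login page demands both a valid password and an allowed source address. The script below, an added example that is not part of the original article, generates the .htpasswd entry and prints the matching .htaccess fragments for WordPress and Joomla in Apache 2.4 syntax; the path /var/www/private/.htpasswd, the user name and the addresses are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article: generate the .htpasswd file
# and a hardened .htaccess that combines step 1 (Basic auth) with step 3
# (IP allow-list) in Apache 2.4 syntax. The paths, user name and addresses
# used below are hypothetical.

# Write USER's entry into the .htpasswd FILE. Prefers the htpasswd tool
# (bcrypt); falls back to openssl's apr1 scheme, which Apache also accepts.
# Assumption: apache2-utils/httpd-tools or openssl is installed.
# Note: -c creates (and overwrites) the file; drop it to add a second user.
make_htpasswd() {
    file=$1; user=$2; password=$3
    if command -v htpasswd >/dev/null 2>&1; then
        htpasswd -c -b -B "$file" "$user" "$password"
    elif command -v openssl >/dev/null 2>&1; then
        printf '%s:%s\n' "$user" "$(openssl passwd -apr1 "$password")" > "$file"
    else
        echo "make_htpasswd: need htpasswd or openssl" >&2
        return 1
    fi
    chmod 640 "$file"   # owner plus the web server's group, nobody else
}

# Print a WordPress root .htaccess fragment: wp-login.php (and xmlrpc.php,
# which also accepts WordPress credentials) require BOTH a valid password
# and an allowed source address.
# Usage: wp_login_htaccess /abs/path/.htpasswd IP_OR_CIDR...
wp_login_htaccess() {
    passwd_file=$1; shift
    printf 'AuthType Basic\nAuthName "Private access"\nAuthUserFile %s\n' "$passwd_file"
    cat <<'EOF'
<FilesMatch "^(wp-login\.php|xmlrpc\.php)$">
    <RequireAll>
        Require valid-user
EOF
    printf '        Require ip %s\n' "$*"
    cat <<'EOF'
    </RequireAll>
</FilesMatch>
EOF
}

# Same idea for Joomla's /administrator/.htaccess: the whole directory.
# Usage: joomla_admin_htaccess /abs/path/.htpasswd IP_OR_CIDR...
joomla_admin_htaccess() {
    passwd_file=$1; shift
    printf 'AuthType Basic\nAuthName "Access Denied"\nAuthUserFile %s\n' "$passwd_file"
    printf '<RequireAll>\n    Require valid-user\n    Require ip %s\n</RequireAll>\n' "$*"
}

# Stand-alone demo with hypothetical path and addresses. Create the password
# file first with, e.g.:
#   make_htpasswd /var/www/private/.htpasswd admin 'choose-a-long-passphrase'
wp_login_htaccess /var/www/private/.htpasswd 203.0.113.5 198.51.100.0/24
```

Redirect the output into the site's .htaccess (or /administrator/.htaccess for Joomla) and test from an address outside the list: it must get 403 before any password prompt. `RequireAll` and `Require ip` need Apache 2.4 (mod_authz_core); on Apache 2.2 the equivalent is `Order deny,allow`, `Deny from all`, `Allow from <addresses>` together with `Satisfy All`. Whenever the allow-list is used, keep at least one stable address (or a VPN exit) in it, otherwise you lock yourself out along with the attacker.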

General recommendations:

1. Update your CMS to the latest version.
New releases fix known vulnerabilities (including in the login code) and, as a rule, also optimize the scripts, so an up-to-date CMS is both safer and lighter on the server.

2. Use caching plugins.
As a result, you will not only get faster loading of site pages, but also a reduction in load.

3. Enable a PHP opcode cache: OPcache, which is built into PHP 5.5 and later, or on older PHP versions APC or XCache.
This avoids recompiling PHP scripts on every request, which shortens their execution time and, accordingly, reduces the load.

4. Protect feedback forms with CAPTCHA.
This blocks automated mass submissions and keeps your database from filling up with junk records and growing in size.

5. Delete old entries, such as outdated comments, from the database.
A smaller database means shorter query times.

6. For WordPress sites, disable rewriting of requests for non-existent content inside the wp-content/ directory.
When pretty permalinks (human-readable URLs) are enabled, every request for a file that does not exist is rewritten to index.php and the 404 response is generated by WordPress itself rather than by the web server, so a flood of requests for missing files under wp-content/ (images, plugin or theme assets) loads the whole PHP stack each time. To fix this, either switch off pretty permalinks or exclude wp-content/ from rewriting. If you want to keep pretty permalinks, create an .htaccess file in the root of the wp-content/ directory containing this single directive, so that Apache returns a plain 404 for missing files there:

RewriteEngine Off

