WordPress Brute Force Attack Protection

Knowledgebase Article

WordPress Brute Force Attack Protection

What is a Brute Force Attack?

First, lets explain what exactly is a Brute Force attack. A Brute Force login attack is a type of attack against a website by guessing the username and password over and over again in order to gain access to the website backend. WordPress is the most popular web application and therefore, it is a frequent target of this type of attack.

Luckily, LiteSpeed has a built-in WordPress brute force attack protection system, which is very easy to activate.

How Brute Force protection works?

LiteSpeed has a built-in WordPress protection directive: WordPressProtect which limits the number of login attempts to your back-end. This diective can be activated on an individual site level via the .htaccess file.

Usage: WordPressProtect [off|on|drop|deny|throttle, ] <limit>

The limit can be set together with the action, and can have a value of 0, 1, or between 5 and 1000.

- 0 is the same as off - disables WordPress protection.

- 1 is used at the virtual-host level to indicate that the server-level settings should be honored.

- 5 - 1000 enables WordPress protection and also specifies the login limit (Values lower than 5 will be treated as 5 (with the exception of 0 and 1), and values higher than 1000 will be treated as 1000)

Examples:

- WordPressProtect drop, 10 - drops the connection after 10 login attemopts.

- WordPressProtect throttle, 20 - throttle the connection after 20 login attempts.

- WordPressProtect 12 - after 12 login attempts, take the preferred action.

The drop, deny and throttle parameters configure how the server react once the login limit has been reached. By default, the connection will be throttled, however you can choose to drop the connection directly without any response, or deny the connection with a 403 message.

The <limit> is the maximum number of login attempts allowed within 5 minutes before the desired action is taken.

How to enable the WordPressProtect directive

The directive can be enabled from your .htaccess file. You can access it directly through the File Manager in your cPanel, or by using an FTP program.

Please note that the '.' in front of htaccess makes it a hiffen file, so make sure you have the "View Hidden Files" option enabled in File Manager, or your FTP program.

Once you have located the file, you can enable the WordPressProtect directive and set the desired limit and action. To do this, add the following code in the beggining of the file:

<IfModule Litespeed> 
 
WordPressProtect throttle, 5 

</IfModule>

Insted of 'throttle' you can use another action (drop/deny) and set the desired limit of login attempts (5-1000).