Protecting WordPress accounts against brute-force cracking
I. Modify the database table prefix
The default table prefix is wp_. If you did not change the table prefix when installing the blog, you can refer to this article to change it.
After the change, test logging in. If you log in successfully but then see "you do not have sufficient permissions to access this page", the prefix has not been changed everywhere. Refer to this article to search for the remaining occurrences and change them manually, one by one.
II. Remove WordPress identifying features
Add the following code at the end of the functions.php file of the current theme (wp-content/themes/xxx) to remove the WordPress version information, which reduces the chance of the site being fingerprinted.
remove_action( 'wp_head', 'wp_generator');
III. Change the default user name admin
The user name should not be the default, admin. You can use an SQL statement to rename the admin user:
UPDATE xxx_users SET user_login = 'username' WHERE user_login = 'admin';
Replace xxx in xxx_users with the prefix you set in section I.
IV. Protect wp-login.php
Add the following code to the functions.php file of the current theme:
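add_action('login_enqueue_scripts', 'login_protection');
// Redirect to the 404 page unless the secret query parameter is present
function login_protection() {
    if (!isset($_GET['key']) || $_GET['key'] != 'pass') {
        header('Location: /404.html');
        exit; // stop rendering the login page after the redirect
    }
}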
With this in place, the only address for logging in to the admin area is http://hostname/wp-login.php?key=pass. Any request that does not use this address is redirected to the 404.html page.
We recommend changing the key and pass above to other strings, for example wp-login.php?zheshihoutaidizhi=hehehehehehehhhh. 404.html can also be replaced with the address of the site's home page, such as http://blog.b1uew01f.net/ (the http:// must be included).
Because requests to /wp-admin/ are redirected to wp-login.php, after this change they are redirected once more to the 404.html page, which may also cause some confusion.
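A stricter variant of the same gate, as an added example (not code from the original article). It hooks login_init, which runs before wp-login.php processes a submitted user name and password, whereas login_enqueue_scripts runs only while the login page is being rendered. The names LOGIN_GATE_PARAM, LOGIN_GATE_VALUE and the login_gate_* functions are assumptions made for this example, and the secret value is a placeholder.

```php
<?php
// Added example for the active theme's functions.php (not the article's code).
// LOGIN_GATE_PARAM / LOGIN_GATE_VALUE are hypothetical names; the value is a placeholder.
define('LOGIN_GATE_PARAM', 'key');
define('LOGIN_GATE_VALUE', 'REPLACE-WITH-A-LONG-RANDOM-STRING');

// True when the request (query string or form body) carries the expected secret.
function login_gate_key_ok() {
    if (!isset($_REQUEST[LOGIN_GATE_PARAM]) || !is_string($_REQUEST[LOGIN_GATE_PARAM])) {
        return false; // missing, or sent as an array (key[]=...)
    }
    // WordPress adds slashes to request data; undo that before comparing.
    $given = wp_unslash($_REQUEST[LOGIN_GATE_PARAM]);
    return hash_equals(LOGIN_GATE_VALUE, $given); // constant-time comparison
}

// login_init fires at the top of wp-login.php, before credentials are checked,
// so a POST sent straight to wp-login.php without the secret never reaches
// the authentication code.
function login_gate_check() {
    if (is_user_logged_in() || login_gate_key_ok()) {
        return; // logged-in users still need wp-login.php?action=logout
    }
    wp_safe_redirect(home_url('/404.html'));
    exit;
}
add_action('login_init', 'login_gate_check');

// The login form posts back to wp-login.php without the query string,
// so carry the secret in a hidden field to let the POST pass the gate.
function login_gate_field() {
    printf(
        '<input type="hidden" name="%s" value="%s" />',
        esc_attr(LOGIN_GATE_PARAM),
        esc_attr(LOGIN_GATE_VALUE)
    );
}
add_action('login_form', 'login_gate_field');
```

The lost-password form and the password form for protected posts also go through wp-login.php, so anonymous visitors are redirected away from them as well. The secret appears in URLs and server logs, so treat the gate as an extra layer on top of a non-default user name and a strong password.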
V. Host security hardening
A WordPress blog is only one web application on the host. If the host itself is not secured, it is easy to attack. Below are some articles I wrote about configuring secure Linux servers. The core idea is to change the default service port and add a firewall to determine whether the service is vulnerable to brute-force attacks.