Wordpress account brute-force cracking Protection

Source: Internet
Author: User
Tags wordpress blog wordpress version

Wordpress account brute-force cracking Protection

I. Modify the database table prefix

The default table prefix is wp _. If you have not modified the table prefix when installing the blog, you can refer to this article to modify the table prefix.

After the logon test is completed, if the system prompts "you do not have sufficient permissions to access this page" after the logon is successful, the prefix is not completely modified. Refer to this article to search for the remaining ones, then you can manually modify them one by one.

Ii. Remove wordpress features

Add the following code at the end of the functions. php file of the current topic (wp-contents/themes/xxx) to remove the WordPress version information, reducing the probability of feature extraction.

remove_action( 'wp_head', 'wp_generator');

3. Modify the Default User Name admin

The Default User name should not be admin. You can use an SQL statement to modify the admin user name:

UPDATE xxx_users SET user_login = 'username' WHERE user_login = 'admin';

Replace xxx in xxx_users with the prefix changed in step 1.

4. Protect wp-login.php

Add the following code to the functions. php file of the current topic:

add_action('login_enqueue_scripts','login_protection');function login_protection(){if($_GET['key'] !='pass')header('Location: /404.html');}

In this way, the only address for background login is http: // hostname/wp-login.php? Key = pass. If this address is not used, the 404.html page is automatically displayed.

We recommend that you change the above key pass to another string, such as wp-login.php? Zheshihoutaidizhi=hehehehehehehhhh,404.html can also be exchanged for the website home address http://blog.b1uew01f.net/http to bring.

At this time, because the access to/wp-admin/is directed to wp-login.php, after the modification, it will be redirected to the 404.html page again, which may also cause some confusion.

V. Host Security reinforcement

Wordpress blog is only a web application in the host. If the host security is not completed, it is easy to be attacked. Below are some articles I wrote about Configuring Secure linux servers, the core idea is to change the default service port and add a firewall to determine whether the service is vulnerable to brute force attacks.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.