Mitigating wp-login brute force attacks on Wordpress with Cloudflare

I can't speak any better than I already do about Cloudflare. Not only does it offer things like one-button HTTPS support, and not only does it act as a free CDN which performs as well as some of the paid options, but it's also a no-fuss DNS host where modifications to the DNS take minutes or even seconds -- not hours -- before they're applied. But I'm here to talk about how you can use Cloudflare to protect your WordPress install against brute force attacks.

I've been wrestling with my server for the last couple of weeks. Prince Ea's website has been the victim of a somewhat sophisticated brute force attack. Not only does the IP change for each and every single attempt, but it also paces itself so that it doesn't trigger anything I've set in fail2ban. My first goal was to prevent it from actually brute forcing: although I'm certain that it will never crack the login details without some sort of 0-day, attempting to log into the server thousands of times was straining the hell out of it. To mitigate this I moved the WordPress login page to a different URL in the hope that if the GET and POST requests fail for the spammer, there would be some sort of failsafe in the script which would make it stop. It didn't.

On to attempt number two: I noticed that it maintains the same UA string for the vast majority of attempts, so I decided to block it from accessing wp-login.php through Apache's .htaccess for the site. Surely if it's getting a 301 or 404 it would stop, right? Wrong. It didn't care. It just kept going on and on and on for days upon days.
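The pattern described above (a fresh source address for every attempt, paced to stay under a per-IP threshold, but a near-constant User-Agent) is exactly what a per-IP jail such as fail2ban cannot see. As an added illustration, not code from the post, the script below parses Apache combined-format log lines, counts POSTs to wp-login.php per minute both per address and site-wide, and reports the share of the most common User-Agent. The log lines are constructed for the demo and the thresholds are assumed values; the point is that a site-wide attempt-rate alarm fires where the per-IP one stays silent.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache "combined" log format:
# ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

FIREFOX_UA = "Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0"
OTHER_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36"


def _line(ip, second, method, path, ua):
    """Build one constructed log line at 10/Mar/2016 12:00:<second> UTC."""
    return (f'{ip} - - [10/Mar/2016:12:00:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" 200 3512 "-" "{ua}"')


# Constructed sample (not real traffic): 25 POSTs to wp-login.php inside one
# minute, one per source address, paced two seconds apart, 24 of them sharing
# a User-Agent; plus two ordinary requests that must not be counted.
SAMPLE_LINES = [
    _line(f"203.0.113.{i + 1}", i * 2, "POST", "/wp-login.php",
          OTHER_UA if i == 7 else FIREFOX_UA)
    for i in range(25)
] + [
    _line("198.51.100.7", 30, "GET", "/wp-login.php", FIREFOX_UA),
    _line("198.51.100.8", 31, "GET", "/", OTHER_UA),
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def login_posts(lines):
    """Yield only POSTs to wp-login.php: a GET merely renders the form."""
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"].split("?", 1)[0].endswith("/wp-login.php")):
            yield rec


def analyse(lines, window_seconds=60, per_ip_limit=5, site_limit=20):
    """Bucket login attempts into fixed windows and compare a per-IP threshold
    (what a fail2ban jail keys on) against a site-wide one (assumed limits)."""
    buckets = defaultdict(list)
    for rec in login_posts(lines):
        buckets[int(rec["ts"].timestamp()) // window_seconds].append(rec)
    findings = []
    for key in sorted(buckets):
        recs = buckets[key]
        per_ip = Counter(r["ip"] for r in recs)
        top_ua, top_ua_count = Counter(r["ua"] for r in recs).most_common(1)[0]
        findings.append({
            "window_start_epoch": key * window_seconds,
            "attempts": len(recs),
            "distinct_ips": len(per_ip),
            "per_ip_triggered": max(per_ip.values()) > per_ip_limit,
            "site_triggered": len(recs) > site_limit,
            "top_ua": top_ua,
            "top_ua_share": top_ua_count / len(recs),
        })
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LINES):
        print(finding)
```

Run against a real access log by reading the file line by line into `analyse`; a window where `site_triggered` is set while `per_ip_triggered` is not is the distributed, paced pattern the post describes, and a `top_ua_share` near 1.0 is the shared User-Agent the author used for the .htaccess block.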

I didn't want to set the site to Cloudflare's I'm Under Attack! mode, which has Cloudflare vet every incoming connection, but I did set the security level to High and that managed to mitigate some degree of the traffic. If I owned a more powerful server then that probably would have been enough, but I'm working with a low end VPS that only has a gig of memory and is hosting 10 or so different sites, as well as an IRC bouncer, so resources were strained enough as it is.

But then I thought about it again, and came up with the solution: using Cloudflare's Page Rules configuration, I could set it so that only wp-login.php - what the attackers were trying to brute force - is placed in I'm Under Attack mode. The process is fairly simple:

  1. Go to Cloudflare, log in, and select your WordPress site(s).
  2. Click on the Page Rules menu item.
  3. In the URL pattern textbox, write the following:

     http://*domain.com/wp-login.php*

     where domain.com is the domain of your WordPress installation. If your WordPress install is in a sub-directory, then add the sub-directory as well.
  4. Go to the Security Level option, and select I'm Under Attack.
  5. Repeat steps 3 and 4 for the URL http://*domain.com/wp-admin*

With that, you should now see a five-second vetting page every time you try to access your WordPress installation's wp-login.php and wp-admin. You can test to make sure that it's working by going to your wp-login.php page.
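As an added check (my code, not from the post), the matcher below mimics the `*` wildcard of a Cloudflare Page Rule URL pattern so you can see which URLs the two rules above cover before relying on them, and builds the JSON body for creating the same rule over the API; that body shape follows the Cloudflare v4 `POST /zones/{zone_id}/pagerules` request as I know it and is an assumption to verify against the current API docs. The sample URLs are constructed. Two things worth noticing: the pattern as written starts with `http://`, so an `https://` login URL is not a literal match (Cloudflare treats a pattern without a scheme as matching both, so confirm with its own rule tester before dropping the scheme), and `wp-admin*` also covers `/wp-admin/admin-ajax.php`, which WordPress themes and plugins call on behalf of anonymous visitors, so challenging it can break front-end features.

```python
import json
import re

# The two URL patterns from the post (domain.com stands for your own domain).
LOGIN_PATTERN = "http://*domain.com/wp-login.php*"
ADMIN_PATTERN = "http://*domain.com/wp-admin*"


def pattern_to_regex(pattern):
    """Turn a Page Rule URL pattern into a regex: '*' matches any run of
    characters (including none); everything else is matched literally."""
    pieces = (re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + ".*".join(pieces) + "$")


def matches(pattern, url):
    """True if the Page Rule pattern would apply to this full URL."""
    return pattern_to_regex(pattern).match(url) is not None


def coverage(patterns, urls):
    """Map each URL to the list of patterns that would catch it."""
    return {url: [p for p in patterns if matches(p, url)] for url in urls}


def page_rule_body(pattern, security_level="under_attack"):
    """JSON body for creating the rule via the API. The field names are the
    assumed shape of Cloudflare's v4 pagerules endpoint; verify before use."""
    return {
        "targets": [{"target": "url",
                     "constraint": {"operator": "matches", "value": pattern}}],
        "actions": [{"id": "security_level", "value": security_level}],
        "status": "active",
    }


# Constructed URLs exercising the cases a practitioner should check.
SAMPLE_URLS = [
    "http://domain.com/wp-login.php",
    "http://www.domain.com/wp-login.php?action=lostpassword",
    "http://domain.com/blog/wp-login.php",        # sub-directory install
    "https://domain.com/wp-login.php",            # login over TLS
    "http://domain.com/wp-admin/",
    "http://domain.com/wp-admin/admin-ajax.php",  # front-end AJAX endpoint
    "http://domain.com/",
]

if __name__ == "__main__":
    for url, hits in coverage([LOGIN_PATTERN, ADMIN_PATTERN], SAMPLE_URLS).items():
        print(f"{url:55} -> {hits or 'NOT COVERED'}")
    print(json.dumps(page_rule_body(LOGIN_PATTERN), indent=2))
```

The sub-directory URL shows up as not covered, which is the case the post's note about adding the sub-directory addresses; the `https://` URL shows why the scheme in the pattern deserves a second look on a site that uses Cloudflare's one-button HTTPS.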

Cloudflare should now catch 99.99% of any brute force attempts, but - as always - you should still ensure that you have a strong username (no "root", "admin" or "r00t" etc.) and a strong password to complement it.