
WordPress Login Security with Nginx and the Jetpack Plugin

- August 15, 2016

There are dozens of plugins that are supposed to offer WordPress login security. Most of them are obsolete. The “Protect” module in the Jetpack plugin is the best of the bunch, specifically designed to stop brute force login attempts.

Nginx can augment the login security the Jetpack plugin offers, but only for people who have access to the configuration files. The instructions I’m offering only pertain to you if you’re one of those people.

WordPress Login Security and the Jetpack Protect Module

The Protect module started as an independent service. It blocked more than a hundred million attacks across more than 100,000 websites before it was acquired by Automattic in August of 2014. The way it works is if any single IP has too many failed attempts in a short period, it’s blocked from logging in to any website with the same module activated.

Since it’s possible to accidentally block yourself, especially when you have Internet connection issues, you have to white list your IP address (or addresses) in the module. You probably don’t have a static IP address, so putting in the subnet that covers your IP address is a good idea.

While this module will protect you from brute force login attempts, it won’t stop someone from trying once an hour for days at a time. Some hackers have nothing but time on their hands.

WordPress Login Security and Nginx

With Nginx, you can restrict the login page and the admin area itself to the same subnet. You can do it with the Nginx geo module and a few lines of code in the main configuration file (nginx.conf) and then a few lines in your virtual host (“server”) configuration file. See my article on an application firewall to see the code.

That code won’t stop someone from trying once an hour for days at a time either. What it will do is narrow the places the attacks can come from.

You can’t use that Nginx code if your website allows registrations and logins from anywhere in the world, but there’s some other code you can use with the Nginx limit request module. Use this in your main configuration file:

limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

Use this corresponding code in your virtual host configuration file:

location = /wp-login.php {
    limit_req zone=one burst=1 nodelay;
}

What this does is keep anyone from trying to log in more than once per second. Some bots will do that and so will stuck keys.
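To see what rate=1r/s with burst=1 actually lets through, here is an added Python model of the limit_req leaky-bucket accounting (example code written for this page, not code from the article or from Nginx itself; the accounting rule in the comments is an assumption about how Nginx counts, and the request timestamps are constructed).

```python
"""Model of nginx limit_req accounting for the zone "one" configured above.

Assumed rule (simplified from nginx's leaky bucket): per client, nginx keeps
the time of the last accepted request and an "excess" measured in
thousandths of a request. Each new request adds 1000 to the excess after
draining it at `rate` per second since the last accepted request. If the
result exceeds burst*1000 the request is rejected with 503 and the state is
left untouched; otherwise it is accepted and the state is updated.
"""
from typing import Dict, List, Tuple


def simulate(rate_rps: float, burst: int, requests: List[Tuple[str, int]]) -> List[str]:
    """Return 'pass' or '503' for each (client_ip, time_ms) request, in order.

    nodelay only decides whether accepted-but-over-rate requests are served
    immediately or queued; it does not change which requests are rejected,
    so it is not modelled here.
    """
    state: Dict[str, Tuple[int, float]] = {}   # ip -> (last_ms, excess)
    decisions = []
    for ip, now_ms in requests:
        if ip not in state:                     # first request from this IP always passes
            state[ip] = (now_ms, 0.0)
            decisions.append("pass")
            continue
        last_ms, excess = state[ip]
        # drain the bucket for the elapsed time, then add this request
        excess = max(excess - rate_rps * (now_ms - last_ms) + 1000, 0.0)
        if excess > burst * 1000:
            decisions.append("503")             # rejected; state unchanged
        else:
            state[ip] = (now_ms, excess)
            decisions.append("pass")
    return decisions


# Constructed sample: one client hammering wp-login.php, one normal client.
SAMPLE = [("203.0.113.5", 0), ("203.0.113.5", 200), ("203.0.113.5", 400),
          ("198.51.100.7", 450), ("203.0.113.5", 1500)]

if __name__ == "__main__":
    print("burst=1:", simulate(1, 1, SAMPLE))   # second quick try passes, third gets 503
    print("burst=0:", simulate(1, 0, SAMPLE))   # strictly one request per second
```

Running it shows that burst=1 lets a second request through within the same second before the 503s start, while burst=0 enforces the one-per-second rate strictly.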

WordPress Login Security and non-WordPress Websites

The Jetpack Protect module may or may not be ported to other platforms. The Nginx modules work with all of them. Only the admin area directory and login page names differ.

RTCXpression established Feb 28, 2011
Copyright © 2013-2017 RT Cunningham
Hosted at Digital Ocean