Bruteforce attack

Getting hammered with bruteforce attempts on my WP brand site.

Bruteprotect plugin has been suggested by the server IT guy - anyone deal with this issue before or have any recommendations?
 
Whitelist any IPs you have of VAs, authors etc. that are out of the US, then have your IT guy block all IPs outside of the US to the /wp-admin and /wp-login page.

Use a plugin (maybe brute protect?) to limit log in attempts to 1 or 2 tries per IP, and then lock out the IP for the maximum time available - just make sure you don't lock yourself out.
 
Nice one man, that's a cool idea, so I will go ahead and get it done.
 
Yeah, just go into your .htaccess and add the following:

Code:
# prevent viewing of a specific file
<files wp-login.php>
order deny,allow
deny from all
allow from YOUR IP ADDRESS
allow from YOUR VA'S IP ADDRESS
</files>

Should dry it right on up. All of those "after 3 attempts ban the IP" plugins are goofy. NOBODY should be on your WP-login but the chosen few.
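
Added example, not part of the post above and not code from any plugin: a Python check over Apache access-log lines that reports which IPs are hammering wp-login.php and which non-allowlisted IPs still get something other than a 403, meaning the .htaccess rule is not being applied. The function name `audit_wp_login`, the threshold, the window, the IPs and the log lines are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log prefix: ip, [timestamp], "METHOD path ...", status
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def audit_wp_login(lines, allowlist, threshold=5, window=timedelta(minutes=1)):
    """Return (bursting, leaks) as sorted lists of IPs.
    bursting: IPs with >= threshold POSTs to wp-login.php inside `window`.
    leaks: IPs outside `allowlist` whose wp-login.php request was not
           answered with 403, i.e. the allowlist rule did not cover them."""
    recent = defaultdict(deque)          # ip -> timestamps of recent POSTs
    bursting, leaks = set(), set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                     # skip malformed lines
        ip, ts, method, path, status = m.groups()
        # endswith() also covers WordPress installed in a subdirectory
        if not path.split("?", 1)[0].endswith("/wp-login.php"):
            continue
        if ip not in allowlist and status != "403":
            leaks.add(ip)
        if method != "POST":
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:      # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            bursting.add(ip)
    return sorted(bursting), sorted(leaks)

# Constructed sample log (documentation-range IPs, made-up timestamps).
REQ = '"POST /wp-login.php HTTP/1.1"'
SAMPLE = (
    [f'203.0.113.7 - - [01/Jan/2024:10:00:{s:02d} +0000] {REQ} 200 3120'
     for s in range(0, 50, 10)]          # 5 attempts in 40 s, not blocked
    + [f'192.0.2.44 - - [01/Jan/2024:10:0{m}:00 +0000] {REQ} 403 210'
       for m in range(3)]                # slow attempts, already blocked
    + [f'198.51.100.20 - - [01/Jan/2024:10:05:00 +0000] {REQ} 302 0']
)

if __name__ == "__main__":
    print(audit_wp_login(SAMPLE, allowlist={"198.51.100.20"}))
```

An IP that shows up in the second list is reaching the login page despite the rule, which usually means the .htaccess file is not being read or the request is arriving through a proxy with a different source address.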
 
I use this in the admin folder:

Code:
# Limit logins and admin by IP
<Limit GET POST PUT>
order deny,allow
deny from all
allow from my ip
allow from my ip
</Limit>

Would this work well enough?
 
Today I received more than 200 messages coming from the contact form.
All those messages were sent in 2 minutes, with code as subject.

What can I do to be 'sure' nothing will be hacked, without using a plugin?
 