If the site shows an “Error connecting to database” error, the access.log file is huge (several GB), and it contains many “POST /xmlrpc.php” or “POST /wp-login.php” requests, the site is under a brute-force attack: every login attempt makes WordPress query the database, and the flood exhausts its connections.
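A quick way to confirm this from the log, as an added example (not part of the original post): a single awk pass over access.log counts POST requests to wp-login.php and xmlrpc.php per client IP and lists the clients at or above a threshold. The log lines are constructed samples in Apache combined format, and login_post_counts is a hypothetical helper name.

```shell
#!/bin/sh
# Constructed sample of Apache combined-log lines (not taken from a real server).
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
EOF
)

# login_post_counts LOGFILE [THRESHOLD]
# Prints "count ip" for every client that sent at least THRESHOLD (default 1)
# POST requests to wp-login.php or xmlrpc.php, busiest client first.
# LOGFILE may be "-" to read from stdin. In combined-log format field 1 is the
# client IP, field 6 is the quoted method ("POST) and field 7 the request path,
# so the match also catches paths that carry a query string.
login_post_counts() {
    threshold="${2:-1}"
    awk -v t="$threshold" '
        $6 == "\"POST" && $7 ~ /^\/(wp-login|xmlrpc)\.php/ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) printf "%d %s\n", n[ip], ip }
    ' "$1" | sort -rn
}

# Stand-alone run on the sample: clients with two or more login/XML-RPC POSTs.
printf '%s\n' "$SAMPLE_LOG" | login_post_counts - 2
```

On a real multi-gigabyte log, run it as `login_post_counts /var/log/apache2/access.log 100`; the threshold only filters the output, the counting is still one pass over the file.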

How to stop it?

I. Password-protect wp-login.php

1. Generate a .htpasswd file (e.g. with http://www.htaccesstools.com/htpasswd-generator/) and put it in a folder such as /var/www. The htpasswd tool that ships with Apache (htpasswd -c [ABSOLUTE PATH]/.htpasswd USERNAME) creates the same file locally without sending the password to a third-party site.
Note: the following command generates a random password to use:

openssl rand -base64 6

2. Add the following to the .htaccess file in the directory that contains wp-login.php (usually the root folder of the WordPress installation). Replace [ABSOLUTE PATH] with the directory the .htpasswd file was placed in, and USERNAME-SET-IN-HTPASSWD with the user name chosen in step 1.

# Stop Apache from serving .ht* files
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

# Protect wp-login
<Files wp-login.php>
AuthUserFile [ABSOLUTE PATH]/.htpasswd
AuthName "Private access"
AuthType Basic
require user USERNAME-SET-IN-HTPASSWD
</Files>

Reference: “Brute Force Attacks” on WordPress.org

II. Stop access to xmlrpc.php

If XML-RPC is not used (the WordPress mobile apps, Jetpack and remote-publishing clients need it; plain browser logins do not), block access to it by adding the following to the .htaccess file. The Order/Deny syntax below is the Apache 2.2 form; it still works on Apache 2.4 when mod_access_compat is loaded, otherwise use “Require all denied” inside the <Files> block instead.

<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
