Self-hosting your WordPress site lets you set up and run it with a great deal of freedom. But that freedom has a cost: you must make sure the site is protected. You have to defend it against hackers, comment spam, and brute force attacks. Some of you may already have noticed bad bots looking for themes and plugins on your website; they are looking for weak spots to exploit. Others may not have noticed them, or are simply lucky because the site sits behind a web application firewall. Either way, you should do everything you can to protect your WordPress site.
Why do you have to protect your WordPress site?
The following are several ways your website can get hacked or abused:
- Brute force attacks on your login page – these bots try different usernames and passwords to get into your website.
- Comment spam – these evil bots try to post spam comments. They can even post comments on posts where commenting is disabled!
- Sniffing for unsafe themes and plugins – this kind of bot requests miscellaneous files on your website, looking for vulnerable themes and plugins.
- Indexing your blog – this bot keeps crawling all your pages just like the Google bot. Such bots are usually run to collect your data/content for statistics, link profiles and the like.
All of the above attacks put a higher load on your web server than your regular visitors do. The main problem is that the PHP code executed for every page view uses up memory (RAM). Since every web server has limited memory, bad bots can max out the server memory in a few minutes. Without you noticing, your site will go down, along with every other site on that server. So you have to limit the number of requests that reach PHP files and keep the evil bots away from your website.
Try installing WP Super Cache and use mod_rewrite for file caching
This is the simplest way to cut down the execution of PHP scripts. A cache plugin creates a copy of every requested page or post and serves that cached file instead of generating the whole page again. In my experience, WP Super Cache is a good option, because it is a well-maintained WordPress plugin that is easy to install.
On the WP Super Cache settings page, look for the caching options in the Advanced tab. There are three options: mod_rewrite, PHP, and legacy caching. The PHP option is not a good choice, because PHP code is still involved whenever a cached file is created or requested. I recommend the mod_rewrite option, as no PHP code is needed once the cached file has been created.
Keep the evil bots away
A web application firewall helps chase away the bad bots. One example is the 5G Blacklist. It provides a set of smart rules to copy and paste into your website's .htaccess file. These rules detect and block bad bots by their user-agent name, malicious query strings, and URL slugs. It doesn't offer full protection, but it is useful to a certain extent. If you use the 5G Blacklist together with WP Super Cache and mod_rewrite file caching, first disable this rule:
RedirectMatch 403 (\,|//|\)\+|/\,/|\{0\}|\(/\(|\.\.\.|\+\+\+|\|)
Otherwise it will produce a 403 error for every subpage.
Using the AVH First Defense Against Spam WordPress plugin is another way to chase off those evil bots. Apart from fighting spam, the plugin can block bad bots before they touch your website. AVH uses the IP blacklists from Stop Forum Spam, Spamhaus, and Project Honey Pot. You will need two API keys, which are freely available from Stop Forum Spam and Project Honey Pot.
Protect your site from Brute Force Attacks
The login page is a PHP script that needs memory to execute. To protect my site, I use Protect, a Jetpack module. It is a plugin that also relies on a cloud-based blacklist.
While many CAPTCHA or JavaScript-based plugins still let the request reach the PHP login script, Brute Protect blocks a bot before most of the PHP code is executed.
Hide the wp-login.php page and wp-admin directory
Another effective method is the WP Cerber plugin. With this plugin you can change the WordPress login URL and, most importantly, hide the wp-admin directory. If login attempts at the non-standard URL fail, the IP address is blocked after a couple of hacking attempts. I recommend this plugin if your website has a known group of users.
Just show a 404 – NOT FOUND error using .htaccess
The last protection for your WordPress site is crucial because of a general mod_rewrite rule present in every WordPress installation. It concerns the following mod_rewrite conditions in your .htaccess file, which WordPress creates when you set up SEO friendly permalinks:
# condition to check if a file doesn't exist
RewriteCond %{REQUEST_FILENAME} !-f
# condition to check if a directory doesn't exist
RewriteCond %{REQUEST_FILENAME} !-d
These conditions don't check whether a requested file belongs to a post or page. So if an evil bot is sniffing your site for some kind of files and those files don't exist, WordPress serves a nice 404 page. That page has no cached copy and needs all the database queries and PHP code. Think about what happens if a bot requests 100 missing files in a single minute, and how much memory that eats!
Therefore I recommend adding the following rules to your .htaccess file to avoid those 404 pages in future. Paste them above the default code from WordPress:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} \.(jpg|jpeg|png|gif|bmp|ico|css|js|swf|htm|html|txt|php)$ [NC]
RewriteRule .* - [R=404]
</IfModule>
This solution won't help everyone, but it's always worth trying. From my experience, it would be better to block the evil bots entirely. Usually that is not possible, as each bot's IP address would have to be blacklisted before it could be filtered.
Finally, I suggest you check the log files frequently and take action if you see anything abnormal. Have a nice day! 🙂
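One way to do that log check, as an added example that is not part of the original post: a Python script that scans Apache combined-format access log lines and flags IPs that pile up 404s on the same image/CSS/JS/PHP style paths the .htaccess rule above targets within one minute. The log lines, the 60-second window and the threshold of 10 are constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" access log format (one request per line).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# The same extensions the .htaccess 404 rule above targets.
PROBE_RE = re.compile(r'\.(jpg|jpeg|png|gif|bmp|ico|css|js|swf|htm|html|txt|php)$', re.I)

def parse_line(line):
    # Returns a dict with ip, ts (datetime), path, status, ua; None if unparseable.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_probing_ips(lines, window_s=60, threshold=10):
    # Maps each IP to the most 404s on probe-style paths seen inside any window_s-second
    # span; 404s on extension-less permalinks are ordinary misses and are ignored.
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        if PROBE_RE.search(rec["path"].split("?", 1)[0]):  # REQUEST_URI has no query string
            hits[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while (stamps[end] - stamps[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

# Constructed sample log: one bot probing for plugin readme files, one normal visitor.
SAMPLE_LOG = [
    f'198.51.100.23 - - [10/Mar/2024:12:00:{i:02d} +0000] "GET /wp-content/plugins/p{i}/readme.txt HTTP/1.1" 404 512 "-" "Mozilla/5.0"'
    for i in range(12)
] + [
    '203.0.113.5 - - [10/Mar/2024:12:00:30 +0000] "GET /2024/03/hello-world/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2024:12:00:31 +0000] "GET /missing-post/ HTTP/1.1" 404 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2024:12:00:32 +0000] "GET /old-logo.png HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
]
```

Running `find_probing_ips(SAMPLE_LOG)` flags only the probing IP; an IP that shows up here is a candidate for the firewall or plugin blacklists discussed above.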
Frequently Asked Questions
👾 What are bad bots exactly?
Bad bots are bots that hit your website without bringing any benefit, wasting server resources and possibly even skewing your Google Analytics data.
👾 How do I check if bad bots are hitting my site?
Wordfence's Live Traffic report shows all bots hitting your website in real time. There you can see whether suspicious bots are hitting your site.