The Wild Wild West continues — maintaining my WordPress blog
Brute-force attacks are so common on WordPress sites. Let’s deal with them.
You can tell from this access log that someone is trying to brute-force my admin account password. Besides that, every time this ‘visit’ comes, WordPress calls its wp-cron.php.
I Googled wp-cron.php. It’s a task runner function that helps set up and run your scheduled mundane tasks.
First, event-driven task runners are great things, but triggered by every HTTP request? Hmm.
(The more I learn about WP, the more I find out about all the function and DB calls WP makes back and forth on every request.)
Second, I don’t need it, for now.
So, let’s deal with the brute force, then disable wp-cron.php.
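One way to quantify what the access log above shows, as an added example that is not part of the original post: it counts failed POSTs to wp-login.php per client and the wp-cron.php hits logged alongside them. The log lines are constructed, and the 200-on-failure / 302-on-success convention and the threshold of 3 are assumptions.

```python
import re
from collections import Counter

# Combined Log Format prefix: ip ident user [time] "METHOD path PROTO" status
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample (documentation IP ranges), not the log from the post.
# 198.51.100.20 stands in for the server's own address making the cron call.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2016:04:10:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2300 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2016:04:10:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.20 - - [01/Jan/2016:04:10:02 +0000] "POST /wp-cron.php?doing_wp_cron=1451621402.1 HTTP/1.0" 200 0 "-" "WordPress"
203.0.113.7 - - [01/Jan/2016:04:10:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2016:04:10:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2016:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2016:09:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is not an access-log entry
"""


def summarize(log_text, threshold=3):
    """Count failed wp-login.php POSTs per client and wp-cron.php hits.
    Assumption: stock WordPress re-renders the form (200) on a failed login
    and redirects (302) on success, so POST + 200 is treated as a failure.
    """
    failed = Counter()
    success_after_failures = []
    cron_hits = 0
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip anything that is not a log entry
        ip, method, target, status = m.groups()
        path = target.split("?", 1)[0]  # drop the query string
        if path == "/wp-cron.php":
            cron_hits += 1
        elif path == "/wp-login.php" and method == "POST":
            if status == "200":
                failed[ip] += 1
            elif status == "302" and failed[ip] >= threshold:
                success_after_failures.append(ip)  # login succeeded after many misses
    suspects = {ip: n for ip, n in failed.items() if n >= threshold}
    return {"suspects": suspects, "success_after_failures": success_after_failures,
            "cron_hits": cron_hits}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A client listed under `success_after_failures` is the case to look at first, since it logged in after crossing the failure threshold.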
Reduce brute-force attacks with ReCaptcha
I’m very satisfied with ReCaptcha in my portfolio email form. Let’s reuse it here. Thanks to WordPress’s impressive community, a well-written plugin is already there: WordPress ReCaptcha Integration. Just a few clicks and it’s working for my admin login page, the beauty of WordPress really. Let’s see if it’s enough to discourage the attacks.
Add two lines of code to wp-config.php in your site’s root directory.
/** Disable wp-cron.php */
define('DISABLE_WP_CRON', true);