Keep WordPress Safe From Brute Force Attacks with Fail2ban

Security plugins for WordPress are very popular these days; I bet you have a list of must-have security plugins for your WordPress sites.

Among all the common security issues related to WordPress, I personally hate brute force attacks the most: one of them took a client's site down and caused a painful customer service experience. So last year, when I started some new WordPress sites on a Media Temple VPS, I chose to use Fail2ban to deal with such attacks.


Set Up Gandi Standard SSL Certificate on Nginx

If you register a domain name on Gandi.net, you get a free Standard SSL certificate from them for a year. The best part is that you don't have to apply for the SSL certificate right away; you can apply for it at any time during the first year of your domain name registration.

So yesterday, when I realized that 1fix.io (which is registered with them) will be renewed in about a month, it occurred to me that I still hadn't got an SSL certificate for my site, and now was about time.

The process is easy: you log into your Gandi account and purchase a Standard SSL certificate; at checkout, the amount is discounted to 0 if you haven't purchased one for your domain before. That means the first year (starting from the day you purchase the SSL certificate, not the domain) is free, and it costs $16 per year thereafter.

Basically I followed all the steps from Julien's post, Nginx #1: Set up Gandi Standard SSL Certificate. Even though I was pretty sure I had got everything right, I still couldn't get SSL working with Firefox, and it took me hours to find the solution.


Lessons learned after brute force attacks

A few days ago one of my sites was brute force attacked. The site is hosted on a shared server, and the web host shut my site down for consuming too many resources. After that I decided to dig into this issue a little deeper, so I started a discussion in a LinkedIn group called "WordPress Developers."

My question was: "My site got brute force attacked. Has anyone had the same experience? Would you please share how your hosting company dealt with it? Any suggestions on preventing DDoS or brute force attacks, or hosting recommendations, are welcome!"


Brute force attacks on shared hosting

Last night I got an email from my hosting company: they had shut down one of my WordPress sites because its login page was being brute force attacked. The support guy asked me whether I could recognize the source IP, and sent a link to Google search results about how to solve the problem, which meant I had to solve the problem by myself.

I was pretty upset when I got this email, but I still tried to block the IP in the .htaccess file. I found that the hosting company had changed the file permissions so that I couldn't update the .htaccess. The only thing I could do was reply to the email and call their EMERGENCY service number, which was answered by an answering machine, and ask them how I could fix anything if I couldn't edit the .htaccess file.
