WordPress/Joomla/Magento bruteforce server-wide protection with reCAPTCHA

By | April 10, 2016

A common way to protect the WordPress wp-admin, Joomla administrator and Magento admin/downloader directories against (automated) bruteforce password attacks is to password protect both directories with Basic Authentication. Webhosting companies could do this on a server-wide base through an Apache configuration that matches all wp-login.php and administrator requests. If a bot, or user, accessed the wp-admin (WordPress) or administrator (Joomla) page he was first forced to login. The bot would fail and never access the real WordPress or Joomla login, the user can successfully login with the username and password that was provided in the “AuthName” configuration. After authenticating the user was given access to his WordPress or Joomla login page during his browser session.




In March 2016 Google updated their Google Chrome browser and one of the new features was to hide the text in the AuthName configuration, meaning the needed login details for the additional login were not shown to visitors anymore, so our customers got confused as they didn’t know how to logon. It was time to develop a new, smarter and even easier, method of protecting the WordPress and Joomla login pages from bruteforce attacks while preventing bots to be able to bruteforce attack the loginpages. Disadvantages of the Basic Authentication are the need to login each time you access your site backend and the lack of information we can give the user about the additional login, two disadvantages that had to be avoided in our new solution.

Our new solution is based on Google’s reCAPTCHA. When an user (or bot) navigates to his/her WordPress/Joomla/Magento administrator page our Apache config does a lookup to see if the IP address of the visitor is in the allowed list. If the IP address is present, Apache actually does nothing and serves the requested page as it always does. If the IP address is not present the user (or bot) is redirected to a different page that is hosting a reCAPTCHA authentication. If the visitor is able to prove he is an human his IP address and the current datetime are saved to a mySQL database and the visitor is redirected to a page telling him he has successfully proved being a human and he has to wait 60 seconds to let the systems synchronize. In the meantime all “human” IP addresses that have authenticated within the last three months are exported to all webservers. This way all authenticated IP addresses can access all WordPress or Joomla sites on all webservers (connected to this system) without further authentication for the period of three months. When the three months are ended the user has to reprove that his IP address is used by an human.





Each webserver has the following relevant Apache configuration. As an additional bonus protection all POST requests to wp-login.php/admin-post/xmlrpc without referer are being denied, as normal logins always contain a referer. How you maintain your allowed list is up to you (we don’t provide the technique, but how we use it has been written above).


The RewriteMap file has to following syntax:


Advantages of this kind of protection:

  • Users have to authenticate once per three months.
  • Users do not have to login, checking the reCAPTCHA box is enough.
  • The protection is not website dependent, once authenticated the user can visit all WordPress, Joomla or Magento backends and login on WordPress, Joomla or Magento like he used to do.


Leave a Reply

Your email address will not be published. Required fields are marked *