How to Discourage Brute Force by Blocking Author Scans in WordPress
A common technique used by hackers to gain unauthorized access to websites is called ‘Brute Force’. Using this technique, hackers use software designed to scan a website for vulnerabilities and gain access by exploiting any of them. One common entry point that these brute force bots try to exploit is by running an author scans. In this article, we will show you how to discourage brute force by blocking author scans in WordPress.
First lets understand what these brute force attempts are trying to do. At first they try to find a username on your blog or the author id. Often username used to sign into WordPress and the author name are the same. Once they find a username, then this solves 50% of the puzzle. Now they brute force your site to crack the password by trying various different password combinations.
To block author scanning on your website, simply add this code in .htaccess
file in WordPress root directory.
# BEGIN block author scans
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]
# END block author scans
This will block bots from running author scans on your website. Your website users can still access the author pages, but bots will not be able to do so.
We hope that you found this tip useful.