Under attack by Brute force login bots


My website is under attack by bots which are trying to log in via random emails and passwords and are getting blocked by the Wordfence plugin. However, the issue is that they keep coming up with new IP addresses and I am getting around 100 requests in 1 minute, which is slowing my website down since the resource usage is getting too high!
The target URL for the bots is mywebsite.com/my-account
I would like to know the firewall rules that I can set up on Cloudflare to block such requests before they reach my website. Is there any possible rule which can block these bots?

Well, assuming you have unlikely usernames, particularly for admin, on the site…

With Wordfence, set it to block the IP for a while on the first attempt to log in to a non-existent username.

The bots are definitely getting their IP addresses banned; however, it is not stopping the attack. They are coming in from new IP addresses in different countries and trying to log in via some weird usernames or emails which do not even exist on my website.

This is the result of the brute force attack, and I am frequently getting the error “Error: Accessing database”.

I just purchased a rate limiter through Cloudflare and applied the rule below:

And I am amazed to see that within 20 mins it has blocked around 1.6k visitors/bots:

But the real issue is that even after having the rate limiter, the bots are still coming to my site and consuming a lot of resources, due to which the website is facing a lot of issues in terms of loading and database connectivity. What else can I do at my end to resolve this?
Do you suggest any changes to the rules or any additional firewall rules which might help me here?

Can I do this with firewall rules?

  1. Check for a cookie
  2. If the cookie doesn’t exist, redirect to another URL
  3. That URL sets a cookie, then redirects back to /my-account/
  4. If it’s their 2nd time on /my-account/ and still no cookie is set, redirect them to download the biggest file I could find?

If that’s doable via firewall rules, I request you to give me the steps for doing so.

Is your website login only used by yourself? You can lock the login page to a specific IP, ASN or country, for example.

I understand that, but it’s an eCommerce website used by clients, so I don’t think I will be able to do that.

Can you try challenging all requests to your login page? Create a Firewall Rule that matches on your login page URL and set the action to “JS Challenge” or “Challenge”.

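The two layers discussed in this thread, a challenge on the login page plus a rate limit on login POSTs, expressed as Cloudflare configuration. This is an added example written for this page, not code from the thread or from Cloudflare; it assumes the Terraform Cloudflare provider's `cloudflare_ruleset` resource (v3.x or later), a placeholder zone id, and that `managed_challenge` is the current equivalent of the dashboard's “Challenge” action.

```hcl
# Added example (not from the thread). Placeholder zone id; adjust paths to your site.
variable "zone_id" {
  description = "Cloudflare zone id for mywebsite.com (placeholder, assumed)"
  type        = string
}

# 1) Challenge every request to the login endpoints before it reaches the origin.
#    This is the "Challenge" Firewall Rule suggested in the thread.
resource "cloudflare_ruleset" "login_challenge" {
  zone_id = var.zone_id
  name    = "Challenge login endpoints"
  kind    = "zone"
  phase   = "http_request_firewall_custom"

  rules {
    action      = "managed_challenge"
    description = "Let browsers through, stop scripted logins at the edge"
    enabled     = true
    # /my-account is the WooCommerce login/registration page named in the thread;
    # /wp-login.php is WordPress's own login endpoint and is usually hit as well.
    expression = "(http.request.uri.path contains \"/my-account\") or (http.request.uri.path eq \"/wp-login.php\")"
  }
}

# 2) Rate limit POSTs (the actual login attempts) per source IP as a second layer.
resource "cloudflare_ruleset" "login_ratelimit" {
  zone_id = var.zone_id
  name    = "Rate limit login POSTs"
  kind    = "zone"
  phase   = "http_ratelimit"

  rules {
    action      = "block"
    description = "Block an IP for 10 minutes after 10 login POSTs within 60 seconds"
    enabled     = true
    expression  = "(http.request.uri.path contains \"/my-account\" or http.request.uri.path eq \"/wp-login.php\") and http.request.method eq \"POST\""
    ratelimit {
      characteristics     = ["cf.colo.id", "ip.src"]
      period              = 60
      requests_per_period = 10
      mitigation_timeout  = 600
    }
  }
}
```

Because the bots in this thread rotate source IPs, the per-IP rate limit alone mostly slows them down; the challenge rule is the layer that keeps scripted requests from reaching the origin regardless of IP. After applying it, check Wordfence's login-attempt log to confirm that origin traffic actually drops.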

Yea, that sounds like a plan! Will give it a try!
