The bruteforce attacks against WordPress and Joomla login pages - as written here already: https://www.helpburo.eu/index.php?/News/NewsItem/View/67/massale-brute-force-pogingen-op-wordpress-sites - are getting worse all over the internet, not only on your server.
The problem is, that the attacks are coming from thousands of IPs in parallel, which even overloads those plug-ins. There exists currently only one solution:
1) Joomla installations
Use Plesk or DirectAdmin frontend to password-protect the directory /administrator of the Joomla installation
2) WordPress installations
For WordPress, we must password-protect the access to the file wp-login.php, as this one is opened directly by the attackers. This must be done manually:
a) create a .htpasswd file, either manually on the server or with an online tool like http://www.htaccesstools.com/htpasswd-generator/
b) place the .htpasswd file in the base directory of your WordPress installation
c) create in the base directory of your WordPress installation a .htaccess file with the following lines - if already a .htaccess file exists, add those lines to the absolute top of the file:
# Stop Apache from serving .ht* files
<Files ~ "^\.ht">
Deny from all
# Protect wp-login
AuthName "Private access"
require user XXXXX
- replace the XXXXX with the username you used in the .htpasswd file.
- replace /YYYYY with the full path to your hosting directory, eg:
/var/www/vhosts/testdomain.nl/httpdocs/.htpasswd (Plesk style)
/home/user/domains/testdomain.nl/public_html/.htpasswd (DirectAdmin style)
For server owners:
THIS MUST BE DONE FOR ALL WORDPRESS OR JOOMLA INSTALLATIONS ON THE SERVER!