Home / Forums Index / Code, Content, and Presentation / WordPress
How to deal with endless bot hits on wp-login.php
MrSavage
Msg#: 4590158 posted 4:42 am on Jul 4, 2013 (gmt 0)

This isn't something new but it's endless. I've installed Limit Login Attempts and various other login blockers. I've set those plugins to maximum lengths and bans. Pretty much across any server, on any site that I operate or look at. I've installed and used WordPress for ease of use. Editing htaccess files and messing around isn't what I signed on for.
Do people here just accept that their stats are junk and unreliable? That there is no realistic tracking of humans vs bots trying to hack WordPress? I'm not sure if I'm giving up, but even Limit Login Attempts can't deal with all the IPs. Essentially it sucks like the rest of them. I would appreciate any opinions on this. People who criticize or even mock WordPress have good ground to do so.

 

lucy24
Msg#: 4590158 posted 7:18 am on Jul 4, 2013 (gmt 0)

I had to laugh when I saw the header. I don't even USE wordpress... and my logs are still bloated with robots asking for the nineteen most common variants of the wp login and/or admin directories.

:: detour to log archives to see what's new on the 403 front ::

2.135.216.154 - - [25/Jun/2013:01:43:17 -0700] "GET /wp-login.php HTTP/1.0" 403 2265 "-" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
2.135.216.154 - - [25/Jun/2013:01:43:19 -0700] "GET /administrator/index.php HTTP/1.0" 403 2265 "-" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
2.135.216.154 - - [25/Jun/2013:01:43:20 -0700] "GET /admin.php HTTP/1.0" 403 2265 "-" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"

I don't know and don't care whether that's a blocked IP or if they just got the 403 by asking for a file in .php :)

Nutter
Msg#: 4590158 posted 7:20 pm on Jul 4, 2013 (gmt 0)

I stopped using stats programs that look at the raw stats like AWStats for pretty much that reason. Now I use a mix of Jetpack and Google Analytics. Jetpack for quick stuff and GA when I want to dig a bit deeper.

As far as hits on wp-login, I installed the Limit Login Attempts plugin and let it do its thing. One thing I've noticed is that every single attempt that it flags as invalid is trying to log in with the username admin. So, I make sure I'm not using that as a username.
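
Added example, not code from any poster in this thread: a POSIX shell/awk triage of Apache combined-format log lines like the three lucy24 pasted. It measures how much of a log is login/admin probing (the reason raw-log stats read as junk, as MrSavage and Nutter describe) and lists the addresses that cross a hit threshold as block candidates, minus your own address so you cannot feed yourself into a blocklist. The sample lines are constructed; the first three reuse lucy24's IP and paths, the remaining addresses come from documentation ranges. The probe-path list and the threshold are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: triage Apache combined-format
# access-log lines for login/admin probing. The sample lines are constructed;
# the first three reuse the IP and paths lucy24 pasted, the rest use
# documentation address ranges (RFC 5737).

SAMPLE_LOG=$(cat <<'EOF'
2.135.216.154 - - [25/Jun/2013:01:43:17 -0700] "GET /wp-login.php HTTP/1.0" 403 2265 "-" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
2.135.216.154 - - [25/Jun/2013:01:43:19 -0700] "GET /administrator/index.php HTTP/1.0" 403 2265 "-" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
2.135.216.154 - - [25/Jun/2013:01:43:20 -0700] "GET /admin.php HTTP/1.0" 403 2265 "-" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
198.51.100.7 - - [25/Jun/2013:02:10:01 -0700] "POST /wp-login.php HTTP/1.1" 200 3411 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [25/Jun/2013:02:10:02 -0700] "POST /wp-login.php HTTP/1.1" 200 3411 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [25/Jun/2013:02:10:04 -0700] "GET /xmlrpc.php HTTP/1.1" 200 42 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.5 - - [25/Jun/2013:08:00:00 -0700] "GET /wp-login.php HTTP/1.1" 200 3402 "-" "Mozilla/5.0 (Macintosh)"
203.0.113.5 - - [25/Jun/2013:08:00:09 -0700] "GET /wp-admin/ HTTP/1.1" 200 51200 "http://example.com/wp-login.php" "Mozilla/5.0 (Macintosh)"
192.0.2.44 - - [25/Jun/2013:09:12:33 -0700] "GET / HTTP/1.1" 200 12000 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.44 - - [25/Jun/2013:09:12:34 -0700] "GET /?p=12 HTTP/1.1" 200 9000 "http://example.com/" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.44 - - [25/Jun/2013:09:12:35 -0700] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 800 "http://example.com/?p=12" "Mozilla/5.0 (X11; Linux x86_64)"
EOF
)

# Login/admin entry points that anonymous visitors never need (assumed list).
# admin-ajax.php is deliberately absent: themes and plugins call it for the
# public, so counting it would flag real readers. Query strings are stripped
# before matching, and the pattern is anchored so /wp-login.php.bak-style
# paths are not swept in. No backslashes, so awk -v escape handling is moot.
PROBE_RE='^/(wp-login[.]php|xmlrpc[.]php|admin[.]php|administrator(/index[.]php)?/?|wp-admin/?)$'

# probe_hits: read combined-format log on stdin, print "count ip" for every
# client that requested a probe path, highest count first. $7 is the request
# path in the combined format ("GET /path HTTP/1.x" splits into $6 $7 $8).
probe_hits() {
    awk -v re="$PROBE_RE" '
        { path = $7; sub(/\?.*/, "", path) }
        path ~ re { hits[$1]++ }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -rn
}

# probe_share: how much of the log is probing, i.e. how far off an unfiltered
# "visitors" number from a raw-log stats package will be.
probe_share() {
    awk -v re="$PROBE_RE" '
        { total++; path = $7; sub(/\?.*/, "", path); if (path ~ re) probes++ }
        END { printf "%d/%d requests were login/admin probes (%.0f%%)\n",
                     probes, total, total ? 100 * probes / total : 0 }
    '
}

# block_candidates THRESHOLD [MY_IP]: addresses with at least THRESHOLD probe
# hits, one per line, excluding your own address. The threshold matters: a
# legitimate admin also hits wp-login.php, so a single hit proves nothing.
block_candidates() {
    probe_hits | awk -v min="$1" -v me="${2:-}" '$1 >= min && $2 != me { print $2 }'
}

# Stand-alone demo on the constructed sample. On a server, feed the real log:
#   probe_hits < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | probe_share
printf '%s\n' "$SAMPLE_LOG" | block_candidates 3
```

The output of block_candidates is one address per line, which pastes straight into a Deny from list or a firewall rule; pass your own address as the second argument before doing so. The share figure is the part to quote when someone asks whether the stats package's visitor count can be trusted.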

not2easy
Msg#: 4590158 posted 9:03 pm on Jul 4, 2013 (gmt 0)

On sites I manage that do not have WP installed, I use wp-login.php as a ticket to the robot trap. Saves me a lot of trouble.

On sites that do have WP installed, I just block the IP ranges, seldom any visitors from those ranges that I want anyway.

I also make sure I have done everything possible to make my sites a difficult target: Keep everything up to date, be careful of the plugins you choose, always have a complete backup, rename the table prefixes, secure your config file, use passwords that won't be simple to guess and don't ever post under a login username. Make login usernames as difficult as the password and use Nicknames to post with.

If nothing else, this gives you more time to catch and block their attempts.

MrSavage
Msg#: 4590158 posted 12:29 am on Jul 5, 2013 (gmt 0)

I've installed Limit Login Attempts with the strictest of rules. Probably 500+ banned IPs and no end in sight. It's like holding water in your hand while the tap continues to run.

Blocked ip ranges but that's a true test of patience. Unless there are extreme situations, it's rather futile.

The conclusion may simply be that there is no way of dealing with it. I'm sticking with WP but in a lot of ways it brings on every bot and every low life. Sort of like when you think of flies taking to ----.

Nutter I think you have pretty much summed it up. Ditch the stat programs and accept that as a downside of using WP.

lorax
Msg#: 4590158 posted 12:55 pm on Jul 5, 2013 (gmt 0)

I don't worry about the bot numbers. I am worried about access to my login and admin area so I block everyone but my IP.

Planet13
Msg#: 4590158 posted 8:31 pm on Jul 5, 2013 (gmt 0)

Just a quick question...

is it possible via .htaccess to block access to the WP login page for EVERYBODY if they don't arrive at that page via a link / redirect from another page?

maybe create a page called doorway.php on your site with a link to the login page and put a rule in htaccess that you can't access the wp login page if you don't come from that page first?

Anyway, don't know if this is possible or not.

MrSavage
Msg#: 4590158 posted 9:08 pm on Jul 5, 2013 (gmt 0)

@lorax, is that a "one and done" setup or is it ongoing when you update the wordpress version?

indyank
Msg#: 4590158 posted 5:00 pm on Jul 6, 2013 (gmt 0)

it is easy to restrict access to only your own ip...

The .htaccess file in your wp-admin folder should have this:

# Apache 2.2 access control (mod_authz_host): deny everyone, then allow one address
Order deny,allow
Deny from all
Allow from <your_ip_address>

replace <your_ip_address> with your actual ip address from where you would access the wordpress admin dashboard...

lucy24
Msg#: 4590158 posted 8:17 pm on Jul 6, 2013 (gmt 0)

is it possible via .htaccess to block access to the WP login page for EVERYBODY if they don't arrive at that page via a link / redirect from another page?

Most of the time, yes. Use either mod_rewrite or mod_setenvif to look at the referer. But it doesn't help with the 2% of users who simply don't send a referer. It also won't help if you have individual human users who choose to bookmark the login page itself.

lorax
Msg#: 4590158 posted 1:01 am on Jul 8, 2013 (gmt 0)

@MrSavage,

Largely do it once and forget about it. The only issue is that unless you have a dedicated IP connection to the INet, your IP addy will change at some point. Then all you need to do is to update the IP addy in the htaccess files to the new IP and you're good to go.

FYI - I modify the htaccess file in the web root to lock down wp-login.php and another htaccess file in the wp-admin directory to lock that directory down. The block only affects http calls and not FTP so you can still edit and upload files.
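
As an added example (these are not lorax's or indyank's actual files), here is a POSIX shell script that writes the two blocks lorax describes: a <Files wp-login.php> allowlist in the web root's .htaccess and a directory-wide allowlist in wp-admin/.htaccess. It emits the Order/Deny/Allow lines indyank posted, which are Apache 2.2 syntax, alongside the equivalent Require ip for Apache 2.4, each guarded by IfModule so only the form the running server understands is read. Two caveats a practitioner wants handled are built in: wp-admin/admin-ajax.php is re-opened, because themes and plugins call it on behalf of anonymous visitors and a blanket wp-admin block breaks them; and the script replaces its own marked block on re-run, so lorax's "my IP changed, update the file" step is one command and WordPress's own "# BEGIN WordPress" permalink rules in the root file survive. The document root, the marker text and the addresses are assumptions supplied by whoever runs it.

```shell
#!/bin/sh
# Added example, not code from the thread: write the web-root and wp-admin/
# .htaccess blocks lorax describes, so only the listed addresses reach
# wp-login.php and the dashboard. Docroot and addresses are assumptions.

MARK_BEGIN='# BEGIN wp-login lockdown'
MARK_END='# END wp-login lockdown'

# valid_ip ADDR: accept dotted IPv4, optionally with a /prefix, and nothing
# else, so a typo cannot turn into a directive that quietly allows everyone.
valid_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# render_allowlist ADDR...: the access-control lines. Require ip is Apache 2.4
# (mod_authz_core); Order/Deny/Allow is the 2.2 syntax indyank posted. Each
# sits in an IfModule so only the one matching the server is evaluated.
render_allowlist() {
    printf '<IfModule mod_authz_core.c>\n'
    for a in "$@"; do printf '  Require ip %s\n' "$a"; done
    printf '</IfModule>\n<IfModule !mod_authz_core.c>\n  Order deny,allow\n  Deny from all\n'
    for a in "$@"; do printf '  Allow from %s\n' "$a"; done
    printf '</IfModule>\n'
}

# root_block ADDR...: restrict wp-login.php only; the public site keeps serving.
root_block() {
    printf '%s\n<Files wp-login.php>\n' "$MARK_BEGIN"
    render_allowlist "$@"
    printf '</Files>\n%s\n' "$MARK_END"
}

# admin_block ADDR...: restrict all of wp-admin/, then re-open admin-ajax.php,
# which themes and plugins call for anonymous visitors.
admin_block() {
    printf '%s\n' "$MARK_BEGIN"
    render_allowlist "$@"
    printf '<Files admin-ajax.php>\n<IfModule mod_authz_core.c>\n  Require all granted\n</IfModule>\n'
    printf '<IfModule !mod_authz_core.c>\n  Order allow,deny\n  Allow from all\n</IfModule>\n</Files>\n'
    printf '%s\n' "$MARK_END"
}

# install_block FILE CONTENT: drop any earlier marked block from FILE and
# append the new one; everything else in the file (WordPress's own
# "# BEGIN WordPress" rewrite rules in the root .htaccess) is left untouched.
# This is what makes "my IP changed" a matter of re-running lock_down_wp.
install_block() {
    file=$1 content=$2 tmp="$1.tmp.$$"
    if [ -f "$file" ]; then
        awk -v b="$MARK_BEGIN" -v e="$MARK_END" \
            '$0 == b { skip = 1 } !skip { print } $0 == e { skip = 0 }' "$file" > "$tmp"
    else
        : > "$tmp"
    fi
    printf '%s\n' "$content" >> "$tmp"
    mv "$tmp" "$file"
}

# lock_down_wp DOCROOT ADDR...: validate every address, then write both files.
lock_down_wp() {
    docroot=$1; shift
    [ $# -ge 1 ] || { echo 'usage: lock_down_wp DOCROOT ADDR[/prefix]...' >&2; return 2; }
    for a in "$@"; do
        valid_ip "$a" || { echo "refusing to write: bad address '$a'" >&2; return 2; }
    done
    mkdir -p "$docroot/wp-admin"
    install_block "$docroot/.htaccess" "$(root_block "$@")"
    install_block "$docroot/wp-admin/.htaccess" "$(admin_block "$@")"
}

# Usage: ./wp_lockdown.sh /var/www/html 203.0.113.5 [198.51.100.0/24 ...]
if [ $# -ge 2 ]; then lock_down_wp "$@"; fi
```

Run it once with your current address (or your ISP's range, if you would rather not re-run it at every DHCP lease) and keep the FTP/SFTP route lorax mentions in mind: the block only applies to HTTP, so when the address changes and the dashboard 403s you, you still have a way in to edit the file.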

Planet13
Msg#: 4590158 posted 4:13 pm on Jul 8, 2013 (gmt 0)

Thank You, Lucy24!
