Home / Forums Index / Code, Content, and Presentation / WordPress
Forum Library, Charter, Moderators: lorax & rogerd

WordPress Forum

What's The Best Way To Deal With Blunt Force Attacks On Login Screen
Planet13




msg:4696836
 6:52 pm on Aug 20, 2014 (gmt 0)

Hi all:

The wordpress login page is - according to my log stats - the most popular page on my site. I am pretty sure that it is blunt force attacks trying to hack my site.


While I am not too worried about them actually hacking my site, since I have a strong password, I am concerned that I KEEP GOING OVER MY BANDWIDTH LIMIT set by my host.

Do you have recommendations on how to deal with this?

Again, my MAIN concern is my bandwidth usage first, then actual security second.

Also, it appears that the wordpress comments page is being attacked as well, so I would like to deter those attacks, too. I don't get many spam comments because of the captcha plugin I use, but again, I don't want all my bandwidth used up by these attacks.

BTW: I just installed the Wordfence plugin yesterday. Haven't really had a chance to see if the failed login attempts lockout feature will be effective or not. There doesn't seem to be any sort of lockout for comments, though.

 

not2easy




msg:4696841
 7:07 pm on Aug 20, 2014 (gmt 0)

Lockouts can be done without a plugin. They do require a little work, if you can view your access logs and keep track of the offending IPs and then do some whois lookups to find the CIDR to block.

These are almost always NOT humans doing the login attempts, usually they are robots programmed to try every possible combination until they do break through. It is important to have a strong password and just as important not to allow malicious bots to keep knocking at the door - both for bandwidth and security.

There is plenty of information here in the Forums, the search link can help you find more details about blocking bots in .htaccess.

Planet13




msg:4696882
 11:31 pm on Aug 20, 2014 (gmt 0)

Well, I tried searching and read through several posts.

the two main workarounds are either:

allow access to a specific IP address (if your IP address doesn't change and you only access from one location),

or,

Use an htaccess file so that it checks that no one is accessing the page directly but is instead coming from a redirect.

The thing is, the code I am trying for the second solution isn't working. I am trying this:

RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^http://(.*)?mywebsite\.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]

I thought this would block anyone from going to the mydomain.com/wp-admin/wp-login.php page directly. I thought it would require me to go to JUST mydomain.com/wp-admin/

But I can still access the admin login when I type in the address directly.

I have this in a .htaccess file in the wp-admin folder.

Any suggestions?

Thanks in advance.

Hoople




msg:4696891
 12:02 am on Aug 21, 2014 (gmt 0)

I used a plugin to harvest the bots' IPs and added them to an .htaccess file. As more showed up I expanded the ranges to encompass those in the same CIDR range. Lather, rinse, repeat. With the IPs blocked, the bandwidth they used dropped too.

Planet13




msg:4696892
 12:08 am on Aug 21, 2014 (gmt 0)

Can you tell me which plugin you used?

I am trying Wordfence but it says that no IP addresses were captured.

Also, can you share your .htaccess file (or at least let me know what code I would need to add)?

Thanks in advance.

Planet13




msg:4696899
 12:19 am on Aug 21, 2014 (gmt 0)

Or let me ask this:

What if I wanted the wp-admin pages accessed ONLY if someone went through a hidden page first?

So I would create a hidden page called:

hidden.php

and put a 301 redirect via php to:

wp-login.php

So I would like the .htaccess to reject anyone who didn't type mydomain/hidden.php into their browser.

Is that doable, and if so, would it break any functionality of different plugins or anything like that?

Kendo




msg:4696902
 12:30 am on Aug 21, 2014 (gmt 0)

I am surprised that there is not already an option for this, or at least a plugin...

After n number of unsuccessful attempts by either IP/sessionID then the page redirects to a bye-bye come another day when you can get it right page.

[edited by: Kendo at 12:31 am (utc) on Aug 21, 2014]

Planet13




msg:4696903
 12:31 am on Aug 21, 2014 (gmt 0)

Also forgot to mention that my blog is in a directory called /blog/ (instead of being in the root domain).

So do I have to change these lines in the .htaccess file?

RewriteCond %{HTTP_REFERER} !^http://(.*)?mywebsite\.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$

Man, htaccess is freaking killing me.

Hoople




msg:4696905
 12:31 am on Aug 21, 2014 (gmt 0)

Can you tell me which plugin you used?

Limit Login Attempts https://wordpress.org/plugins/limit-login-attempts/

As to the .htaccess file - at some point I took the hint from here and began looking up netblocks of the countries where most attacks originate. As the customer's funds exchange occurs in the USA, my blocking offshore countries has no effect on their fund raising. My resulting blocks ended up often encompassing large ranges.

Dropped SPAM attacks a bit too <G>

Planet13




msg:4696909
 12:46 am on Aug 21, 2014 (gmt 0)

Thanks Hoople:

I will try out that plugin, although there is a warning that it hasn't been updated in two years.

not2easy




msg:4696910
 12:47 am on Aug 21, 2014 (gmt 0)

@Planet13 - that htaccess code can't do much for you where it is. But if it was in the root directory, it could block you too.

BTW, a post just went up that gives instructions for an easy way that can help you see what is using the bandwidth: [webmasterworld.com...]

Planet13




msg:4696968
 6:03 am on Aug 21, 2014 (gmt 0)

Thanks for the link, not2easy.

Of course, if there is one thing I hate more than .htaccess files, it is working with excel...

;-)

graeme_p




msg:4697008
 10:33 am on Aug 21, 2014 (gmt 0)

I use a plugin called "Rename wp-login.php" that does exactly that. If you go directly to wp-admin and you are not logged in, you get a page that tells you to log in, but not where, so only someone who knows the login URL can log in.

Brute force attacks on wp-login.php get your 404 page. Hopefully attackers will give up after seeing this.

Planet13




msg:4697124
 4:16 pm on Aug 21, 2014 (gmt 0)

@ graeme_p

Thanks so much!

graeme_p




msg:4697328
 4:38 pm on Aug 22, 2014 (gmt 0)

Glad to help, but do remember to note the new login URL or bookmark it. I did not the first time - luckily I had a vague memory of it and managed to guess.

lorax




msg:4697416
 11:07 pm on Aug 22, 2014 (gmt 0)

@graeme_p +5

:)

Personally I just block all access by IP and allow only my own IP. I do the same for the wp-admin directory too. Keeps most of the pests at bay.

Hoople




msg:4697439
 1:49 am on Aug 23, 2014 (gmt 0)

>>Thanks Hoople: I will try out that plugin, although there is a warning that it hasn't been updated in two years.

It could be no changes were needed in the last two years. Did you notice:

1 of 2 support threads in the last two months have been resolved.

To me that says it's being looked after, just not in a way that the WP site's staleness script can detect.

Kendo




msg:4697474
 6:45 am on Aug 23, 2014 (gmt 0)

>>Personally I just block all access by IP and allow only my own IP. I do the same for the wp-admin directory too.


Is this done in .htaccess?
Can you recommend the code to use?

Planet13




msg:4697530
 2:51 pm on Aug 23, 2014 (gmt 0)

>>Personally I just block all access by IP and allow only my own IP. I do the same for the wp-admin directory too.

I would like to do that, but my IP addresses keep changing due to the fact that I am 1) Using DSL (and they change IP address fairly regularly), and 2) I access from three different computers at two different locations.

lorax




msg:4697611
 11:31 pm on Aug 23, 2014 (gmt 0)

>>Is this done in .htaccess?
>>Can you recommend the code to use?


Sure.


<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^xxx\.xxx\.xxx\.xxx$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>


[added]Forgot to mention - if you didn't figure it out - the x's are placeholders. Replace with the IP you want to allow access with. You can use REGEX to specify a range or more than one[/added]

I just recently switched to using the above code. It blocks access to both my wp-login.php file and wp-admin directory.

I don't have to worry about access to my htaccess file as my host protects that.

>>I would like to do that, but my IP addresses keep changing...

Yeah, I know it's a pain. You could write the code to just include the first two blocks of the IP and that might catch most of the times when your IP changes. You could also get the IPs of the other locations you connect from and do the same.

[edited by: lorax at 11:28 am (utc) on Aug 25, 2014]
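The rule set above, written out as an added example that is not lorax's code or anything else posted in this thread: a site-root .htaccess with the same allow-by-address idea, but with the path patterns anchored so that /wp-admin/ and everything under it is actually covered, an exemption for admin-ajax.php (the comment form, Heartbeat and many plugins call it without a logged-in user, which is the "will it break plugins" worry raised earlier), and a whole address block allowed for a connection that gets a new address inside the same block. The addresses 203.0.113.7, 198.51.x.x and 192.0.2.x are placeholders from the documentation ranges, not anything from the thread.

```apache
# Added example: restrict the WordPress login to known address ranges.
# Place in the site-root .htaccess (the directory holding wp-login.php),
# above the block WordPress generates. Addresses are RFC 5737
# placeholders; substitute your own.
<IfModule mod_rewrite.c>
RewriteEngine On

# Allow list. Every REMOTE_ADDR condition must hold (they are ANDed),
# so a request is blocked only if it matches none of these patterns.
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.7$
# "first two blocks" of a DSL address, i.e. a whole /16
RewriteCond %{REMOTE_ADDR} !^198\.51\.
# a single /24 for a second location
RewriteCond %{REMOTE_ADDR} !^192\.0\.2\.[0-9]+$

# Paths to protect. "^(.*)?wp-admin$" only matches a URI that ENDS in
# wp-admin, so "/wp-admin/" and its contents slip through; match the
# directory and everything beneath it instead. The two conditions are
# grouped by [OR] and then ANDed with the address conditions above.
RewriteCond %{REQUEST_URI} ^/wp-login\.php [OR]
RewriteCond %{REQUEST_URI} ^/wp-admin(/|$)

# Keep admin-ajax.php reachable so front-end features and plugins
# that call it anonymously keep working.
RewriteCond %{REQUEST_URI} !^/wp-admin/admin-ajax\.php$

# Refuse with 403; F implies L.
RewriteRule ^ - [F]
</IfModule>
```

If WordPress is installed in a subdirectory such as /blog/, prefix the paths (^/blog/wp-login\.php and ^/blog/wp-admin(/|$)). If the site sits behind a CDN or reverse proxy, REMOTE_ADDR is the proxy's address, not the visitor's, and this kind of allow list will lock you out until the real client address is restored (for example via mod_remoteip).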

Kendo




msg:4697723
 8:26 pm on Aug 24, 2014 (gmt 0)

>><IfModule mod_rewrite.c>


Is this relevant for mod_rewrite only? If so, I cannot use this code because I don't bother with URL rewrite on our sites.

not2easy




msg:4697729
 10:14 pm on Aug 24, 2014 (gmt 0)

It is part of the .htaccess code generated by WordPress; without that, WP seems to have trouble following the orders you set in the settings panel. I removed the <IfModule> wrapper once because it seemed unnecessary and redundant, but WP didn't work right without it. It may not make sense, but I won't remove it again. If you use WP you are rewriting URLs. Maybe not consciously, but it's happening.

Kendo




msg:4697882
 9:43 pm on Aug 25, 2014 (gmt 0)

By coincidence, something that I noticed on one of our WordPress sites (before this topic started) was that there was no .htaccess file at all. To create a .htaccess file I had to enable URL rewriting by nominating the rewrite format.

Surely there must be a generic method that can be used that can be applied to all PHP sites?

topr8




msg:4697887
 10:27 pm on Aug 25, 2014 (gmt 0)

>>I would like to do that, but my IP addresses keep changing due to the fact that I am 1) Using DSL (and they change IP address fairly regularly), and 2) I access from three different computers at two different locations.

Most likely your DSL is using the same class B block when it allocates new addresses, so you could at least restrict it to that as a start, ditto the other locations.

brotherhood of LAN




msg:4697889
 10:33 pm on Aug 25, 2014 (gmt 0)

If you can SSH into the box hosting wordpress (or any other you have access to for that matter), then you can use the -D flag for port forwarding to use the server as a tunnel, giving you a static IP.

Kendo




msg:4697942
 6:17 am on Aug 26, 2014 (gmt 0)

>>they change IP address fairly regularly


Fixed IP addresses are not always assigned. Some ISPs will assign a fixed IP address to each account/location. But if they don't assign one, it doesn't hurt to ask. Some ISPs might charge an extra connection fee of $10, or you might be lucky like we were. Initially we were in partnership with the ISP so a fixed IP address was no problem. Then when they were taken over, when we explained that we had a fixed IP address and that it was essential to our business, we got one assigned for free.

It doesn't hurt to ask... or shop around for another ISP.

graeme_p




msg:4697957
 6:39 am on Aug 26, 2014 (gmt 0)

@brotherhood of LAN, I have been using port forwarding for a while for lots of things, and it never occurred to me to use it for blog admin! Good idea.

Another good idea to strengthen security may be to block some files in htaccess altogether: xmlrpc.php may be one, there are probably others that a lot of people can live without?

lorax




msg:4698275
 11:47 am on Aug 27, 2014 (gmt 0)

xmlrpc is the biggest risk and the install can live without it. I would be very leery of removing anything else. You can hide files, change file permissions, even move them to different directories if you wish.

ansaripk




msg:4698313
 2:56 pm on Aug 27, 2014 (gmt 0)

An easy solution is to restrict your admin folder to your IP address only. Use deny from all. So except for you, no one can browse your admin area. It's very simple and without any plugin.
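The deny-from-all approach above, written out as an added example that is not ansaripk's configuration or anything else from the thread. It also answers the earlier question about a method that does not depend on mod_rewrite: plain access control with <Files> sections, in both Apache 2.4 (Require) and 2.2 (Order/Deny/Allow) syntax, plus the xmlrpc.php block suggested earlier and a wp-admin/.htaccess that keeps admin-ajax.php reachable. The addresses are documentation-range placeholders.

```apache
# Added example, not from the thread. Two files are shown, separated
# by the "----" comments. Addresses are RFC 5737 placeholders;
# substitute your own.

# ---- site root .htaccess ----

# Apache 2.4: mod_authz_core syntax
<IfModule mod_authz_core.c>
    <Files "wp-login.php">
        Require ip 203.0.113.7 198.51.100.0/16
    </Files>
    # xmlrpc.php serves remote-publishing clients and pingbacks; if
    # nothing you use depends on it, refuse it outright.
    <Files "xmlrpc.php">
        Require all denied
    </Files>
</IfModule>

# Apache 2.2: mod_authz_host syntax
<IfModule !mod_authz_core.c>
    <Files "wp-login.php">
        Order Deny,Allow
        Deny from all
        Allow from 203.0.113.7 198.51.100.0/16
    </Files>
    <Files "xmlrpc.php">
        Order Deny,Allow
        Deny from all
    </Files>
</IfModule>

# ---- wp-admin/.htaccess ----
# Restrict the whole directory but leave admin-ajax.php open: the
# comment form, Heartbeat and many plugins call it without a login.

<IfModule mod_authz_core.c>
    Require ip 203.0.113.7 198.51.100.0/16
    <Files "admin-ajax.php">
        Require all granted
    </Files>
</IfModule>

<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.7 198.51.100.0/16
    <Files "admin-ajax.php">
        Order Deny,Allow
        Allow from all
    </Files>
</IfModule>
```

A <Files> section in the root .htaccess matches the named file wherever it is requested under that tree, so a subdirectory install needs no path changes. As with any address-based allow list, check what REMOTE_ADDR actually holds if a proxy or CDN sits in front of the server before relying on it.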

wruppert




msg:4698315
 3:15 pm on Aug 27, 2014 (gmt 0)

I block all Chinese IP addresses in .htaccess.

[edited by: lorax at 7:45 pm (utc) on Sep 3, 2014]
[edit reason] removed dead link [/edit]
