How to deal with endless bot hits on wp-login.php

Forum Moderators: rogerd & travelin cat

Message Too Old, No Replies

How to deal with endless bot hits on wp-login.php

MrSavage

4:42 am on Jul 4, 2013 (gmt 0)

This isn't something new but it's endless. I've installed limit login attempts and other various login blockers. I've set those plugins to maximum lengths and bans. Pretty much across any server, on any site that I operate or look at. I've installed and used wordpress for ease of use. Editing htaccess files and messing around isn't what I signed on for.
Do people here just accept that their stats are junk and unreliable? That there is no realistic tracking of humans vs bots trying to hack wordpress? I'm not sure if I'm giving up, but even limit login attempts can't deal with all the IPs. Essentially it sucks like the rest of them. I would appreciate an opinions on this. People who criticize or even mock wordpress have good ground to do so.

lucy24

7:18 am on Jul 4, 2013 (gmt 0)

I had to laugh when I saw the header. I don't even USE wordpress... and my logs are still bloated with robots asking for the nineteen most common variants of the wp login and/or admin directories.

:: detour to log archives to see what's new on the 403 front ::

2.135.216.154 - - [25/Jun/2013:01:43:17 -0700] "GET /wp-login.php HTTP/1.0" 403 2265 "-" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0" 
2.135.216.154 - - [25/Jun/2013:01:43:19 -0700] "GET /administrator/index.php HTTP/1.0" 403 2265 "-" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0" 
2.135.216.154 - - [25/Jun/2013:01:43:20 -0700] "GET /admin.php HTTP/1.0" 403 2265 "-" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"

I don't know and don't care whether that's a blocked IP or if they just got the 403 by asking for a file in .php :)

Nutter

7:20 pm on Jul 4, 2013 (gmt 0)

I stopped using stats programs that look at the raw stats like AWStats for pretty much that reason. Now I use a mix of Jetpack and Google Analytics. Jetpack for quick stuff and GA when I want to dig a bit deeper.

As far as hits on wp-login, I installed the limit login attempts plugin and let it do its thing. One thing I've noticed is that every single attempt that it flags as invalid is trying to login with the username admin. So, I make sure I'm not using that as a username.

not2easy

9:03 pm on Jul 4, 2013 (gmt 0)

On sites I manage that do not have WP installed, I use wp-login.php as a ticket to the robot trap. Saves me a lot of trouble.

On sites that do have WP installed, I just block the IP ranges, seldom any visitors from those ranges that I want anyway.

I also make sure I have done everything possible to make my sites a difficult target: Keep everything up to date, be careful of the plugins you choose, always have a complete backup, rename the table prefixes, secure your config file, use passwords that won't be simple to guess and don't ever post under a login username. Make login usernames as difficult as the password and use Nicknames to post with.

If nothing else, this gives you more time to catch and block their attempts.

MrSavage

12:29 am on Jul 5, 2013 (gmt 0)

I've installed Limit Login Attempts with the strictest of rules. Probably 500+ banned IPs and no end in sight. It's like holding water in your hand while the tap continues to run.

Blocked ip ranges but that's a true test of patience. Unless there are extreme situations, it's rather futile.

The conclusion may simply be that there is no way of dealing with it. I'm sticking with WP but in a lot of ways it brings on every bot and every low life. Sort of like when you think of flies taking to ----.

Nutter I think you have pretty much summed it up. Ditch the stat programs and accept that as a downside of using WP.

lorax

12:55 pm on Jul 5, 2013 (gmt 0)

I don't worry about the bot numbers. I am worried about access to my login and admin area so I block everyone but my IP.

Planet13

8:31 pm on Jul 5, 2013 (gmt 0)

Just a quick question...

is it possible via .htaccess to block access to the WP login page for EVERYBODY if they don't arrive at that page via a link / redirect from another page?

maybe create a page called doorway.php on your site with a link to the login page and put a rule in htaccess that you can't access the wp login page if you don't come from that page first?

Anyway, don't know if this is possible or not.

MrSavage

9:08 pm on Jul 5, 2013 (gmt 0)

@lorax, is that a "one and done" setup or is it ongoing when you update the wordpress version?

indyank

5:00 pm on Jul 6, 2013 (gmt 0)

it is easy to retrict access to only your own ip...

The.htaccess file in your wp-admin folder should have this:

Order deny,allow
Deny from all
Allow from <your_id_address>

replace <your_id_address> with your actual ip address from where you would access the wordpress admin dashboard...

lucy24

8:17 pm on Jul 6, 2013 (gmt 0)

is it possible via .htaccess to block access to the WP login page for EVERYBODY if they don't arrive at that page via a link / redirect from another page?

Most of the time, yes. Use either mod_rewrite or mod_setenvif to look at the referer. But it doesn't help with the 2% of users who simply don't send a referer. It also won't help if you have individual human users who choose to bookmark the login page itself.

lorax

1:01 am on Jul 8, 2013 (gmt 0)

@MrSavage,

Largely do it once and forget about it. The only issue is that unless you have a dedicated IP connection to the INet, your IP addy will change at some point. Then all you need to do is to update the IP addy in the htaccess files to the new IP and you're good to go.

FYI - I modify the htaccess file in the web root to lock down wp-login.php and another htaccess file in the wp-admin directory to lock that directory down. The block only affects http calls and not FTP so you can still edit and upload files.

Planet13

4:13 pm on Jul 8, 2013 (gmt 0)

Thank You, Lucy24!