Lockouts can be done without a plugin. They do require a little work, if you can view your access logs and keep track of the offending IPs and then do some whois lookups to find the CIDR to block.

These are almost always NOT humans doing the login attempts, usually they are robots programmed to try every possible combination until they do break through. It is important to have a strong password and just as important not to allow malicious bots to keep knocking at the door - both for bandwidth and security.

There is plenty of information here in the Forums, the search link can help you find more details about blocking bots in .htaccess.

Well, I tried searching and read through several posts.

the two main workarounds are either:

allow access to a specific IP address (if your IP address doesn't change and you only access from one location),

or,

Use an htaccess file so that it checks that no one is accessing the page directly but is instead coming from a redirect.

The thing is, the code I am trying for the second solution isn't working. I am trying this:

RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^http://(.*)?mywebsite\.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]

I thought this would block anyone from going to the mydomain.com//wp-admin/wp-login.php page directly. I thought it would require me to go to JUST mydomain.com/wp-admin/

But I can still access the admin login when I type in the address directly.

I have this in a .htaccess file in the wp-admin folder.

Any suggestions?

Thanks in advance.

I used a plugin to harvest the bot's Ip's and added them to an htaccess file. As more showed up I expanded the ranges to encompass those in the same CIDR range. Lather, rinse repeat. With the IP's blocked the bandwith they used dropped too.

Can you tell me which plugin you used?

I am trying wordfence but it says that no ip addresses were captured

Also, can you share your .htacess file (or at least let me know what code I would need to add?)

Thanks in advance.

Or let me ask this:

What if I wanted the wp-admin pages accessed ONLY if someone went through a hidden page first?

So I would create a hidden page called:

hidden.php

and put a 301 redirect via php to:

wp-login.php

So I would like the .htaccess to reject anyone who didn't type mydomain/hidden.php into their browser.

Is that doable, and if so, would it break any functionality of different plugins or anything like that?

I am surprised that there is not already an option for this, or at least a plugin...

After n number of unsuccessful attempts by either IP/sessionID then the page redirects to a bye-bye come another day when you can get it right page.

[edited by: Kendo at 12:31 am (utc) on Aug 21, 2014]

Also forgot to mention that my blog is in a directory called /blog/ (instead of being in the root domain).

So do I have to change these lines in the .htaccess file?

RewriteCond %{HTTP_REFERER} !^http://(.*)?mywebsite\.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$

Man, htaccess is freaking killing me.

Can you tell me which plugin you used?

Limit Login Attempts [wordpress.org...]

As to the htaccess file - at some point I took the hint from here and began looking up netblocks of the countries where most attacks originate. As the customer's funds exchange occurs in the USA my blocking offshore countries has no effect on their fund raising. My resulting blocks ended up often encompaging large ranges.

Dropped SPAM attacks a bit too <G>

Thanks Hoople:

i will try out that plugin, although there is a warning that it hasn't been updated in two years.

@Planet13 - that htaccess code can't do much for you where it is. But if it was in the root directory, it could block you too.

BTW, a post just went up that gives instructions for an easy way that can help you see what is using the bandwidth: [webmasterworld.com...]

Thanks for the link, not2easy.

Of course, if there is one thing I hate more than .htaccess files, it is working with excel...

;-)

I use a plugin called "Rename wp-login.php" that does exactly that. If you go directly to wp-admin and you are not logged in you get a page that tells you to login, but now where, so only someone who knows the login URL can login.

Brute force attacks on wp-login.php get your 404 page. Hopefully attackers will give up after seeing this.

@ graeme_p

Thanks so much!

Glad to help, but do remember to note the new login URL or bookmark it. I did not the first time - luckily I had a vague memory of it and managed to guess.

@grame_p +5

:)

Personally I just block all access by IP and allow only my own IP. I do the same for the wp-admin directory too. Keeps most of the pests at bay.

Thanks Hoople:

i will try out that plugin, although there is a warning that it hasn't been updated in two years.

It could be no changes were needed in the last two years. Did you notice:

1 of 2 support threads in the last two months have been resolved.

To me that says it's being looked after, just not in a way that the WP site's staleness script can detect.

Personally I just block all access by IP and allow only my own IP. I do the same for the wp-admin directory too.

Is this done in .htaccess?
Can you recommend the code to use?

Personally I just block all access by IP and allow only my own IP. I do the same for the wp-admin directory too.

I would like to do that, but my IP addresses keep changing due to the fact that I am 1) Using DSL (and they change IP address fairly regularly), and 2) I access from three different computers at two different locations.

Is this done in .htaccess?
Can you recommend the code to use?

Sure.

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^xxx\.xxx\.xxx\.xxx$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

[added]Forgot to mention - if you didn't figure it out - the x's are placeholders. Replace with the IP you want to allow access with. You can use REGEX to specify a range or more than one[/added]

I just recently switched to using the above code. It blocks access to both my wp-login.php file and wp-admin directory.

I don't have to worry about access to my htaccess file as my host protects that.

I would like to do that, but my IP addresses keep changing...

Yea.. I know it's a pain. You could write the code to just include the first two blocks of the IP and that might catch most of the times when your IP changes. You could also get the IPs of the other locations you connect from and do the same.

[edited by: lorax at 11:28 am (utc) on Aug 25, 2014]

<IfModule mod_rewrite.c>

Is this relevant for mod_rewrite only? If so, I cannot use this code because I don't bother with URL rewrite on our sites.

It is part of the htaccess code generated by WordPress, without that, WP seems to have trouble following the orders you set in the settings panel. I removed the <ifModule wrapper once because it seemed unnecessary and redundant, but WP didn't work right without it. It may not make sense, but I won't remove it again. If you use WP you are rewriting URLs. Maybe not consciously but it's happening.

By coincidence, something that I noticed on one of our WordPress sites (before this topic started) was that there was no .htaccess file at all. To create a .htaccess file I had to enable URL rewriting by nominating the rewrite format.

Surely there must be a generic method that can be used that can be applied to all PHP sites?

>>I would like to do that, but my IP addresses keep changing due to the fact that I am 1) Using DSL (and they change IP address fairly regularly), and 2) I access from three different computers at two different locations.

most likely your dsl is using the same B class when it allocates new addresses, so you could at least restrict it to that as a start, ditto the other locations.

If you can SSH into the box hosting wordpress (or any other you have access to for that matter), then you can use the -D flag for port forwarding to use the server as a tunnel, giving you a static IP.

they change IP address fairly regularly

Fixed IP addresses are not always assigned. Some IPs will assign a fixed IP address to each account/location. But if they don't assign one, it doesn't hurt to ask. Some ISPs might charge an extra connection fee of $10 or you might be lucky like we were. Initially we were in partners with the ISP so a fixed IP address was no problem. Then when they were taken over, when we explained that we had a fixed IP address and that it was essential to our business, we got one assigned for free.

It doesn't hurt to ask... or shop around for another ISP.

@brotherhood of LAN, I have been using port forwarding for a while lots of things, and it never occurred to me to use it for blog admin! Good idea.

Another good idea to strengthen security may be to block some files in htaccess altogether: xmlrpc.php may be one, there are probably others that a lot of people can live without?

xmlrpc is the biggest risk and the install can live without it. I would be very leery of removing anything else. You can hide files, change file permissions, even move them to different directories if you wish.

Easy solutions is to restrict your admin folder to your IP address only. use deny from All. So except you, no one can browse your admin area. Its very simple and without any plugin.

I block all Chinese IP addresses in .htacess.

[edited by: lorax at 7:45 pm (utc) on Sep 3, 2014]
[edit reason] removed dead link [/edit]