
What's The Best Way To Deal With Blunt Force Attacks On Login Screen

     
6:52 pm on Aug 20, 2014 (gmt 0)

WebmasterWorld Senior Member planet13 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



Hi all:

The wordpress login page is - according to my log stats - the most popular page on my site. I am pretty sure that it is blunt force attacks trying to hack my site.


While I am not too worried about them actually hacking my site, since I have a strong password, I am concerned that I KEEP GOING OVER MY BANDWIDTH LIMIT set by my host.

Do you have recommendations on how to deal with this?

Again, my MAIN concern is my bandwidth usage first, then actual security second.

Also, it appears that the wordpress comments page is being attacked as well, so I would like to deter those attacks, too. I don't get many spam comments because of the captcha plugin I use, but again, I don't want all my bandwidth used up by these attacks.

BTW: I just installed the wordfence plugin yesterday. Haven't really had a chance to see if the failed login attempts lockout feature will be effective or not. There doesn't seem to be any sort of lockout for comments, though.
7:07 pm on Aug 20, 2014 (gmt 0)

WebmasterWorld Administrator 5+ Year Member Top Contributors Of The Month



Lockouts can be done without a plugin. They do require a little work, if you can view your access logs and keep track of the offending IPs and then do some whois lookups to find the CIDR to block.

These are almost always NOT humans doing the login attempts, usually they are robots programmed to try every possible combination until they do break through. It is important to have a strong password and just as important not to allow malicious bots to keep knocking at the door - both for bandwidth and security.

There is plenty of information here in the Forums, the search link can help you find more details about blocking bots in .htaccess.
11:31 pm on Aug 20, 2014 (gmt 0)

WebmasterWorld Senior Member planet13 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



Well, I tried searching and read through several posts.

The two main workarounds are either:

allow access to a specific IP address (if your IP address doesn't change and you only access from one location),

or,

Use an htaccess file so that it checks that no one is accessing the page directly but is instead coming from a redirect.

The thing is, the code I am trying for the second solution isn't working. I am trying this:

RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^http://(.*)?mywebsite\.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]

I thought this would block anyone from going to the mydomain.com/wp-admin/wp-login.php page directly. I thought it would require me to go to JUST mydomain.com/wp-admin/

But I can still access the admin login when I type in the address directly.

I have this in a .htaccess file in the wp-admin folder.

Any suggestions?

Thanks in advance.
12:02 am on Aug 21, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I used a plugin to harvest the bots' IPs and added them to an htaccess file. As more showed up I expanded the ranges to encompass those in the same CIDR range. Lather, rinse, repeat. With the IPs blocked the bandwidth they used dropped too.
12:08 am on Aug 21, 2014 (gmt 0)

WebmasterWorld Senior Member planet13 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



Can you tell me which plugin you used?

I am trying wordfence but it says that no IP addresses were captured.

Also, can you share your .htaccess file (or at least let me know what code I would need to add)?

Thanks in advance.
12:19 am on Aug 21, 2014 (gmt 0)

WebmasterWorld Senior Member planet13 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



Or let me ask this:

What if I wanted the wp-admin pages accessed ONLY if someone went through a hidden page first?

So I would create a hidden page called:

hidden.php

and put a 301 redirect via php to:

wp-login.php

So I would like the .htaccess to reject anyone who didn't type mydomain/hidden.php into their browser.

Is that doable, and if so, would it break any functionality of different plugins or anything like that?
12:30 am on Aug 21, 2014 (gmt 0)

10+ Year Member



I am surprised that there is not already an option for this, or at least a plugin...

After n number of unsuccessful attempts by either IP/sessionID then the page redirects to a bye-bye come another day when you can get it right page.

[edited by: Kendo at 12:31 am (utc) on Aug 21, 2014]

12:31 am on Aug 21, 2014 (gmt 0)

WebmasterWorld Senior Member planet13 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



Also forgot to mention that my blog is in a directory called /blog/ (instead of being in the root domain).

So do I have to change these lines in the .htaccess file?

RewriteCond %{HTTP_REFERER} !^http://(.*)?mywebsite\.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$

Man, htaccess is freaking killing me.
12:31 am on Aug 21, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Can you tell me which plugin you used?

Limit Login Attempts [wordpress.org...]

As to the htaccess file - at some point I took the hint from here and began looking up netblocks of the countries where most attacks originate. As the customer's funds exchange occurs in the USA my blocking offshore countries has no effect on their fund raising. My resulting blocks ended up often encompassing large ranges.

Dropped SPAM attacks a bit too <G>
12:46 am on Aug 21, 2014 (gmt 0)

WebmasterWorld Senior Member planet13 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



Thanks Hoople:

I will try out that plugin, although there is a warning that it hasn't been updated in two years.
12:47 am on Aug 21, 2014 (gmt 0)

WebmasterWorld Administrator 5+ Year Member Top Contributors Of The Month



@Planet13 - that htaccess code can't do much for you where it is. But if it was in the root directory, it could block you too.

BTW, a post just went up that gives instructions for an easy way that can help you see what is using the bandwidth: [webmasterworld.com...]
6:03 am on Aug 21, 2014 (gmt 0)

WebmasterWorld Senior Member planet13 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



Thanks for the link, not2easy.

Of course, if there is one thing I hate more than .htaccess files, it is working with excel...

;-)
10:33 am on Aug 21, 2014 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



I use a plugin called "Rename wp-login.php" that does exactly that. If you go directly to wp-admin and you are not logged in you get a page that tells you to login, but not where, so only someone who knows the login URL can login.

Brute force attacks on wp-login.php get your 404 page. Hopefully attackers will give up after seeing this.
4:16 pm on Aug 21, 2014 (gmt 0)

WebmasterWorld Senior Member planet13 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



@ graeme_p

Thanks so much!
4:38 pm on Aug 22, 2014 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



Glad to help, but do remember to note the new login URL or bookmark it. I did not the first time - luckily I had a vague memory of it and managed to guess.
11:07 pm on Aug 22, 2014 (gmt 0)

WebmasterWorld Senior Member lorax is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



@graeme_p +5

:)

Personally I just block all access by IP and allow only my own IP. I do the same for the wp-admin directory too. Keeps most of the pests at bay.
1:49 am on Aug 23, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thanks Hoople:

I will try out that plugin, although there is a warning that it hasn't been updated in two years.

It could be no changes were needed in the last two years. Did you notice:

1 of 2 support threads in the last two months have been resolved.

To me that says it's being looked after, just not in a way that the WP site's staleness script can detect.
6:45 am on Aug 23, 2014 (gmt 0)

10+ Year Member



Personally I just block all access by IP and allow only my own IP. I do the same for the wp-admin directory too.


Is this done in .htaccess?
Can you recommend the code to use?
2:51 pm on Aug 23, 2014 (gmt 0)

WebmasterWorld Senior Member planet13 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



Personally I just block all access by IP and allow only my own IP. I do the same for the wp-admin directory too.

I would like to do that, but my IP addresses keep changing due to the fact that I am 1) Using DSL (and they change IP address fairly regularly), and 2) I access from three different computers at two different locations.
11:31 pm on Aug 23, 2014 (gmt 0)

WebmasterWorld Senior Member lorax is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Is this done in .htaccess?
Can you recommend the code to use?


Sure.


<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^xxx\.xxx\.xxx\.xxx$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>


[added]Forgot to mention - if you didn't figure it out - the x's are placeholders. Replace with the IP you want to allow access with. You can use REGEX to specify a range or more than one[/added]

I just recently switched to using the above code. It blocks access to both my wp-login.php file and wp-admin directory.

I don't have to worry about access to my htaccess file as my host protects that.

I would like to do that, but my IP addresses keep changing...


Yea.. I know it's a pain. You could write the code to just include the first two blocks of the IP and that might catch most of the times when your IP changes. You could also get the IPs of the other locations you connect from and do the same.

[edited by: lorax at 11:28 am (utc) on Aug 25, 2014]
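The following is an added example, not lorax's or planet13's own file, that extends the allowlist approach in the post above to the two things planet13 asked about: a blog installed in /blog/ rather than the site root, and a connection whose last two octets change. The allowed prefixes 203.0.x.x and 198.51.x.x are constructed placeholders standing in for the first two octets of the DSL and office addresses; the admin-ajax.php exemption is there because themes and plugins call that endpoint from the public side of the site, which is the usual thing an IP restriction on wp-admin breaks.

```apache
# Added example (not code from any poster). Goes in the .htaccess of the
# directory that holds WordPress: the site root, or /blog/ if that is where
# the blog lives. Place it ABOVE the "# BEGIN WordPress" block so it runs first.
<IfModule mod_rewrite.c>
RewriteEngine On

# Match the login script and the admin directory by their path suffix, so
# the same conditions work whether WordPress is in / or in /blog/.
RewriteCond %{REQUEST_URI} /wp-login\.php$ [OR]
RewriteCond %{REQUEST_URI} /wp-admin(/.*)?$

# Keep the AJAX endpoint reachable: front-end themes and plugins call it,
# even for anonymous visitors, and blocking it breaks them.
RewriteCond %{REQUEST_URI} !/wp-admin/admin-ajax\.php$

# Allow only the first two octets of each location ("the first two blocks
# of the IP" from lorax's post). 203.0.x.x and 198.51.x.x are constructed
# placeholders; put your own prefixes here. Add one line per location.
RewriteCond %{REMOTE_ADDR} !^203\.0\.[0-9]{1,3}\.[0-9]{1,3}$
RewriteCond %{REMOTE_ADDR} !^198\.51\.[0-9]{1,3}\.[0-9]{1,3}$

# Everything else is answered with 403 by Apache itself, before PHP runs,
# which is what actually cuts the bandwidth the bots consume.
RewriteRule ^ - [F,L]
</IfModule>
```

The conditions read as (login OR admin directory) AND not admin-ajax AND not prefix 1 AND not prefix 2, because a condition without `[OR]` is ANDed with the next one. Check the result from a phone on mobile data, or another address outside the prefixes, before relying on it, since a typo in the prefix locks out the one address you can test from.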

8:26 pm on Aug 24, 2014 (gmt 0)

10+ Year Member



<IfModule mod_rewrite.c>


Is this relevant for mod_rewrite only? If so, I cannot use this code because I don't bother with URL rewrite on our sites.
10:14 pm on Aug 24, 2014 (gmt 0)

WebmasterWorld Administrator 5+ Year Member Top Contributors Of The Month



It is part of the htaccess code generated by WordPress, without that, WP seems to have trouble following the orders you set in the settings panel. I removed the <ifModule wrapper once because it seemed unnecessary and redundant, but WP didn't work right without it. It may not make sense, but I won't remove it again. If you use WP you are rewriting URLs. Maybe not consciously but it's happening.
9:43 pm on Aug 25, 2014 (gmt 0)

10+ Year Member



By coincidence, something that I noticed on one of our WordPress sites (before this topic started) was that there was no .htaccess file at all. To create a .htaccess file I had to enable URL rewriting by nominating the rewrite format.

Surely there must be a generic method that can be used that can be applied to all PHP sites?
10:27 pm on Aug 25, 2014 (gmt 0)

WebmasterWorld Senior Member topr8 is a WebmasterWorld Top Contributor of All Time 10+ Year Member



>>I would like to do that, but my IP addresses keep changing due to the fact that I am 1) Using DSL (and they change IP address fairly regularly), and 2) I access from three different computers at two different locations.

Most likely your DSL is using the same class B when it allocates new addresses, so you could at least restrict it to that as a start, ditto the other locations.
10:33 pm on Aug 25, 2014 (gmt 0)

WebmasterWorld Administrator brotherhood_of_lan is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



If you can SSH into the box hosting wordpress (or any other you have access to for that matter), then you can use the -D flag for port forwarding to use the server as a tunnel, giving you a static IP.
6:17 am on Aug 26, 2014 (gmt 0)

10+ Year Member



they change IP address fairly regularly


Fixed IP addresses are not always assigned. Some ISPs will assign a fixed IP address to each account/location. But if they don't assign one, it doesn't hurt to ask. Some ISPs might charge an extra connection fee of $10 or you might be lucky like we were. Initially we were in partnership with the ISP so a fixed IP address was no problem. Then when they were taken over, when we explained that we had a fixed IP address and that it was essential to our business, we got one assigned for free.

It doesn't hurt to ask... or shop around for another ISP.
6:39 am on Aug 26, 2014 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



@brotherhood of LAN, I have been using port forwarding for a while for lots of things, and it never occurred to me to use it for blog admin! Good idea.

Another good idea to strengthen security may be to block some files in htaccess altogether: xmlrpc.php may be one, there are probably others that a lot of people can live without?
11:47 am on Aug 27, 2014 (gmt 0)

WebmasterWorld Senior Member lorax is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



xmlrpc is the biggest risk and the install can live without it. I would be very leery of removing anything else. You can hide files, change file permissions, even move them to different directories if you wish.
2:56 pm on Aug 27, 2014 (gmt 0)



An easy solution is to restrict your admin folder to your IP address only. Use deny from all. So except you, no one can browse your admin area. It's very simple and without any plugin.
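The "deny from all" approach in the post above can be done with Apache's access-control directives alone, which also answers the earlier question about sites that do not use mod_rewrite at all. The block below is an added example, not any poster's file; it combines that allowlist for wp-login.php and the wp-admin directory with the xmlrpc.php block graeme_p and lorax discussed. The allowed addresses 203.0.113.0/24 and 198.51.100.7 are constructed placeholders. It uses Apache 2.4 `Require` syntax with the 2.2 `Order`/`Deny` equivalent for hosts whose Apache predates mod_authz_core; the `<IfModule>` wrappers pick whichever the server has.

```apache
# Added example (not code from any poster). Two files are shown, separated
# by comments; each goes in the directory named in its comment.

# ---- .htaccess in the directory holding WordPress (site root or /blog/) ----

# Login page: only the listed addresses may request it; everyone else gets 403
# from Apache before wp-login.php is executed. Placeholders: replace the IPs.
<Files "wp-login.php">
    <IfModule mod_authz_core.c>
        Require ip 203.0.113.0/24 198.51.100.7
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
        Allow from 203.0.113.0/24 198.51.100.7
    </IfModule>
</Files>

# xmlrpc.php: the remote-publishing endpoint that brute-force and pingback
# abuse goes through. Deny it entirely unless you use the WordPress mobile
# app or Jetpack, which still need it.
<Files "xmlrpc.php">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
    </IfModule>
</Files>

# ---- .htaccess inside wp-admin/ ----

# Same allowlist for the whole admin directory, but admin-ajax.php stays
# public because front-end plugins and themes call it for every visitor.
<IfModule mod_authz_core.c>
    Require ip 203.0.113.0/24 198.51.100.7
    <Files "admin-ajax.php">
        Require all granted
    </Files>
</IfModule>
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.0/24 198.51.100.7
    <Files "admin-ajax.php">
        Order Allow,Deny
        Allow from all
    </Files>
</IfModule>
```

Unlike the mod_rewrite version, this needs no `RewriteEngine` and works on any Apache host that honours `.htaccess`, which is the "generic method for all PHP sites" asked about above. If your host has upgraded to 2.4 without the compatibility module, only the `Require` branches are used, so keep both until you have confirmed which one your server actually runs.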
3:15 pm on Aug 27, 2014 (gmt 0)

10+ Year Member



I block all Chinese IP addresses in .htaccess.

[edited by: lorax at 7:45 pm (utc) on Sep 3, 2014]
[edit reason] removed dead link [/edit]

This 49 message thread spans 2 pages: 49