This is a continuation of an earlier post about wp-login and brute force attacks – see the article…
A little digging when not under duress provides a great bit of information about brute force attacks on web servers and, in particular, WordPress brute force attacks. As I knew, resolving this issue was going to require blocking access at the earliest possible moment – BEFORE they tie up my resources wading through MySQL databases to see if they were authorized, generating an error, throwing them into a banned IP list, etc., all through WordPress. We’re editing the .htaccess file directly.
.htaccess wp-login.php file lockdown
This is unhandy for a number of reasons – limiting logins to a whitelisted location being the most annoying. This means that hanging out at the local Starbucks and popping into the admin area won’t be possible, since there is NO way of telling what IP you might have. Though… you could use a VPN with a fixed IP as the whitelisted IP. I have some autoposting features set up that this will affect, and those will need to be ironed out.
And it certainly would be a pain with multiple admins/authors trying to access it with these mods in place. Well, I’ll sort those issues out later. But for now, this will very handily lock out ANYONE at the earliest possible moment in the process, before wasting any server resources on it. Tested it on ANOTHER site before throwing it into production. And I believe we’ll just put this site on ANOTHER server for watching to see how well it works out. A little throwaway site that I can pull the info from to see the results. Put this into your .htaccess file in the root directory of your WordPress installation (the same one AS the wp-login.php file).
```apache
# This is an Eric modification to limit access to resource hogging wp-login attacks
# Scoped to wp-login.php: without the <Files> block a "deny from all" in the
# root .htaccess would shut the whole site off for everyone but the whitelist
<Files wp-login.php>
order deny,allow
deny from all
# whitelist Admin 1 IP address
allow from xx.xx.xx.xx
</Files>
```
Protect the wp-admin folder too
And now let’s add a little .htaccess protection into the wp-admin folder too. Create an .htaccess file in the wp-admin folder if you don’t have one – and if you’re running stock WordPress, you don’t.
```apache
# Point Basic auth at empty files: there is no user database, so no password
# can ever succeed here and the IP whitelist below is the only way in
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Password Protected Area"
AuthType Basic
# Deny everyone first, then allow only the listed addresses
order deny,allow
deny from all
# whitelist home IP address
allow from xxx.xxx.xxx.xxx
# whitelist work IP address
allow from xxx.xxx.xxx.xxx
```
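The same two lockdowns written for Apache 2.4, where the `Order`/`Deny`/`Allow` directives above only work if the legacy mod_access_compat module is loaded and `Require ip` from mod_authz_core is the native form. This is an added example, not the post's own config; the addresses are placeholders, and the admin-ajax.php exception is an assumption that the site uses front-end AJAX (themes and plugins call wp-admin/admin-ajax.php for ordinary visitors, so denying the whole folder breaks that).

```apache
# --- Root .htaccess (same directory as wp-login.php), Apache 2.4 syntax ---
# Placeholder addresses: replace with your own whitelisted IPs or CIDR ranges.
# Several "Require ip" lines at the same level are OR'd together (RequireAny),
# so a request passes if it matches any one of them; everyone else gets a 403
# before WordPress or MySQL is ever touched.
<Files wp-login.php>
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
</Files>

# --- wp-admin/.htaccess, Apache 2.4 syntax ---
# Deny the folder to all but the whitelist ...
Require ip 203.0.113.10
Require ip 198.51.100.0/24

# ... but keep admin-ajax.php reachable (assumption: the site's front end
# needs it). <Files> is merged after the directory-level rule, so this
# "Require all granted" overrides the whitelist for that one file only.
<Files admin-ajax.php>
    Require all granted
</Files>
```

On a 2.4 server with mod_access_compat loaded the post's original `Order/Deny/Allow` lines still work, but mixing the two styles in one section produces confusing results, so pick one.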
Simple and efficient. If you don’t have a ticket, you ain’t even SEEING the laundry. So, let’s put this back up today, and see how we do. Like I said, probably on another server though! I’ll post the results later – and more importantly, will they actually ever give up?