WordPress.org


Many, many attempts to hack login.php (23 posts)

  1. MikeHarrison
    Member
    Posted 1 year ago #

    According to server stats, there are many, many requests for my login.php and, lately, they all seem to come from the same ip address. I'm guessing these are attempts to hack my site. Even though I have good security measures in place, is there a way to completely prevent any ip except my own from even accessing login.php? These repeated page requests are logging an awful lot of time.

    I'm hoping the contents of my directories are not accessible, so is it possible to change the name of wp-login.php to something else?

    Thanks!

  2. bottleneck
    Member
    Posted 1 year ago #

    Technically, you can block not only a single IP, but even the whole country of your choice by using simple code placed in the .htaccess file.

    There are many tutorials online.

  3. MikeHarrison
    Member
    Posted 1 year ago #

    Thanks. Yes, I've read those tutorials and even put their suggested code(s) into my .htaccess file, but they don't seem to work. I have deny orders for specific ip addresses, yet those same addresses still show up in server logs.

  4. Andrew Bartel
    Member
    Posted 1 year ago #

    There was an excellent discussion about site security started by a good question on wp-hackers back in July where Otto made the point that security cannot be automated, and more importantly, should not be and should not be attempted. It requires an active administrator enforcing a strong password policy, among other things.

    Here's a link to the discussion: http://lists.automattic.com/pipermail/wp-hackers/2012-July/043638.html

    What came out of it, and what I recommended to my clients the next day, was to install Limit Login Attempts. You can take that a step further and remove the 'admin' username itself too. But a few hundred requests to login everyday shouldn't be the tipping point for your server. If it is, that is an entirely different discussion.

  5. MikeHarrison
    Member
    Posted 1 year ago #

    Thanks, Andrew! For quite some time already I've had Limit Login Attempts in place, I do not use 'Admin' as the user name, and my login password is extremely strong, too. So maybe I'm just overly concerned unnecessarily.

    Yesterday, for example, one ip address (according to server stats) logged 23 hours. You probably have lots more experience than I do, so if you don't feel that much server time or a few hundred page requests from the same ip is a problem, then I won't worry about it.

    Thanks again. I appreciate the feedback.

  6. Andrew Bartel
    Member
    Posted 1 year ago #

    I worry about it constantly and wake up in the middle of the night, but I'm weird.

    If an IP displays a particular... obsessiveness, shall we say, I tend to step it up into apache administration and drop the ban hammer. But realistically, anyone who is running a shop in eastern Europe (my biggest problem area), is not going to be stopped by having an ip blocked. However, it will discourage an otherwise determined non-technical user.

  7. MikeHarrison
    Member
    Posted 1 year ago #

    Most of my bothersome ip addresses are in Russia and, to a somewhat lesser degree, China. And one ip in particular is becoming quite insistent.

    What do you mean by going into apache administration and dropping the ban hammer?

  8. esmi
    Forum Moderator
    Posted 1 year ago #

  9. MikeHarrison
    Member
    Posted 1 year ago #

    Thanks, esmi...

    I began using that method over a year ago. I still use it and it still works for the most part but, apparently, there is a way determined hackers can get around that. Even though I have denied (many) specific ip addresses with .htaccess, some of them still show up on my server logs.

    That's what is frustrating to me.

  10. @MikeHarrison: if you have no legit visitors from Russia, you can block the whole country: http://ipinfodb.com/ip_country_block.php

  11. MikeHarrison
    Member
    Posted 1 year ago #

    Thanks, songdogtech...

    Yes, I've had a long block of Russian ip addresses (plus Korea and China) in my htaccess file for a while, and I had just added more from the site you linked to a few minutes ago.

    I appreciate your help!

  12. MikeHarrison
    Member
    Posted 1 year ago #

    @Andrew Bartel...

    That insistent Russian ip address is receiving '403' errors, but yesterday alone, it made 1,014 attempts to access the login page.

    Your thoughts?

    Thanks!

  13. It's a poorly written bot that doesn't know the difference between a 403 and a rendering of the login page and to quit trying the page. You've blocked it; now you have to ignore it.
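
The situation in posts 12 and 13, a denied client that keeps showing up in the server logs, can be checked from the access log itself, because a request answered with 403 is still logged. The following is an added example, not part of the original thread: it tallies wp-login.php requests per IP and status code, assuming Apache combined log format, and the log lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache combined log format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2012:06:25:11 +0000] "POST /wp-login.php HTTP/1.1" 403 211 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Oct/2012:06:25:12 +0000] "POST /wp-login.php HTTP/1.1" 403 211 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Oct/2012:06:25:13 +0000] "GET /wp-login.php HTTP/1.1" 403 211 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Oct/2012:07:01:40 +0000] "GET /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Oct/2012:07:01:41 +0000] "POST /wp-login.php HTTP/1.1" 200 2410 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Oct/2012:08:14:02 +0000] "GET /index.php HTTP/1.1" 200 10432 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Oct/2012:08:14:09 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 1980 "-" "Mozilla/5.0"
not a log line
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def login_hits(log_text):
    """Return {ip: Counter({status: count})} for requests to wp-login.php."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing
        path = m.group("path").split("?", 1)[0]  # ignore the query string
        if path.endswith("/wp-login.php"):
            hits[m.group("ip")][int(m.group("status"))] += 1
    return dict(hits)

def classify(hits):
    """Split IPs into 'blocked' (only 403 responses) and 'reaching' (anything else)."""
    blocked, reaching = {}, {}
    for ip, statuses in hits.items():
        total = sum(statuses.values())
        if set(statuses) == {403}:
            blocked[ip] = total   # deny rule works; the entries are just noise
        else:
            reaching[ip] = total  # login page was served; rate limiting matters here
    return blocked, reaching

if __name__ == "__main__":
    blocked, reaching = classify(login_hits(SAMPLE_LOG))
    print("denied but still logged:", blocked)
    print("reaching the login page:", reaching)
```

An address that appears only in the first group is being refused by the deny rule; one in the second group is still being served the login page.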

  14. MickeyRoush
    Member
    Posted 1 year ago #

    In addition,

    Are you the only person that needs to log in to your site? If so, you can block access to wp-login.php with .htaccess as well via whitelisting.

    While this doesn't work as well for dynamic IP addresses you could still limit it to Class C's, B's, or A's and it will still give some protection.

    # Redirect wp-login.php requests from any address other than yours
    RewriteEngine On
    RewriteCond %{REMOTE_ADDR} !^123\.456\.789\.123$
    RewriteRule ^wp-login\.php http://example.com [R,L]

    Where example.com is your domain.

    Where 123.456.789.123 is your IP
    You can adjust it to Class C's like so:
    RewriteCond %{REMOTE_ADDR} !^123\.456\.789\.

    Or Class B:
    RewriteCond %{REMOTE_ADDR} !^123\.456\.

    Or Class A:
    RewriteCond %{REMOTE_ADDR} !^123\.
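
How much each of the prefix patterns in post 14 lets through can be checked before deploying it. The following is an added example, not code from the thread: it builds the same style of pattern for a constructed address (203.0.113.10), maps each one to its CIDR equivalent, and shows how a pattern without escaped dots or a trailing `\.` widens the allowlist. It assumes Python's `re.search` matches these simple patterns the same way the unanchored RewriteCond match does.

```python
import ipaddress
import re

MY_IP = "203.0.113.10"  # constructed example address (documentation range)

def prefix_pattern(ip, octets):
    """Build the RewriteCond-style regex for the first `octets` octets of `ip`."""
    body = r"\.".join(ip.split(".")[:octets])
    # Full address: anchor the end with $. Prefix: end on an escaped dot.
    return "^" + body + ("$" if octets == 4 else r"\.")

def allowed(pattern, remote_addr):
    """True when the negated RewriteCond (!pattern) does not fire,
    i.e. the request is let through to wp-login.php."""
    return re.search(pattern, remote_addr) is not None

def network_for(ip, octets):
    """CIDR network equivalent to the prefix and the number of addresses it admits."""
    net = ipaddress.ip_network(f"{ip}/{octets * 8}", strict=False)
    return str(net), net.num_addresses

def report():
    """One row per pattern: (regex, equivalent network, addresses allowed)."""
    return [(prefix_pattern(MY_IP, n), *network_for(MY_IP, n)) for n in (4, 3, 2, 1)]

# Pitfall: unescaped dots and no trailing "\." match more than the intended /24.
LOOSE = r"^203.0.11"

if __name__ == "__main__":
    for pattern, network, count in report():
        print(f"{pattern:<22} {network:<18} {count:>10} addresses")
    for addr in ("203.0.113.200", "203.0.119.77"):
        strict = allowed(prefix_pattern(MY_IP, 3), addr)
        print(addr, "strict:", strict, "loose:", allowed(LOOSE, addr))
```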

  15. compositelitmus
    Member
    Posted 1 year ago #

    Hi, I am a newbie to this, so I hope you guys can be patient with me.

    Shouldn't the task of handling the hackers be dealt with by the webhost?

  16. MickeyRoush
    Member
    Posted 1 year ago #

    @ compositelitmus

    Not from the HTTP protocol. From that aspect it's basically your site. They try to provide support there as well, but then you come into usability, so from the HTTP protocol it's basically your responsibility.

  17. compositelitmus
    Member
    Posted 1 year ago #

    @MickeyRoush

    1. Is it less monitoring and simpler to make the site https by putting in an SSL? I understand there are some cheap SSL out there that cost only about $13.
    2. The measures discussed here - will employing them on https site complicate things or make it extra protection?

  18. MickeyRoush
    Member
    Posted 1 year ago #

    @ compositelitmus

    1. SSL only encrypts your site and is usually used to protect any sensitive data being transferred like passwords, etc between the client and host.

    2. The measures mentioned here should not conflict with using SSL.

  19. compositelitmus
    Member
    Posted 1 year ago #

    @MickeyRoush

    I haven't got to the point that I need to handle hackers. I will keep all this information, in case I need it someday.

    Thanks!

  20. rpsellers
    Member
    Posted 1 year ago #

    I'm late to the discussion but didn't see that anyone above had suggested this. I've installed the betterwpsecurity plugin and activated the standard ban list as well as specifically banning ip addresses that repeatedly get locked out for 404 errors - most of which are attempting variations of login or admin files. Sometimes blocking multiple variations from the same region of China gets old but at least I know I'm secure. One hacking in a lifetime was enough! It's worth the effort to explore that particular plugin.

  21. shamratdewan
    Member
    Posted 1 year ago #

    Best thing is to use hard passwords and updated WP. Other than that I also tried blocking IP, some plugins, but none work so far for some reason. So learn living with it maybe..

  22. MikeHarrison
    Member
    Posted 1 year ago #

    Since creating this thread, I've since installed BOTH Better WP Security AND Bulletproof Security. Bulletproof Security solved my problem forever by giving me code to customize my root .htaccess file, preventing login by anyone except me.

  23. rpsellers
    Member
    Posted 1 year ago #

    Haven't heard of BPS but it looks promising as well. I'd love on one install to quit having to ban the same range of IP addresses from the same three cities in China every week...

Topic Closed

This topic has been closed to new replies.
