Support » Plugin: HC Custom WP-Admin URL » 404 instead of HP
404 instead of HP
Hi
Is there a way to redirect attempts to access mydomain.com/wp-login.php to a 404 page at mydomain.com instead of redirecting visitors to the home page?
That could be a slightly more sophisticated way to hide the login page, couldn’t it 🙂
I agree. Having an option to select a particular error URL would help. In the case of a brute force attack from hundreds of different sources against wp-login.php, allowing the traffic to land on the home page is still a burden on my server.
In that case, wouldn’t this be better addressed at a server level?
esmi, not really. The recent wp-login.php brute force attacks are distributed and the IPs that they come from are in the thousands. I’ve tried complex mod_security rules with no success.
What about coming at this from another angle and limiting access to wp-admin via IP?
esmi, that would only work if I had a honeypot to catch the thousands of IPs that were hitting wp-login.php. I made a small change to the plugin and changed line 110, which reads
header("location: " . $url['scheme'] . "://" . $url['domain'] . "/" . $url['rewrite_base']);
to
header("location: " . $url['scheme'] . "://" . $url['domain'] . "/robots.txt" . $url['rewrite_base']);
This seems to work somewhat and redirects a bad login URL attempt to robots.txt.
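The 404 behaviour asked for at the top of the thread can be produced from PHP without patching the plugin's redirect line. The following is an added example, not code from the HC Custom WP-Admin URL plugin or from anyone in this thread. It assumes the hidden login slug is known to it as the hypothetical constant HIDDEN_LOGIN_SLUG (the plugin's own setting name is not shown on this page), and that a short allow-list of addresses (hypothetical constant LOGIN_ALLOWED_IPS) may still reach wp-login.php directly, so the file never has to be renamed during an attack.

```php
<?php
/**
 * Added example, not the HC Custom WP-Admin URL plugin's code.
 * Save as wp-content/mu-plugins/login-404.php (must-use plugin).
 *
 * Instead of header("Location: ...") to the home page, a request that reaches
 * the stock wp-login.php without coming through the hidden slug gets a real
 * HTTP 404, rendered with the theme's 404 template.
 *
 * Assumptions (hypothetical, adjust to the install):
 *  - HIDDEN_LOGIN_SLUG: the path the plugin rewrites to wp-login.php.
 *  - LOGIN_ALLOWED_IPS: addresses that may still hit wp-login.php directly.
 */
define('HIDDEN_LOGIN_SLUG', 'secret-door');     // assumed slug, not the plugin's setting
define('LOGIN_ALLOWED_IPS', ['203.0.113.7']);   // assumed; RFC 5737 documentation address

/**
 * True when the current request is entitled to see the login form.
 */
function example_login_request_is_allowed(): bool
{
    // With an internal rewrite, REQUEST_URI still carries the URL the client
    // asked for, so the hidden slug is visible here; a direct hit ends in
    // "wp-login.php" instead.
    $path = parse_url($_SERVER['REQUEST_URI'] ?? '', PHP_URL_PATH) ?: '';
    if (basename($path) === HIDDEN_LOGIN_SLUG) {
        return true;
    }

    // REMOTE_ADDR is the real client only when no proxy/CDN sits in front;
    // behind one, resolve the client address from the trusted proxy first.
    $client = $_SERVER['REMOTE_ADDR'] ?? '';
    return in_array($client, LOGIN_ALLOWED_IPS, true);
}

/**
 * Send a genuine 404 (status line, no-cache headers, theme template) and stop.
 */
function example_send_login_404(): void
{
    global $wp_query;
    if ($wp_query instanceof WP_Query) {
        $wp_query->set_404();           // makes is_404() true inside the template
    }
    status_header(404);
    nocache_headers();

    $template = get_404_template();     // empty string if the theme ships no 404.php
    if ($template) {
        include $template;
    } else {
        echo 'Not Found';
    }
    exit;
}

// login_init fires inside wp-login.php before any output has been sent,
// so the status line can still be changed here.
add_action('login_init', function (): void {
    if (!example_login_request_is_allowed()) {
        example_send_login_404();
    }
});
```

Two caveats for anyone using this. First, the request still boots WordPress, so against a distributed brute-force run it saves at most the second request from bots that follow the redirect to the home page; rejecting wp-login.php before PHP starts is a job for the web server's own rules. Second, the lost-password form is reached through the hidden slug, so it keeps working for clients who know that URL, which is the same situation as with the plugin's redirect.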
that would only work if I had a honeypot to catch the thousands of IP’s that were hitting wp-login.php
Then limit access to wp-login.php via IP.
Oh. I see what you mean. Only ALLOW by IP. I travel a lot and would need to mess with my .htaccess often. Also, I develop A LOT of WP sites and managing a running list of my clients’ IPs would not be something I could manage. I tail my logs on the servers and can usually see when an attack is underway. At which point I rename the wp-login.php file and place a dummy file in its place so as not to trigger a 404 hit, which would be a drag on the server.
This plugin appears to do what I need it to, with the exception of being able to configure a custom ‘login has moved... and I’m not going to tell you where’ page.
Only ALLOW by IP
Yes. I’ve used that approach on a few of my sites and it seems to work quite well – although I appreciate that it’s not a solution for everyone.
rename the wp-login.php file and place a dummy file in it’s place so as not to trigger a 404 hit
Yes – I’ve seen a few smaller hosts use this approach but I have to say that it does cause a few headaches for those of us who work on the forums. We get the backlash from people who suddenly can’t access their own logins. 🙂
I travel a lot and would need to mess with my .htaccess often.
What about .htpasswd? Would that work on a file?
esmi,
I eventually restore the wp-login.php file after the attack ends.
Yes, a .htpasswd file would work but would not allow my clients to be able to access the ‘lost password’ feature on their sites… which they use a lot… more than I would have thought, actually.
which they use a lot… more than I would have thought, actually.
Now why doesn’t that surprise me? 😉 Is there anything in Brute_Force_Attacks you can use? We did try to pool some of our best ideas in that Codex page.
We considered an option for choosing where to redirect (404 or some page), but rejected the idea because we wanted to make the plugin as simple as we could.
Question for T.McGuire, you said: “…brute force attack traffic to land on the home page still is a burden on my server”. How would it be different for the server traffic if the redirect led to, for example, a 404?
Hi, agreed: with or without the 404 page, there would be no change in the traffic generated.
BUT in terms of security there would be some. Say we’re potential WP hackers. We see a 404 instead of the HP: it simply says there is no such page as wp-login.php, the end. If we see something else, that makes us think there is one but it’s not working, i.e. this is a WP instance, and we still want to find wp-login.php and hack it.
Ok, I’ll re-think about the redirect option 🙂