Plugin: HC Custom WP-Admin URL » 404 instead of HP

Viewing 13 replies - 1 through 13 (of 13 total)
I agree. Having an option to select a particular error URL would help. In the case of a brute force attack from hundreds of different sources against wp-login.php, allowing the traffic to land on the home page is still a burden on my server.

    In that case, wouldn’t this be better addressed at a server level?

esmi, not really. The recent wp-login.php brute force attacks are distributed and the IPs that they come from are in the thousands. I’ve tried complex mod_security rules with no success.

What about coming at this from another angle and limiting access to wp-admin via IP?

esmi, that would only work if I had a honeypot to catch the thousands of IPs that were hitting wp-login.php. I made a small change to the plugin and changed line 110, which reads

    header("location: " . $url['scheme'] . "://" . $url['domain'] . "/" . $url['rewrite_base']);

    and changed it to

    header("location: " . $url['scheme'] . "://" . $url['domain'] . "/robots.txt" . $url['rewrite_base']);

This seems to work somewhat and redirects a bad login URL attempt to the robots.txt.

that would only work if I had a honeypot to catch the thousands of IPs that were hitting wp-login.php

    Then limit access to wp-login.php via IP.

Oh. I see what you mean. Only ALLOW by IP. I travel a lot and would need to mess with my .htaccess often. Also, I develop A LOT of WP sites, and managing a running list of my clients’ IPs would not be something I could manage. I tail my logs on the servers and can usually see when an attack is underway. At which point I rename the wp-login.php file and place a dummy file in its place so as not to trigger a 404 hit, which would be a drag on the server.

This plugin appears to do what I need it to, with the exception of being able to configure a custom ‘login has moved... and I’m not going to tell you where’ page.

    Only ALLOW by IP

Yes. I’ve used that approach on a few of my sites and it seems to work quite well, although I appreciate that it’s not a solution for everyone.

rename the wp-login.php file and place a dummy file in its place so as not to trigger a 404 hit

Yes – I’ve seen a few smaller hosts use this approach, but I have to say that it does cause a few headaches for those of us who work on the forums. We get the backlash from people who suddenly can’t access their own logins. 🙂

I travel a lot and would need to mess with my .htaccess often.

    What about .htpasswd? Would that work on a file?

    esmi,

    I eventually restore the wp-login.php file after the attack ends.

Yes, a .htpasswd file would work, but it would not allow my clients to access the ‘lost password’ feature on their sites... which they use a lot... more than I would have thought, actually.

which they use a lot... more than I would have thought, actually.

Now why doesn’t that surprise me? 😉 Is there anything in Brute_Force_Attacks you can use? We did try to pool some of our best ideas in that Codex page.

Plugin Author somewebmedia (@somewebmedia)

We considered an option for choosing where to redirect (404 or some page), but rejected the idea because we wanted to make the plugin as simple as we can.

Question for T.McGuire, you said: “...brute force attack traffic to land on the home page still is a burden on my server”. How would it be different for the server traffic if the redirect led to, for example, a 404?

Thread Starter kryvulena (@kryvulena)

Hi, agreed – with or without the 404 page, there would be no change in the traffic generated.

BUT in terms of security, there would be some. Say we’re potential WP hackers. We see a 404 instead of the HP – it simply says No Such Page as wp-login.php – the end. If we see something else, that causes thinking there is one but it’s not working = this is a WP instance and we still want to find wp-login.php and hack it.

Plugin Author somewebmedia (@somewebmedia)

Ok, I’ll rethink the redirect option 🙂
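The two behaviours debated in this thread (T.McGuire’s line-110 change that redirects bad login URLs elsewhere, and kryvulena’s point that a real 404 tells a scanner nothing) can be written as one small WordPress snippet. The code below is an added example written for this page, not the HC Custom WP-Admin URL plugin’s own code, and it assumes hypothetical option names (`hc_example_login_slug`, `hc_example_block_mode`) and function names with an `hc_example_` prefix; everything else (`add_action`, `wp_parse_url`, `is_user_logged_in`, `status_header`, `nocache_headers`, `get_404_template`, `wp_safe_redirect`, `home_url`, `WP_Query::set_404`) is the standard WordPress API.

```php
<?php
/*
 * Added example, not the plugin's code: answer requests for the default
 * WordPress login endpoints with either a redirect (what the thread's
 * line-110 change does) or a genuine 404 (what the thread asks for).
 *
 * Hypothetical settings used by this example only:
 *   option 'hc_example_login_slug'  - the secret login path, e.g. 'my-secret-login'
 *   option 'hc_example_block_mode'  - '404' (default) or 'redirect'
 */

/** Request path only: no query string, no trailing slash. */
function hc_example_request_path() {
    $path = wp_parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH );
    return rtrim( (string) $path, '/' );
}

/** True for /wp-login.php and /wp-admin, also in sub-directory installs. */
function hc_example_is_default_login_request( $path ) {
    return (bool) preg_match( '#/(wp-login\.php|wp-admin)$#', $path );
}

/** True when the request is for the secret slug, i.e. the real login URL. */
function hc_example_is_secret_login_request( $path, $slug ) {
    $suffix = '/' . ltrim( $slug, '/' );
    return substr( $path, -strlen( $suffix ) ) === $suffix;
}

/** Send a real 404 using the active theme's 404 template, then stop. */
function hc_example_send_404() {
    global $wp_query;
    $wp_query->set_404();          // so conditional tags report a 404
    status_header( 404 );          // HTTP/1.1 404 Not Found
    nocache_headers();             // keep caches/proxies from storing it
    include get_404_template();
    exit;
}

/** Hooked on 'init', which runs for wp-login.php and wp-admin requests. */
function hc_example_deny_default_login() {
    // Administrators already logged in are never locked out.
    if ( is_user_logged_in() ) {
        return;
    }

    $path = hc_example_request_path();
    $slug = get_option( 'hc_example_login_slug', 'my-secret-login' );

    // The secret login URL passes through untouched.
    if ( hc_example_is_secret_login_request( $path, $slug ) ) {
        return;
    }
    if ( ! hc_example_is_default_login_request( $path ) ) {
        return;
    }

    if ( get_option( 'hc_example_block_mode', '404' ) === 'redirect' ) {
        // Redirect variant: same idea as the thread's line-110 change, but the
        // target is built with home_url() instead of hand-joined URL parts.
        wp_safe_redirect( home_url( '/robots.txt' ), 302 );
        exit;
    }

    // 404 variant: one response, no Location header, nothing that confirms
    // a login page exists. A bot that follows redirects would otherwise
    // cost a second request for the redirect target.
    hc_example_send_404();
}
add_action( 'init', 'hc_example_deny_default_login' );
```

The 404 branch is the one that addresses kryvulena’s concern: the response is indistinguishable from any other missing page. The redirect branch keeps the behaviour of the posted modification but builds the target with `home_url()`, which avoids the scheme/domain/rewrite-base string concatenation in the original line.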
