htaccess changes to combat brute force attacks
Following an attack in October my hosting company added the following to the htaccess file:
# Block WordPress login attempts by denying access to no-referrer requests and redirecting to google
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-login\.php*
RewriteCond %{HTTP_REFERER} !.*dibdenchurches.org.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule ^(.*)$ ^http://www.google.com/$ [R=301,L]

To a definite non-expert this looks similar to the following from the Codex article on brute force attacks:
# Stop spam attack logins and comments
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login)\.php*
RewriteCond %{HTTP_REFERER} !.*example.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]
</ifModule>

I find this area most confusing. Could I replace the hosting company’s code with the code from the Codex? (it appears a little unethical to redirect to Google!)
What does this line achieve:
RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]
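
An added example, not part of the original post or the Codex article: a Python model of how mod_rewrite evaluates the Codex condition chain quoted above, where [OR] joins only the referrer and user-agent tests and everything else is ANDed. The request dictionaries and the names `rule_fires` and `classify` are constructed for illustration.

```python
import re

# Conditions of the Codex rule quoted above: (variable, pattern, has_OR_flag).
CODEX_CONDS = [
    ("REQUEST_METHOD", r"POST", False),
    ("REQUEST_URI", r".(wp-comments-post|wp-login)\.php*", False),
    ("HTTP_REFERER", r"!.*example.com.*", True),      # [OR]
    ("HTTP_USER_AGENT", r"^$", False),
]

def cond_matches(value, pattern):
    """Unanchored regex test; a leading '!' negates it, as in RewriteCond."""
    negate = pattern.startswith("!")
    hit = re.search(pattern[1:] if negate else pattern, value) is not None
    return hit != negate

def rule_fires(request, conds=CODEX_CONDS):
    """True if every AND group holds, i.e. the RewriteRule would redirect."""
    i = 0
    while i < len(conds):
        var, pattern, or_next = conds[i]
        ok = cond_matches(request.get(var, ""), pattern)
        if or_next and ok:
            # One member of the OR chain matched: skip the rest of the chain.
            while i < len(conds) and conds[i][2]:
                i += 1
        elif not or_next and not ok:
            return False          # a plain (AND) condition failed
        i += 1
    return True

# Constructed sample requests (not taken from any real log).
SAMPLES = {
    "login form on own site": {"REQUEST_METHOD": "POST", "REQUEST_URI": "/wp-login.php",
        "HTTP_REFERER": "https://example.com/wp-login.php", "HTTP_USER_AGENT": "Mozilla/5.0"},
    "POST without referrer": {"REQUEST_METHOD": "POST", "REQUEST_URI": "/wp-login.php",
        "HTTP_REFERER": "", "HTTP_USER_AGENT": "Mozilla/5.0"},
    "own referrer, empty user agent": {"REQUEST_METHOD": "POST", "REQUEST_URI": "/wp-login.php",
        "HTTP_REFERER": "https://example.com/", "HTTP_USER_AGENT": ""},
    "GET of login page": {"REQUEST_METHOD": "GET", "REQUEST_URI": "/wp-login.php",
        "HTTP_REFERER": "", "HTTP_USER_AGENT": "Mozilla/5.0"},
}

def classify(samples=SAMPLES):
    return {name: rule_fires(req) for name, req in samples.items()}

if __name__ == "__main__":
    for name, redirected in classify().items():
        print(f"{name:32} -> {'redirected' if redirected else 'passed through'}")
```

The hosting company's rule has the same shape, with the site's own domain in the referrer test and only wp-login in the URI test.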