Following an attack in October my hosting company added the following to the htaccess file:

    # Block WordPress login attempts by denying access to no-referrer requests and redirecting to google
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} .wp-login\.php*
    RewriteCond %{HTTP_REFERER} !.*dibdenchurches.org.* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule ^(.*)$ ^http://www.google.com/$ [R=301,L]

To a definite non-expert this looks similar to the following from the Codex article on brute force attacks:

    # Stop spam attack logins and comments
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login)\.php*
    RewriteCond %{HTTP_REFERER} !.*example.com.* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]
    </IfModule>

I find this area most confusing. Could I replace the hosting company’s code with the code from the Codex? (it appears a little unethical to redirect to Google!)

What does this line achieve:

    RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]
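To make the Codex block easier to reason about, here is an added example (my own code, not from the post, the hosting company or the WordPress Codex) that models how Apache evaluates those RewriteCond lines against a request. It assumes the site name is `example.com`, uses the regexes exactly as quoted in the Codex snippet, and treats the substitution as `http://<client address>/` (the trailing `$` in the quoted rule is not modelled). The key point it shows: RewriteCond lines are ANDed by default, and the `[OR]` flag only joins the referer check with the empty user-agent check, so the rule fires on a POST to the login or comment script when either the referer is not from your own site or the user-agent header is blank, and the redirect target is the client's own IP address.

```python
import re
from typing import Optional, List, Tuple

# Request fields a RewriteCond line would read. Constructed model of the
# Codex block:
#   RewriteCond %{REQUEST_METHOD} POST
#   RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login)\.php*
#   RewriteCond %{HTTP_REFERER} !.*example.com.* [OR]
#   RewriteCond %{HTTP_USER_AGENT} ^$
#   RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]
SITE = "example.com"  # assumed site name; the Codex uses example.com as a placeholder

# RewriteCond patterns are unanchored regexes, so re.search is the right model.
URI_RE = re.compile(r".(wp-comments-post|wp-login)\.php*")
REFERER_RE = re.compile(r".*" + re.escape(SITE) + r".*")
UA_EMPTY_RE = re.compile(r"^$")


def evaluate_rewrite(method: str, uri: str, referer: str,
                     user_agent: str, remote_addr: str) -> Optional[str]:
    """Return the Location the RewriteRule would send, or None if the
    request passes through untouched.

    Apache evaluates RewriteCond lines top to bottom. Lines without [OR]
    are ANDed; a line carrying [OR] is OR-ed with the line after it.
    A missing header (no Referer, no User-Agent) is an empty string.
    """
    # Condition 1: request method must be POST.
    if method != "POST":
        return None
    # Condition 2: the path must hit wp-login.php or wp-comments-post.php.
    if not URI_RE.search(uri):
        return None
    # Conditions 3 [OR] 4: referer does NOT mention our site ('!' negates),
    # OR the User-Agent header is empty.
    referer_foreign = REFERER_RE.search(referer) is None
    ua_blank = UA_EMPTY_RE.search(user_agent) is not None
    if not (referer_foreign or ua_blank):
        return None
    # RewriteRule (.*) matches any path; R=301,L issues a permanent redirect
    # to http://%{REMOTE_ADDR}/ , i.e. the client's own address.
    return f"http://{remote_addr}/"


def classify_samples() -> List[Tuple[str, Optional[str]]]:
    """Run a few constructed requests through the model for inspection."""
    samples = [
        # (label, method, uri, referer, user-agent, client ip)
        ("bot POST, no referer", "POST", "/wp-login.php", "", "Mozilla/5.0", "203.0.113.5"),
        ("browser login from site", "POST", "/wp-login.php",
         "http://example.com/wp-login.php", "Mozilla/5.0", "203.0.113.6"),
        ("site referer but blank UA", "POST", "/wp-comments-post.php",
         "http://example.com/?p=1", "", "203.0.113.7"),
        ("plain GET of login page", "GET", "/wp-login.php", "", "", "203.0.113.8"),
        ("POST elsewhere", "POST", "/index.php", "", "", "203.0.113.9"),
    ]
    return [(label, evaluate_rewrite(m, u, r, ua, ip))
            for label, m, u, r, ua, ip in samples]


if __name__ == "__main__":
    for label, target in classify_samples():
        print(f"{label:28s} -> {target or 'pass through'}")
```

Note what this model makes visible: a legitimate login attempt from a browser that sends no Referer (privacy extensions, some proxies) is redirected just like a bot, and a client with a blank User-Agent is redirected even when the referer is from your own site. That is the trade-off both the hosting company's block and the Codex block accept.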

The topic ‘htaccess changes to combat brute force attackes’ is closed to new replies.