Failed login attempts with .htaccess limited to my IP

  • Resolved ehfk

    (@ehfk)


    Hi,

    Adding the rules below to my .htaccess file stopped brute force password guessing attempts for a few weeks, but I am starting to see some come through again. Is there another way to get to the login page that I’m missing?

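    # Send 401/403 responses to index.php with error=404
    ErrorDocument 401 /mysite/index.php?error=404
    ErrorDocument 403 /mysite/index.php?error=404

    RewriteEngine on
    # Match requests for wp-login.php, or a path ending in wp-admin ...
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    # ... from any client address other than the allowed one
    RewriteCond %{REMOTE_ADDR} !^myiphere$
    # Answer 403 Forbidden and stop processing further rules
    RewriteRule ^(.*)$ - [R=403,L]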
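
An offline model of the rule set posted above, added here as an example (it is not code from the thread): it shows which request paths the two REQUEST_URI conditions catch for a client outside the allowlist. The IP addresses and sample paths are constructed, the function names are hypothetical, and it assumes the rules are actually being evaluated by the server.

```python
import re

# The two REQUEST_URI patterns from the post, joined by [OR].
URI_PATTERNS = [r"^(.*)?wp-login\.php(.*)$", r"^(.*)?wp-admin$"]


def rule_blocks(request_uri, remote_addr, allowed_ip_pattern):
    """Model of the posted rules: (cond1 OR cond2) AND NOT allowed IP -> 403.

    request_uri is the URL path only (Apache's REQUEST_URI excludes the
    query string). RewriteCond patterns are unanchored searches, like
    re.search.
    """
    uri_hit = any(re.search(p, request_uri) for p in URI_PATTERNS)
    ip_allowed = re.search(allowed_ip_pattern, remote_addr) is not None
    return uri_hit and not ip_allowed


def audit(paths, remote_addr, allowed_ip_pattern):
    """Return {path: True if the rules would answer 403} for one client."""
    return {p: rule_blocks(p, remote_addr, allowed_ip_pattern) for p in paths}


# Constructed sample data (documentation address ranges, not from the thread).
ALLOWED = r"^203\.0\.113\.10$"   # hypothetical value in place of "myiphere"
OUTSIDER = "198.51.100.7"
SAMPLE_PATHS = [
    "/wp-login.php",
    "/mysite/wp-login.php",
    "/wp-admin",
    "/wp-admin/",            # trailing slash: second pattern ends in wp-admin$
    "/wp-admin/index.php",
    "/index.php",
]

if __name__ == "__main__":
    for path, blocked in audit(SAMPLE_PATHS, OUTSIDER, ALLOWED).items():
        print(f"{'403' if blocked else 'pass'}  {path}")
```
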

Viewing 6 replies - 1 through 6 (of 6 total)
  • Hi there,

    Brute-force attacks must be prevented by server software like “fail2ban” + “iptables” for example. Any “security” stuff in the .htaccess file is bad from the start.

    If you want to secure your website a lil bit more, check out plugins here. And this article of course 🙂

    • This reply was modified 3 months, 1 week ago by  Ex.Mi.

    Thank you! I do have the Sucuri plugin installed but wanted additional layers – it just makes me mad when I see the notifications that someone tried to get in 🙂

    I must have something misconfigured in the .htaccess but I don’t see what.

    when I see the notifications that someone tried to get in

    Oh, wow 🙂 Better disable these notifications, because if you have proper and heavy security rules, there are a lot of bots that will try to break in anyways.

    I like the “Security Ninja” plugin with some additional settings and logging rules, and my websites have never been hacked/brute-forced 🙂

    WebFactory

    (@webfactory)

    @exmi glad to hear you find our Security Ninja useful 🙂

    ehfk

    (@ehfk)

    For anyone else who has a similar problem, I found the cause of mine.

    I’m on shared hosting. There’s a hidden .htaccess file at the root directory which I cannot edit and which overrides my custom file.

    I use the same .htaccess file across multiple sites. It works on my sites where WordPress is installed in a separate folder and not at root.

    @webfactory, yeah, but my favourite is “Login Ninja” – extremely simple and useful 🙂

    @ehfk, so what are you gonna do now?

    • This reply was modified 3 months ago by  Ex.Mi.