Support » Fixing WordPress » wp-admin locked down through htaccess, but still getting TONS of login attempts

  • I’ve used .htaccess to block everyone except my IP address from accessing wp-login.php and wp-admin.php, yet I still get 1-5 an hour of people in Ukraine and Turkey trying to login with “admin”.

    How are they doing this and how do I prevent it?

    Below is the code from my htaccess

    <files wp-login.php>
    order deny,allow
    allow from 50.89.200.63
    allow from 50.89.58.21
    deny from all
    </files>
    
    <files wp-admin.php>
    order deny,allow
    allow from 50.89.200.63
    allow from 50.89.58.21
    deny from all
    </files>

Viewing 11 replies - 1 through 11 (of 11 total)
  • Hello @krashx6

    Please try the following code:
    This prevents every external POST attempt to:
    wp-comments-post.php(less SPAM), wp-login.php and wp-admin.php.

    Make sure to write your domain.

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login|wp-admin)\.php*
    RewriteCond %{HTTP_REFERER} !.*YOUR-DOMAIN.* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]
    </IfModule>

    The Limit Login Attempts plugin does well to stop these malicious bots. Note: While it has not been updated as noted at the link, I have it working fine on both single and multi-site installations at WP4.0. See also:

    http://codex.wordpress.org/Brute_Force_Attacks

    Your best course of action is a strong and unique password for the site admin user(s). I strongly suggest also not using admin as a USERNAME but create a password like one.

    To understand why the password should not just be a strong one but also be unique see:

    Gmail Password Leak Update

    See, people tend to use the same password for varying sites/logins. Once one is compromised and the credentials stolen, these malicious bots go to work attempting to login to all the popular sites, and gosh, even banking sites..their goal is theft and often they succeed when folks use poor security measures!

    The single most powerful tool is both a unique and password like USERNAME and a unique and strong password.

    I have the same problem, I installed captcha so I can avoid spam logins, I have received to many invalid attempts, as of this writing the site generated 14,000 more users. One BIG PROBLEM , i tried to password protect my wp-admin from my cpanel. I don’t know what happened and Now i am I cannot login to my back panel in wordpress. Can you please help me with this problem? Please…

    Thank you for the info.

    I’ll look into this Limit Login Attempts

    @daisy101, per forum rules, please start your own topic. Thanks!

    @daisy101

    You need to log into your cPanel account and edit the .htaccess file and erase the code you entered.

    After that, add the following lines:

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login|wp-admin)\.php*
    RewriteCond %{HTTP_REFERER} !.*YOUR-DOMAIN.* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]
    </IfModule>

    This will help you.

    Good luck!

    @it Expert

    I followed per your advice, but I still am getting the login attempts. There is slowly more and more. Below is a copy/paste of my .htaccess that is in the root directory of wordpress.

    Does it look okay?
    Any suggested changes?
    Should I copy/paste this .htaccess to the /wp-admin/ folder?

    Thanks.

    # protect the htaccess file
    <files .htaccess>
    order allow,deny
    deny from all
    </files>
    
    # disable the server signature
    ServerSignature Off
    
    order allow,deny
    deny from 195.88.31.48
    deny from 46.172.244.149
    deny from 41.249.5.178
    deny from 78.172.104.63
    deny from 201.196.15.109
    allow from all
    
    <files wp-login.php>
    order deny,allow
    allow from 50.89.200.63
    allow from 50.89.58.21
    allow from 75.112.151.98
    deny from all
    </files>
    
    <files wp-admin.php>
    order deny,allow
    allow from 50.89.200.63
    allow from 50.89.58.21
    allow from 75.112.151.98
    deny from all
    </files>
    
    <files wp-config.php>
    order allow,deny
    deny from all
    </files>
    
    <files ~ "^.*\.([Hh][Tt][Aa])">
    order allow,deny
    deny from all
    satisfy all
    </files>
    
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login|wp-admin)\.php*
    RewriteCond %{HTTP_REFERER} !.*jessiedee.net.* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]
    </IfModule>
    
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    Please post a few lines of your Apache logs.

    No, don’t copy this htaccess to wp-admin folder. Those rules from the root htaccess should affect all files and folders.

    Try this:

    Options -Indexes
    ServerSignature Off
    Options +FollowSymlinks
    
    # Protect BEGIN
    
    <Files .htaccess,.svn>
    order allow,deny
    deny from all
    </Files>
    
    <Files ~ "^.*\.([Hh][Tt][Aa])">
        order allow,deny
        deny from all
        satisfy all
    </Files>
    
    # protect wp-config.php START
    <files wp-config.php>
    order deny,allow
    deny from all
    </files>
    # protect wp-config.php END
    
    # Bad bots
    RewriteEngine On
    RewriteBase /
    RewriteCond %{HTTP_USER_AGENT} libwww-perl.*
    RewriteRule .* – [F,L]
    # Bad bots
    
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login|wp-admin)\.php*
    RewriteCond %{HTTP_REFERER} !.*thelinuxterminal.* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]
    </IfModule>
    
    # Protect END
    
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    
    # END WordPress

    HI, This issue is becoming an increasing disadvantage for all WordPress users!
    I placed a ticket due to the same experience, and received a link from a supporter, which you may use, and which may improve the lacking security of your site:

    [link moderated – keep support on this site. See http://codex.wordpress.org/Brute_Force_Attacks ]

    Good luck and get your job done!

    _Psychomachia

    I have the same problem as the OP. I already had the Limit Login Attempts plugin and that mailed me about more and more (temporarily) blocked IP’s because of brute force attacks.

    So I used .htaccss to block all IP’s but mine to the /wp-admin directory.
    Also, I renamed the /wp-login.php to prevent login attempts.
    Also, the ‘register’ option is off
    And all pages and posts are one by one checked to see if the ‘react to this’ option is off.

    Still I get mails from the Limit Login Attempts plugin that IP’s are blocked because of multiple failed login attempts. How is this even possible?

    @laptopleon – I hear you, after totally locking down wp-login.php and /wp-admin/, renaming wp-login.php, enabling apache basic authentication for wp-login.php, numerous security plugins, etc, etc, I was still getting notifications.

    The answer may lie in wordpress’s xmlrpc.php file. It’s allows you, through the XML-RPC protocol, to post entries from a desktop application like BlogDesk.

    Through the comments in this post, I learned that ‘Limit Login Attempts’ may work the same on XMLRPC login attempts as on the WordPress Login Forms.

    So, you can block the xmlrpc.php file in .htaccess like this:

    <Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
    </Files>

    Alternatively, in .htaccess, here’s a handy way to simply redirect requests for xmlrpc.php to a bogus IP – a way to disable the file using less resources than a 404 response:

    RewriteRule ^xmlrpc.php$ "http://0.0.0.0/" [R=301,L]

    Either way, I’m trying this on all my wordpress sites to reduce/eliminate invalid login attempts.

Viewing 11 replies - 1 through 11 (of 11 total)
  • The topic ‘wp-admin locked down through htaccess, but still getting TONS of login attempts’ is closed to new replies.