go41

Blocking and protect access to wp-login.php – WordPress Brute Force Attacks

von Joern am 9. Jun. 2013 | Keine Kommentare

On checking AWSTATS of my sites I find more and more login attempts, AWSTATS shows:

url Viewed Average size Entry Exit
/wp-login.php 5595 3.71 KB 1896 1897
/ 109 25.78 KB 82 57

the access log of this site shows me entries of many different IPs with the same with login attempt – no way to just block them via IP in .htaccess:
actually some per second!!

122.60.210.78 – – [09/Jun/2013:11:50:58 +0200] "POST /wp-login.php HTTP/1.0" 200 3826 "http://www.my-site.de/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
113.161.76.254 – – [09/Jun/2013:11:50:58 +0200] "POST /wp-login.php HTTP/1.0" 200 3826 "http://www.my-site.de/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
188.119.8.160 – – [09/Jun/2013:11:50:59 +0200] "POST /wp-login.php HTTP/1.0" 200 3826 "http://www.my-site.de/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
49.145.70.70 – – [09/Jun/2013:11:50:59 +0200] "POST /wp-login.php HTTP/1.0" 200 3826 "http://www.my-site.de/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
125.27.224.117 – – [09/Jun/2013:11:50:59 +0200] "POST /wp-login.php HTTP/1.0" 200 3826 "http://www.my-site.de/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
114.187.69.123 – – [09/Jun/2013:11:50:59 +0200] "POST /wp-login.php HTTP/1.0" 200 3826 "http://www.my-site.de/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
85.101.226.115 – – [09/Jun/2013:11:50:59 +0200] "POST /wp-login.php HTTP/1.0" 200 3826 "http://www.my-site.de/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
194.165.145.100 – – [09/Jun/2013:11:50:59 +0200] "POST /wp-login.php HTTP/1.0" 200 3826 "http://www.my-site.de/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
212.42.126.246 – – [09/Jun/2013:11:51:00 +0200] "POST /wp-login.php HTTP/1.0" 200 3826 "http://www.my-site.de/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
177.133.249.58 – – [09/Jun/2013:11:51:00 +0200] "POST /wp-login.php HTTP/1.0" 200 3826 "http://www.my-site.de/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
78.175.44.88 – – [09/Jun/2013:11:51:00 +0200] "POST /wp-login.php HTTP/1.0" 200 3826 "http://www.my-site.de/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
39.47.97.81 – – [09/Jun/2013:11:51:00 +0200] "POST /wp-login.php HTTP/1.0" 200 3826 "http://www.my-site.de/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"

My solution to prevent a connection to the database and an attempt to query the login details in WordPress is to password protect wp-login.php

You need root access to your WordPress installation!

Get your .htaccess from your root folder of WP and add the following to the very front of this file:

<Files wp-login.php>
AuthName "protected login"
AuthType Basic
AuthUserFile "/var/www/vhosts/my-site/my-folder/.htpasswd"
require valid-user
</Files>

you have to find and adjust above the correct path to AuthUserFile, this is different on different servers.

Now your server is looking for a file .htpasswd, it will send back a ‚401 Unauthorized‘ error and ask for your login credentials, name and password.

You need a file called .htpasswd beside .htaccess on your server with an encrypted password created with crypt and MD5.

You can generate the text to insert into the .htpasswd file which is used with your .htaccess here: .htpasswd Password Generator

Using this link above just enter a Username (USER) and password to get one line of text to insert into .htpasswd file.
I use the method MD5 (apache servers only) this algorithm is used by htpasswd and is specific to the Apache software.

The result looks like that: iamtheboss:$apr1$RYTw76A3$kTmE79cmPNn1PTN9HcYpe1

On login you get now a "Unauthorized error message" asking for USER and PASSWORD, using the one you used above you will forward you to your normal WordPress login page.

You might use the same USERNAME and PASSWORD for both logins.

The result in access log looks like below, the attacking sites get just a 401 error, not using lots of resources of your server.
Eventually they will realize the problem and disappear.

39.48.184.79 – – [09/Jun/2013:12:36:58 +0200] "POST /wp-login.php HTTP/1.0" 401 755 "http://www.my-site.de/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
203.217.147.37 – – [09/Jun/2013:12:36:58 +0200] "POST /wp-login.php HTTP/1.0" 401 755 "http://www.my-site.de/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
41.97.106.31 – – [09/Jun/2013:12:36:58 +0200] "POST /wp-login.php HTTP/1.0" 401 755 "http://www.my-site.de/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
39.48.184.79 – – [09/Jun/2013:12:36:58 +0200] "POST /wp-login.php HTTP/1.0" 401 755 "http://www.my-site.de/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
2.186.59.45 – – [09/Jun/2013:12:36:59 +0200] "POST /wp-login.php HTTP/1.0" 401 755 "http://www.my-site.de/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
2.186.59.45 – – [09/Jun/2013:12:36:59 +0200] "POST /wp-login.php HTTP/1.0" 401 755 "http://www.my-site.de/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
116.83.36.52 – – [09/Jun/2013:12:36:59 +0200] "POST /wp-login.php HTTP/1.0" 401 755 "http://www.my-site.de/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
39.48.184.79 – – [09/Jun/2013:12:36:59 +0200] "POST /wp-login.php HTTP/1.0" 401 755 "http://www.my-site.de/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
31.192.5.2 – – [09/Jun/2013:12:36:59 +0200] "POST /wp-login.php HTTP/1.0" 401 755 "http://www.my-site.de/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
91.103.29.238 – – [09/Jun/2013:12:37:00 +0200] "POST /wp-login.php HTTP/1.0" 401 755 "http://www.my-site.de/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
58.89.228.59 – – [09/Jun/2013:12:37:00 +0200] "POST /wp-login.php HTTP/1.0" 401 755 "http://www.my-site.de/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
____________________
you find me on Google+, Twitter and Facebook

(von: Joern)

Sorry, no posts matched your criteria.

Autor:

Du findest mich auch auf Google+, Twitter und Facebook!

Schreibe einen Kommentar

Pflichtfelder sind mit * markiert.


weitere forum Beiträge: