post

Securing WordPress from Brute Force Attacks (.htaccess method)

Securing WordPress from a Brute Force AttackMassive brute force attacks against WordPress installations across virtually every web host in existence were reported in April 2013. According to media reports, a large botnet with more than 90,000 servers attempted to log in by cycling different usernames and passwords against the WordPress access points: /wp-login.php and /wp-admin. My websites and those of my customers are among those affected.

Today, it happened again against my server. While working on a couple of my sites this morning, performance suddenly dropped. After a few minutes, I was able to login to my Cpanel and saw the following site statistics:

Brute Force Attack Cpanel Statistics

I immediately contacted my host to find out why I was seeing nearly 100% CPU utilization and 100 Entry Processes. Within minutes I watched the CPU utilization drop to 20% and Entry Processes drop to zero. They emailed back and said my site was again the victim of a brute force attack and they added some code to my .htaccess file to prevent access to wp-login.php. In their email, they said,

To help keep these attackers out and to reduce the site’s usage we blocked all access to the “wp-login.php” script through this code we added to your site’s “.htaccess” file:

  1. RewriteEngine On
  2. RewriteCond %{REQUEST_URI} ^/wp-login\.php$ [NC]
  3. RewriteRule ^.*$ - [F,L]
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-login\.php$ [NC]
RewriteRule ^.*$ - [F,L]

To allow yourself access to WordPress you can change that “.htaccess” rule to the following:

  1. RewriteEngine On
  2. RewriteCond %{REMOTE_ADDR} !^135\.135\.135\.246$
  3. RewriteCond %{REQUEST_URI} ^/wp-login\.php$ [NC]
  4. RewriteRule ^.*$ - [F,L]
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^135\.135\.135\.246$
RewriteCond %{REQUEST_URI} ^/wp-login\.php$ [NC]
RewriteRule ^.*$ - [F,L]

This is all well and good if I were the only user on my site. But I run a multisite instance of WordPress and have hundreds of users accessing protected content. They need to be able to use wp-login to access their materials. So here’s a better way of securing WordPress against brute force attack-bots by denying access to no referrer requests by modifying your site’s .htaccess file. This fix works against attack-bots only which are from where the majority of brute force attacks originate. This fix will not work against someone who accesses the pages from their browser and deliberately tries to hack your site.

When your readers leave a comment or login to your site, the wp-comments-post.php or wp-login.php file is accessed. These files do their thing, create the post or log a user into the system. When this happens, the user’s browser sends a “referral” line about this. The referral line references your website and the files that were accessed.

When a spam-bot arrives, it hits these files directly and doesn’t usually leave a referrer. As a result, you can direct the Apache server to detect this no referrer condition and reroute the spam-bot into cyberspace. By adding the code below to your .htacess file, you will accomplish four things:

  1. Detect when a POST is being made
  2. Check to see if the post is on wp-comments-post.php or wp-login.php
  3. Check if the referrer is in your domain or if no referrer
  4. Send the spam-bot BACK to its originating server’s IP address.
  1. # Stop spam/brute force attack logins and comments
  2.  
  3.     RewriteEngine On
  4.     RewriteCond %{REQUEST_METHOD} POST
  5.     RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login)\.php*
  6.     RewriteCond %{HTTP_REFERER} !.*example.com.* [OR]
  7.     RewriteCond %{HTTP_USER_AGENT} ^$
  8.     RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]
# Stop spam/brute force attack logins and comments

	RewriteEngine On
	RewriteCond %{REQUEST_METHOD} POST
	RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login)\.php*
	RewriteCond %{HTTP_REFERER} !.*example.com.* [OR]
	RewriteCond %{HTTP_USER_AGENT} ^$
	RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]

The above code is for a single site installation. Change example.com to the name of your domain. If you run a multisite installation with mapped domains as I do, then you would use the following code:

  1. # Stop spam/brute force logins and comments
  2.  
  3.     RewriteEngine On
  4.     RewriteCond %{REQUEST_METHOD} POST
  5.     RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login)\.php*
  6.     RewriteCond %{HTTP_REFERER} !.*(example.com|example2.com|example3.com|example4.com).* [OR]
  7.     RewriteCond %{HTTP_USER_AGENT} ^$
  8.     RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]
# Stop spam/brute force logins and comments

	RewriteEngine On
	RewriteCond %{REQUEST_METHOD} POST
	RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login)\.php*
	RewriteCond %{HTTP_REFERER} !.*(example.com|example2.com|example3.com|example4.com).* [OR]
	RewriteCond %{HTTP_USER_AGENT} ^$
	RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]

 

VictorFont.com runs on the Genesis Framework

Genesis FrameworkThe Genesis Framework empowers you to quickly and easily build incredible websites with WordPress. Genesis provides the secure and search-engine-optimized foundation that takes WordPress to places you never thought it could go.

Check out the incredible features and the selection of designs. It's that simple—start using Genesis now!

Click here to download The Genesis Guide for Absolute Beginners (PDF - 1.4 MB)

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code lang=""> <del datetime=""> <em> <i> <q cite=""> <strike> <strong> <pre lang="" extra="">

Current ye@r *