
Thread: How to block out wp-login

#1 iowadawg (Free Cell Champion, joined May 2010, Location: Not in Texas)

    How to block out wp-login

    I had this on one of my wp blogs and never gave it any thought nor thought about putting it on my other blogs.

    But I got an email from my host company that there is currently a distributed attack against WordPress logins globally that is trying to hack WordPress installations by brute forcing the logins "wp-login.php" file.

    So of course I checked my original .htaccess file on the blog and it was already set up.
    And I put it on my other blogs in the .htaccess file.

    Just add this to your .htaccess file, or create a .htaccess if you don't have one.

    # Apache 2.2-style access control for the login script only.
    # The dot is escaped and the pattern anchored so it matches exactly wp-login.php.
    <Files ~ "^wp-login\.php$">
    Order deny,allow
    Deny from all
    Allow from x.x.x.x
    </Files>

    Where the x.x.x.x is your ip address.

    That way, only you from your ip address can login.


#2 TopDogger (Über Hund, joined Jan 2009, Location: Hellfire, AZ)

    My ISP frequently changes my IP, so that will not work for me. But I should be able to use it to block that specific login method. There are two ways to log in.

    I find the overwhelming number of hackers try to break the password using /wp-admin/ rather than wp-login.php. The Limit Login Attempts plugin will lock them out after only 4 failed attempts, so the brute force attacks will not work. It even tracks the IPs of the hackers, as well as the username they use to attempt to log in. I put Limit Login Attempts on all of my clients' sites and frequently see 50 to 100 breaking attempts every month, mostly from China, Russia and Ukraine.


    http://wordpress.org/extend/plugins/...ogin-attempts/

    Two of the major problems with WordPress are that in its native state there is nothing to stop a hacker from attempting millions of combinations of passwords until they break in, and they do not allow you to change the login or admin location.
    Last edited by TopDogger; 13 April, 2013 at 00:10 AM.
    "Democracy is two wolves and a lamb voting on what to have for lunch. Liberty is a well-armed lamb contesting the vote." -- Benjamin Franklin


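The two posts above describe the same defence from two sides: post #1 allowlists a single IP in .htaccess, and post #2 wants something that works with a changing IP and locks a client out after a few failed attempts, as the Limit Login Attempts plugin does. The script below is an added example (not from the thread, not the plugin's code) that does the plugin's counting from the web server's own access log instead: it parses Apache combined-format lines, counts failed POSTs to wp-login.php per client IP, applies the 4-failure threshold TopDogger mentions, and renders a denylist-style `<Files>` block in the same Order/Allow/Deny syntax the thread uses. It assumes the log is in combined format, and that WordPress answers a failed login with HTTP 200 (the form re-rendered) and a successful one with a 302 redirect; the log lines are constructed sample data, not real traffic.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format (not real traffic).
# 203.0.113.10 fails five times; 198.51.100.7 fails once then succeeds (302);
# 192.0.2.55 never touches the login page at all.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:00:05 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:01:00 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Apr/2013:10:02:00 +0000] "GET /2013/04/some-post/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields of one combined-format access-log line, or None if it
    does not parse (malformed or truncated lines are skipped, never counted)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore the query string
    return rec


def failed_login_counts(log_text):
    """Count failed wp-login.php POSTs per client IP.

    Assumption (labelled): WordPress re-renders the login form with HTTP 200
    when the credentials are wrong and redirects (302) when they are right,
    so a POST to wp-login.php that got a 200 is treated as a failure."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["method"] == "POST"
                and rec["path"].endswith("/wp-login.php")
                and rec["status"] == 200):
            counts[rec["ip"]] += 1
    return counts


def locked_out(counts, threshold=4):
    """IPs at or above the failure threshold (4, as in the plugin), sorted."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def render_denylist(ips):
    """Render a denylist <Files> block in the Apache 2.2 Order/Allow/Deny syntax
    used in this thread. Unlike the allowlist in post #1 it does not depend on
    the administrator having a fixed IP address."""
    lines = ['<Files "wp-login.php">', "Order allow,deny", "Allow from all"]
    lines += [f"Deny from {ip}" for ip in ips]
    lines.append("</Files>")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    counts = failed_login_counts(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip:16} {n} failed login(s)")
    print(render_denylist(locked_out(counts)))
```

Run against a real `access_log` by replacing `SAMPLE_LOG` with the file contents; the rendered block can be appended to .htaccess, or the locked-out list fed to whatever blocking mechanism the host provides. The success/failure heuristic is a status-code guess, so a plugin that hooks the login itself (as Limit Login Attempts does) is more exact; the log-based approach is what you have when you cannot install plugins.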

#3 iowadawg (Free Cell Champion, joined May 2010, Location: Not in Texas)

    With WordPress, too many people just keep the default database name and login, and pick simple usernames and passwords for the admin login.

    I like to come up with usernames and passwords that make no sense (like: u4pt&Qm^3).
    Tends to make it harder for any brute force.

    The only thing I think WordPress can do is allow up to 16 character (24 better) usernames and passwords.

#4 TopDogger (Über Hund, joined Jan 2009, Location: Hellfire, AZ)

    A hacker can discover an admin's username even when it is changed from the default 'admin' during setup. Check this article out.

    WordPress Hack Reveals Admin Login Name

    You have to go into the database to fix this. It cannot be done through the admin area.

    Without something like the Limit Login Attempts plugin or the method that you use to block access, there is nothing to stop a hacker from using a bot to repeatedly attempt to break a password.


#5 iowadawg (Free Cell Champion, joined May 2010, Location: Not in Texas)

    That only works if the username is also used on the blog.
    E.g.: hunt for kkD^2*Z, say, for the username on a blog.
    It won't show up because that username is not used on the blog to post anything.

    Using that url, with the blog domain, it would not show up as it is not used.

    Probably when I set up my blogs, I originally used weird usernames and passwords?

    For sure, just another way to protect your blog.

#6 Andy101 (Code Otaku, joined Aug 2009, Location: Kanazawa)

    Can't you just rename the wp-admin/ directory?
    Otaku CMS - Import a WordPress blog and manage your site using single-page App technology
    Angular Skills - new site about Front-end App. programming

#7 iowadawg (Free Cell Champion, joined May 2010, Location: Not in Texas)

    Tried that renaming one time.
    Have to change so much in other files, folders.

#8 Andy101 (Code Otaku, joined Aug 2009, Location: Kanazawa)

    Quote Originally Posted by iowadawg View Post
    Tried that renaming one time.
    Have to change so much in other files, folders.
    Hmm, a bad design mistake by the WP programmers IMO. There should be a configuration option for the admin folder.

#9 SonnyCooL (HeeHa, joined Jan 2010, Location: Melb/Malaysia)

    Even though I disabled new user registration, spam comments and the new user stats don't drop ...
    Yes, I solved it with a firewall, but that is costly ....

#10 TopDogger (Über Hund, joined Jan 2009, Location: Hellfire, AZ)

    Quote Originally Posted by iowadawg View Post
    That only works if the username is also used on the blog.
    E.g.: hunt for kkD^2*Z, say, for the username on a blog.
    It won't show up because that username is not used on the blog to post anything.

    Using that url, with the blog domain, it would not show up as it is not used.

    Probably when I set up my blogs, I originally used weird usernames and passwords?

    For sure, just another way to protect your blog.
    It works with any WordPress blog, whether or not the username physically shows up in a blog post. It doesn't work if the username has never been used as the author of a post, but it will reveal any username that has been assigned to a post. It will always reveal the original usernames set up when the user accounts were set up, unless you have gone into the user table and changed the user_nicename column. The article I pointed to shows how it is done. The display_name column is editable on the user editor page, but the user_nicename is not.

    I have used Limit Login Attempts for a couple of years and noticed that recently some hackers were trying to log in with the custom usernames I set up, even though they did not appear on any pages or code used in the blogs. That is when I started digging into it to find out how the names were revealed. This is a security flaw in WordPress.

    Whether you are using the original default 'admin' account or not, if it exists it is a vulnerability. If you have an older blog, it could still be the default administrator account.


    Quote Originally Posted by Andy101 View Post
    Hmm, a bad design mistake by the WP programmers IMO. There should be a configuration option for the admin folder.
    You are correct. Users have been waiting for the WP development team to allow renaming of the wp-admin directory for several years. They seem to be too focused on adding bells and whistles that almost no one uses.
    Last edited by TopDogger; 21 April, 2013 at 15:46 PM.