.htaccess for entire /home to stop wp-login.php bruteforce ...feasible?
Like for many others, our cpanel servers are getting hammered day in day out with wp-login.php login attempts.
Not on such a huge scale that they're causing trouble but I worry without any restrictions they're bound to brute force their way in to some of the customers' wordpress blogs.
This is NOT about mod_security - I am aware there are rules out there, but from what I've read they're either easily circumvented or create more issues than they solve.
What I had in mind was... putting a .htaccess in /home directly and specify directives in it such that whenever someone attempts to access wp-login.php anywhere under /home/ - they're subjected to a list of allowed IPs.
I can email my customers and get their static IPs to add to the list so that they're able to access wp-login.php
Is this feasible? What possible issues could I run into? Does WordPress use wp-login.php for anything other than ADMIN login, i.e. do normal 'users' also use this script? (If so, then this would be a non-workable solution.)
You might find more help with questions like this on the WordPress support site. This link should be helpful; it mentions ideas like yours: http://codex.wordpress.org/Hardening_WordPress

> This is NOT about mod_security - I am aware there are rules out there, but from what I've read they're either easily circumvented or create more issues than they solve.

Disagree. You can never have too much security.
Yes, this would work (a .htaccess in /home) but it's a lot of work to manage. And yes, normal users, not just admins, use wp-login.php. I've used modsecurity successfully to defend WP brutes on over 10,000 servers. Simply put, it works. Most of the new brute forces are using the xmlrpc.php call anyway, not wp-login. I'm also defending against the xmlrpc.php brutes with modsecurity very successfully. New Brute Force Attacks Exploiting XMLRPC in WordPress | Sucuri Blog: http://blog.sucuri.net/2014/07/new-brute-force-attacks-exploiting-xmlrpc-in-wordpress.html
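For reference, here is what the /home-level .htaccess sketched in the question would look like, extended to cover the xmlrpc.php path raised in the reply above. This is an added example, not configuration from either poster; it assumes Apache 2.2 or 2.4 with AllowOverride permitting Limit directives under /home, and the IP addresses are placeholders to be replaced with the customers' static IPs.

```apache
# /home/.htaccess (added example, not from the original thread)
# Restricts wp-login.php and xmlrpc.php in every directory below /home
# to an allowlist of customer IPs. Addresses below are placeholders
# from the RFC 5737 documentation ranges.

# Caveat from the thread: ordinary subscribers and commenters also log in
# through wp-login.php, so every WordPress user of every customer must come
# from a listed address, not only the site admins.
<Files "wp-login.php">
    <IfModule mod_authz_core.c>
        # Apache 2.4 syntax
        Require ip 203.0.113.10
        Require ip 198.51.100.0/24
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 syntax
        Order Deny,Allow
        Deny from all
        Allow from 203.0.113.10
        Allow from 198.51.100.0/24
    </IfModule>
</Files>

# xmlrpc.php is the other login path the reply mentions. It is also used by
# remote publishing clients (e.g. the WordPress mobile apps) and pingbacks,
# so an allowlist here affects those too; denying it entirely is the
# simpler option if no customer relies on them.
<Files "xmlrpc.php">
    <IfModule mod_authz_core.c>
        Require ip 203.0.113.10
        Require ip 198.51.100.0/24
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
        Allow from 203.0.113.10
        Allow from 198.51.100.0/24
    </IfModule>
</Files>
```

A blocked request returns 403 and is recorded in the per-site error log, which gives a simple way to confirm the rule is taking effect from a non-listed address before emailing customers.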