How to deal with endless bot hits on wp-login.php

Kaz Wolfe

Well-known member
Registered
Joined
Jul 7, 2016
Messages
614
Points
28
When I view the log file for my WordPress site, there are so many records showing bots trying to hit my wp-login.php. Is there a way to secure wp-login.php? I would appreciate any opinions on this.
 

VirtuBox

Well-known member
Registered
Joined
May 3, 2016
Messages
1,622
Points
83
If you are using Nginx, here are the settings for WordPress:

Code:
# Limit access to avoid brute force attack
# The "one" zone must be declared once in the http {} block, e.g.
#   limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
# and "php" must be an upstream {} block pointing at your PHP-FPM socket
location = /wp-login.php {
  limit_req zone=one burst=1 nodelay;
  include fastcgi_params;
  fastcgi_pass php;
}
# Disable wp-config.txt (a leftover copy of wp-config.php must never be served)
location = /wp-config.txt {
  deny all;
  access_log off;
  log_not_found off;
}
# Disallow php in upload folder
location /wp-content/uploads/ {
  location ~ \.php$ {
    # Prevent direct access of PHP files from web browsers
    deny all;
  }
}
# Yoast sitemap
location ~ ([^/]*)sitemap(.*)\.x(m|s)l$ {
  rewrite ^/sitemap\.xml$ /sitemap_index.xml permanent;
  rewrite ^/([a-z]+)?-?sitemap\.xsl$ /index.php?xsl=$1 last;
  # Rules for yoast sitemap with wp|wpsubdir|wpsubdomain
  rewrite ^.*/sitemap_index\.xml$ /index.php?sitemap=1 last;
  rewrite ^.*/([^/]+?)-sitemap([0-9]+)?\.xml$ /index.php?sitemap=$1&sitemap_n=$2 last;
  # Following lines are options. Needed for WordPress seo addons
  rewrite ^/news_sitemap\.xml$ /index.php?sitemap=wpseo_news last;
  rewrite ^/locations\.kml$ /index.php?sitemap=wpseo_local_kml last;
  rewrite ^/geo_sitemap\.xml$ /index.php?sitemap=wpseo_local last;
  rewrite ^/video-sitemap\.xsl$ /index.php?xsl=video last;
  access_log off;
}
 

tlhIngan

Member
Registered
Joined
Jul 12, 2016
Messages
49
Points
8
File or folder protection with a password is a good way to stop malicious login attempts.

Nice code, but if I am using another OS, is there a way to do it with a plugin or a simpler way?
 

WPCycle

Well-known member
Hosting Provider
Registered
Joined
Dec 31, 2016
Messages
123
Points
18
The best option is to find out the equivalent code for the OS you're using. Blocking traffic is more effective from the server, before it goes to PHP or MySQL. Doing it from a plugin requires PHP processes to block the traffic, and jams the tables with information related to those blocks.
 

VirtuBox

Well-known member
Registered
Joined
May 3, 2016
Messages
1,622
Points
83
You can do the same with Apache using .htaccess.
But that's also why I prefer to use nginx with one .conf file per domain instead of thousands of .htaccess files.
 

Kaz Wolfe

Well-known member
Registered
Joined
Jul 7, 2016
Messages
614
Points
28
I am using Apache as my web server, but I am going to move to nginx because it has better performance than Apache.

Code:
/etc/nginx/nginx.conf
Is this the location of the .conf file you mentioned?
 

Nixtree

Well-known member
Registered
Joined
Jul 16, 2016
Messages
133
Points
28
For Apache, I would suggest ModSec rules, and for nginx the method VirtuBox gave will be perfect!!
 

Kaz Wolfe

Well-known member
Registered
Joined
Jul 7, 2016
Messages
614
Points
28
Can you share ModSec rules for Apache? I would give it a try if it really makes a difference.
 

Laurence Flynn

Well-known member
Registered
Joined
Dec 31, 2016
Messages
92
Points
8

Kaz Wolfe

Well-known member
Registered
Joined
Jul 7, 2016
Messages
614
Points
28
Whoops, I didn't check your link; I rarely check links if they're not related to my question.
BTW, it's blocking bots using an .htaccess file; I thought I could do that on my hosting panel with a few clicks.
If using this way, I would block wp-login.php directly with .htaccess; it is easier and more convenient.

For example

Code:
# Apache 2.2 syntax. With "Order allow,deny" a "Deny from all" wins over every
# Allow line and locks everyone out; "Order deny,allow" lets the Allow override it.
# On Apache 2.4 the equivalent is a single line: Require ip myy.ipp.add.res
<Files "wp-login.php">
Order deny,allow
Deny from all
Allow from myy.ipp.add.res
</Files>
 

Laurence Flynn

Well-known member
Registered
Joined
Dec 31, 2016
Messages
92
Points
8
Absolutely mod_security. Here are some resources:

https://www.andreapernici.com/wordpress-brute-force-attacks-lock-modsecurity/
http://honeyco.nyc/blog/prevent-brute-force-login-on-wordpress/

In /etc/httpd/conf/modsecurity.d/ this is our wp-login.conf:

Code:
# Per-client collections keyed by source address (ids 1-4 are local choices;
# use an id range that does not clash with other rule sets such as the CRS)
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:1
<Location /wp-login.php>
# Already blocked: answer 401 until user.bf_block expires
SecRule user:bf_block "@gt 0" "deny,status:401,log,msg:'ip address blocked for 5 minutes, more than 15 login attempts in 3 minutes.',id:2"
# 302 is the redirect after a successful login: reset the failure counter
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,log,pass,setvar:ip.bf_counter=0,id:3"
# 200 means the login form was rendered again (failed attempt): count it,
# let the counter decay by 1 every 180 s, and block for 300 s once it passes 15
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,log,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:4"
SecRule ip:bf_counter "@gt 15" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</Location>
You should also protect xml-rpc.php. Again, some resources:

http://alzabo.io/modsecurity/2014/09/15/wordpress-xml-rpc-brute-force.html

https://gist.github.com/arg0sy/20a85ce5187d9dfc159b

Our xml-rpc.conf:

Code:
SecDataDir /tmp

SecResponseBodyAccess On
SecResponseBodyLimitAction ProcessPartial
SecResponseBodyMimeType text/xml

# SecStreamInBodyInspection requires ModSecurity 2.6.0 or greater
SecStreamInBodyInspection On

SecAction "phase:1,nolog,pass,id:19300,\
    initcol:ip=%{REMOTE_ADDR}"

<FilesMatch "xmlrpc.php">
    # Every XML-RPC fault response (e.g. bad credentials) bumps the per-IP
    # counter, which decays by 1 every 300 s
    SecRule RESPONSE_BODY "faultString" "id:19301,nolog,phase:4,\
        t:none,t:urlDecode,setvar:ip.xmlrpc_bf_counter=+1,\
        deprecatevar:ip.xmlrpc_bf_counter=1/300,pass"

    # Deny wp.* method calls once more than 4 faults have been counted
    SecRule STREAM_INPUT_BODY "<methodCall>wp\." "id:19302,log,chain,\
        deny,status:406,phase:4,t:none,t:urlDecode,\
        msg:'Temporary block due to multiple XML-RPC method call failures'"

    SecRule ip:xmlrpc_bf_counter "@gt 4" "t:none,t:urlDecode,\
        t:removeWhitespace"
</FilesMatch>
Hope this helps.
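The counting and blocking behaviour of the wp-login.conf rules above, replayed in Python as an added example (this is not the poster's code and does not use any ModSecurity API): each failed login (a 200 response) adds one to a per-IP counter, a successful login (302) resets it, and once the counter passes 15 the client is answered 401 for 300 seconds. The request sequences are constructed, and the decay is modelled as a continuous drain of 1/180 per second, which is an assumption about how deprecatevar is applied between evaluations.

```python
"""Replay of the per-IP brute-force counter implemented by the wp-login.conf
ModSecurity rules above.  Added example, not the poster's code; the decay is
modelled as a continuous 1/180 per second drain (an assumption about how
deprecatevar is applied).  Request sequences are constructed."""
from dataclasses import dataclass

COUNTER_LIMIT = 15     # ip:bf_counter "@gt 15"
DECAY_SECONDS = 180    # deprecatevar:ip.bf_counter=1/180
BLOCK_SECONDS = 300    # expirevar:user.bf_block=300


@dataclass
class IpState:
    counter: float = 0.0        # ip.bf_counter
    counter_ts: float = 0.0     # when the counter was last written
    blocked_until: float = 0.0  # user.bf_block expiry (0 = not blocked)


class BruteForceGuard:
    """State the rule set keeps for every client IP."""

    def __init__(self):
        self.ips = {}

    def handle(self, ip, app_status, now):
        """Return the status the client actually receives.

        app_status is what wp-login.php itself would answer: 200 means the
        form was re-rendered (failed attempt), 302 is the post-login redirect.
        """
        st = self.ips.setdefault(ip, IpState())
        # rule id:2 (phase 2): an active block short-circuits with 401, and
        # because neither 302 nor 200 is returned the phase-5 rules stay quiet
        if st.blocked_until > now:
            return 401
        # deprecatevar: drain the counter for the time since it was last touched
        st.counter = max(0.0, st.counter - (now - st.counter_ts) / DECAY_SECONDS)
        st.counter_ts = now
        if app_status == 302:            # rule id:3: successful login, reset
            st.counter = 0.0
        elif app_status == 200:          # rule id:4 plus its chained rule
            st.counter += 1
            if st.counter > COUNTER_LIMIT:
                st.blocked_until = now + BLOCK_SECONDS
                st.counter = 0.0
        # the response that tripped the threshold has already gone out (phase 5)
        return app_status


def simulate(events):
    """events: (seconds, ip, app_status) in time order -> (seconds, ip, seen_status)."""
    guard = BruteForceGuard()
    return [(t, ip, guard.handle(ip, s, t)) for t, ip, s in events]


# Constructed scenario: one client hammering the form once a second, then
# coming back after the 300 s block has expired.
ATTACK = [(t, "198.51.100.7", 200) for t in range(20)] + [(320, "198.51.100.7", 200)]


def statuses(events):
    """Just the statuses the client saw, in order."""
    return [s for _, _, s in simulate(events)]


if __name__ == "__main__":
    for t, ip, s in simulate(ATTACK):
        print(f"t={t:3d}s {ip} -> {s}")
```

Two things the replay makes visible that the rules alone do not: the sixteenth failure itself still gets a 200, because user.bf_block is only set in phase 5 after that response has left, so the seventeenth request is the first one denied; and a client that logs in successfully between failures never accumulates towards the limit, since the 302 rule zeroes the counter.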
 

Laurence Flynn

Well-known member
Registered
Joined
Dec 31, 2016
Messages
92
Points
8
Yep, if using standard shared hosting you have to use .htaccess. But your host should have the mod_sec rules in place or something similar.
 

Danami

New member
Registered
Joined
Mar 11, 2017
Messages
2
Points
0

Dr. McKay

Well-known member
Registered
Joined
Nov 26, 2016
Messages
579
Points
28
This way seems pretty complex; I would rather password-protect the WordPress admin or wp-login.php with .htaccess. I am using this method for my WordPress sites and it is effective.
 

LJSHost

Well-known member
Hosting Provider
Registered
Joined
Jul 5, 2016
Messages
1,031
Points
63
This is a big problem for any hosting provider. I deal with many cases of this daily, along with XMLRPC attacks, which do eat a decent amount of CPU and, if left unchecked, over time will dominate all resources on the account/server. I use a script which monitors Apache logs and mails me when triggers happen. A simple alternative is just to use the watch command with Apache status and a grep -v; you can clearly see all the bot attacks on wp-login.php and xmlrpc.

It's just a simple matter of blocking them at the firewall.

Code:
106.75.85.203
96.10.116.230
155.133.82.12
95.39.39.126
195.154.250.118
195.154.250.248
108.175.2.210
91.102.224.83
91.200.12.53
195.154.250.216
182.255.0.60
37.59.110.98
2.50.32.153
195.154.241.166
62.210.188.86
199.15.233.168
199.15.233.162
114.108.150.159
61.19.112.28
197.253.1.252
94.23.250.199
195.154.226.186
173.208.157.186
185.13.224.189
43.228.128.187
103.215.83.39
199.15.233.170
91.197.232.109
130.211.177.25
199.15.233.147
46.4.133.5
14.1.30.27
74.208.86.223
51.254.215.108
138.197.124.33
195.154.183.190
62.210.88.4
125.209.122.46
84.255.248.64
196.3.88.149
93.186.254.98
104.131.228.134
149.156.173.214
195.154.232.138
177.220.137.198
195.154.178.53
91.200.12.103
186.208.1.235
156.67.106.211
137.74.20.93
176.31.106.171
80.122.108.46
51.15.138.215
199.15.233.142
47.90.55.236
61.41.4.26
181.39.89.146
203.154.220.132
124.124.214.44
181.143.230.53
91.200.12.15
217.70.32.3
Here are our repeat offenders for xmlrpc and wp-login since Feb 1st, if any of you want to add these to your firewall :)

As others have said, many different solutions exist for this problem and they all work well.
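An added example, not LJSHost's own monitoring script, of the offline triage this post describes: a Python parser for Apache combined-format access log lines that counts POSTs to wp-login.php and xmlrpc.php per client IP and returns the repeat offenders above a threshold, ready to paste into a firewall deny list like the one above. The log lines, user agent and IPs (taken from documentation ranges) are constructed for the example.

```python
"""Offline triage of an Apache combined-format access log for wp-login.php
and xmlrpc.php abuse.  Added example, not LJSHost's monitoring script.
The log lines below are constructed (documentation-range IPs)."""
import re
from collections import Counter, defaultdict

# Apache combined log: client ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Endpoints that bots hammer; only POSTs count, since a GET of the login
# form is an ordinary page view and XML-RPC is POST-only anyway
TARGETS = ("/wp-login.php", "/xmlrpc.php")


def _line(ip, method, path, status, ts="01/Mar/2017:10:00:00 +0000"):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "constructed-UA/1.0"'


SAMPLE_LOG = (
    [_line("198.51.100.7", "POST", "/wp-login.php", 200)] * 5   # login brute force
    + [_line("198.51.100.9", "POST", "/xmlrpc.php", 200)] * 6   # xmlrpc abuse
    + [
        _line("203.0.113.5", "GET", "/wp-login.php", 200),      # loads the form
        _line("203.0.113.5", "POST", "/wp-login.php?redirect_to=%2Fwp-admin%2F", 302),  # logs in
        _line("203.0.113.6", "GET", "/index.php", 200),         # ordinary visitor
        "garbage line that does not parse",                     # log corruption
    ]
)


def parse_line(line):
    """Return the fields of one log line, or None if it is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def count_hits(lines):
    """Per-IP Counter of POSTs against the targeted endpoints."""
    hits = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in TARGETS:
            hits[rec["ip"]][rec["path"]] += 1
    return dict(hits)


def repeat_offenders(lines, threshold=5):
    """IPs with at least `threshold` login/XML-RPC POSTs, busiest first."""
    totals = {ip: sum(c.values()) for ip, c in count_hits(lines).items()}
    over = [(ip, n) for ip, n in totals.items() if n >= threshold]
    return sorted(over, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for ip, n in repeat_offenders(SAMPLE_LOG):
        print(f"{ip}\t{n} hits")
```

Run it against a real log by replacing SAMPLE_LOG with the lines of the access log file; unparseable lines are skipped rather than aborting the run, and a legitimate user who loads the form and logs in once stays well under the threshold. Pick the threshold from what your own traffic looks like, since a site with many editors will see more legitimate login POSTs than a single-author blog.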
 

LJSHost

Well-known member
Hosting Provider
Registered
Joined
Jul 5, 2016
Messages
1,031
Points
63
As a hosting company we cannot rely on customers to take the correct security actions. WordPress is a customer application whose management we have nothing to do with, but like I said in my previous post, these attacks have to be dealt with ASAP as they do create server load. I've had whole CPU cores eaten up by huge amounts of brute force on many sites.
 

rankmyhub

Well-known member
Registered
Joined
Feb 14, 2017
Messages
193
Points
18
If you want a plugin-based solution, I would recommend

https://wordpress.org/plugins/wp-simple-firewall/

Install their free version from wordpress.org; it does a good job and hardens most parts of WordPress. You can even implement CSP, secure headers and other things right from the plugin.

Hope this helps you. Thanks
 

Dewlance

Well-known member
Hosting Provider
Registered
Joined
Dec 20, 2014
Messages
115
Points
18
The best option is to allow from your IP and deny access from everyone else using an .htaccess file in the wp-admin folder.

Another option is a referrer checker which will not allow direct access to wp-login.php.
 