wp-login.php brute force attacks

If you have one user login, you can also create an .htaccess and only allow access to your IP.
You can also block access to xmlrpc.php this way.
 
Blocking with .htaccess rules will end up causing end user frustrations across multiple WP installations.

If IP restricting, you'll have to update every time their dynamic IP changes. You'll have to allow IPs for certain plugins.

.htaccess rules are fine if on your own sites, but potentially more trouble than it's worth for customer sites.
 
Blocking with .htaccess rules will end up causing end user frustrations across multiple WP installations.
That's why I stated "if you have one user login".

For customer sites there are global ways to deny access to xmlrpc.php, which are to be found on the forums.
There is a built-in wp-login brute force detection in DA, but it's also very well possible to use a CSF regexp for that if we are talking multiple users and WP installations.
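The kind of per-IP check a CSF regexp would do across all sites on the box, written out as an added Python example (not code from this thread, DirectAdmin or CSF): it reads Apache combined-format access log lines, counts POSTs to wp-login.php and xmlrpc.php per client IP inside a sliding window, and returns the IPs over the threshold. The log lines are constructed sample data; the threshold and window are assumptions you would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Dec/2024:11:20:01 +0100] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Dec/2024:11:20:02 +0100] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Dec/2024:11:20:03 +0100] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Dec/2024:11:20:04 +0100] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Dec/2024:11:20:05 +0100] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Dec/2024:11:21:10 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Dec/2024:11:25:00 +0100] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, path and status from one combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Login endpoints to watch; the tuple lets endswith() match them under any site subdirectory.
TARGETS = ("/wp-login.php", "/xmlrpc.php")

def parse_line(line):
    """Return (ip, timestamp, method, path) or None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path")

def find_bruteforcers(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: total login POSTs} for IPs that reach `threshold` POSTs within `window`."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if method == "POST" and path.split("?")[0].endswith(TARGETS):
            hits[ip].append(ts)
    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start = 0  # sliding window over the sorted timestamps
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged
```

The same idea expressed as a CSF custom regex would trigger on each matching line and let CSF do the counting and the temporary block; counting here instead makes the threshold behaviour visible on sample data before you deploy it.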
 
Blocking with .htaccess rules will end up causing end user frustrations across multiple WP installations.

If IP restricting, you'll have to update every time their dynamic IP changes. You'll have to allow IPs for certain plugins.

.htaccess rules are fine if on your own sites, but potentially more trouble than it's worth for customer sites.

That's why I already said, a long time ago in that thread, that you only need to block wp-login.php generally with a simple .htaccess password request, problem solved. But I don't like to repeat it again here ;-) We did this on several hundred domains, problem solved.
 
I'm also looking for a solution to brute force attacks on WordPress on a multiple-site server. Usually the attack looks like this:

[attached screenshot: Captura de pantalla 2024-12-19 112033.png]

I tried the reCAPTCHA, but it loads the server anyway. Also the MESSENGER from CSF and some regex rules that worked for some time. Any other ideas?

Thank you.
 
Yes, I know. But customers can do that themselves; I always advise them to do so. Next to the things you can do, good advice is always a good addition. ;)
 
I now just rename wp-login.php to something else and rename it back when I need it again. They cannot access it if it doesn't exist.
 
Welcome to WordStress, er, WordPress....... There are plugins to rename the admin directory...... They'll help, the webserver will give 404s - so there is not much CPU usage
 
Just enable some blocklists in "/etc/csf/csf.blocklists", it should reduce the server load.
Also I block the countries Russia and China, because most bots come from these countries.

Most bad IPs should be blacklisted. But I still get the load from the unknown IPs.
 