Many, many attempts to hack login.php

Technically, you can block not only a single IP, but even the whole country of your choice by using a simple code placed in .htaccess file.

There are many tutorials online.

Thanks. Yes, I’ve read those tutorials and even put their suggested code(s) into my .htaccess file, but they don’t seem to work. I have deny orders for specific ip addresses, yet those same address still show up in server logs.

There was an excellent discussion about site security started by a good question on wp-hackers back in July where Otto made the point that security cannot be automated, and more importantly, should not be and should not attempted. It requires an active administrator enforcing a strong password policy, among other things.

Here’s a link to the discussion: https://lists.automattic.com/pipermail/wp-hackers/2012-July/043638.html

What came out of it, and what I recommended to my clients the next day, was to install Limit Login Attempts. You can take that a step further and remove the ‘admin’ username itself too. But a few hundred requests to login everyday shouldn’t be the tipping point for your server. If it is, that is an entirely different discussion.

Thanks, Andrew! For quite some time already I’ve had Limit Login Attempts in place, I do not use ‘Admin’ as the user name, and my login password is extremely strong, too. So maybe I’m just overly concerned unnecessarily.

Yesterday, for example, one ip address (according to server stats) logged 23 hours. You probably have lots more experience than I do, so if you don’t feel that much server time or a few hundred page requests from the same ip is a problem, then I won’t worry about it.

Thanks again. I appreciate the feedback.

I worry about it constantly and wake up in the middle of the night, but I’m weird.

If an IP displays a particular… obsessiveness, shall we say, I tend to step it up into apache administration and drop the ban hammer. But realistically, anyone who is running a shop in eastern Europe (my biggest problem area), is not going to be stopped by having an ip blocked. However, it will discourage an otherwise determined non-technical user.

Most of my bothersome ip addresses are in Russia and, to a somewhat lesser degree, China. And one ip in particular is becoming quite insistent.

What do you mean by going into apache administration and dropping the ban hammer?

https://www.htaccess-guide.com/deny-visitors-by-ip-address/

Thanks, esmi…

I began using that method over a year ago. I still use it and it still works for the most part but, apparently, there is a way determined hackers can get around that. Even though I have denied (many) specific ip addresses with .htaccess, some of them still show up on my server logs.

That’s what is frustrating to me.

@mikeharrison: if you have no legit visitors from russia, you can block the whole country: https://ipinfodb.com/ip_country_block.php

Thanks, songdogtech…

Yes, I’ve had a long block of Russian ip addresses (plus Korea and China) in my htaccess file for a while, and I had just added more from the site you linked to a few minutes ago.

I appreciate your help!

@andrew Bartel…

That insistent Russian ip address is receiving ‘403’ errors, but yesterday alone, it made 1,014 attempts to access the login page.

Your thoughts?

Thanks!

It’s a poorly written bot that doesn’t know the difference between a 403 and a rendering of the login page and to quit trying the page. You’ve blocked it; now you have to ignore it.

In addition,

Are you the only person that needs to log in to your site? If so, you can block access to wp-login.php with .htaccess as well via whitelisting.

While this doesn’t work as well for dynamic IP addresses you could still limit it to Class C’s, B’s, or A’s and it will still give some protection.

RewriteCond %{REMOTE_ADDR} !^123\.456\.789\.123$
RewriteRule ^wp-login\.php https://example.com [R,L]

Where example.com is your domain.

Where 123.456.789.123 is your IP
You can adjust it to Class C’s like so:
RewriteCond %{REMOTE_ADDR} !^123\.456\.789\.

Or Class B:
RewriteCond %{REMOTE_ADDR} !^123\.456\.

Or Class A:
RewriteCond %{REMOTE_ADDR} !^123\.

Hi I am newbie to this, so I hope you guys can be patient with me.

Shouldn’t the task of handling the hackers be dealt with by the webhost?

@ compositelitmus

Not from the HTTP protocol. From that aspect it’s basically your site. They try to provide support there as well, but then you come into usability, so from the HTTP protocol it’s basically your responsibility.