• Resolved frank tredici

    (@frank13)


    I’ve Google’d and implemented a login access firewall to my WPMS networks via the .htaccess directives:

    <Files wp-login.php>
    order deny,allow
    Deny from all
    # allow access from these IP addresses
    allow from 123.456.789.012
    allow from 987.654.321.098
    </Files>

    Does anyone know how or why people still get through and attempt to login? The Sucuri Security plugin continues to alert me of login attempts:

    This email was sent from your website "My WordPress Multisite Network" by the Wordfence plugin at Friday 18th of September 2015 at 01:05:37 PM
        The Wordfence administrative URL for this site is: https://example.com/wp-admin/admin.php?page=Wordfence
    
        A user with IP address 92.81.164.249 has been locked out from the signing in or using the password recovery form for the following reason: Used an invalid username 'test' to try to sign in.
        User IP: 92.81.164.249
        User hostname: 92.81.164.249
        User location: Iași, Romania
    
        NOTE: You are using the free version of Wordfence.

    https://www.ads-software.com/plugins/sucuri-scanner/

Viewing 6 replies - 1 through 6 (of 6 total)
  • I’ve noticed the same thing. Have both Files wp-login.php as well as the entire wp-admin directory locked down, but am still getting notices about failed login attempts from IPs not in the allowed range. Testing access to these areas from external IPs shows an Apache forbidden, so I’m fairly confident the htaccess is set up correctly.

    However, in your case, the email you have listed was generated from Wordfence not Sucuri.

    Thread Starter frank tredici

    (@frank13)

    Oh, ok @gilzow. Thanks for commenting. And you’re right … I tagged the wrong plugin.

    Still a completely legitimate question. Just might explain why the plugin author hasn’t responded yet.

    Likely via xmlrpc. That’s where most brute force attempts are happening lately:

    https://blog.sucuri.net/2014/07/new-brute-force-attacks-exploiting-xmlrpc-in-wordpress.html

    thanks!

    @daniel Cid, that’s what I thought too, but I have it blocked as well.

    <Files xmlrpc.php>
    order deny,allow
    deny from all
    </Files>

    ??

    Thread Starter frank tredici

    (@frank13)

    Given the .htaccess method for preventing login attacks does not work in WordPress Multi-site, here is the solution I came up with for anyone wishing to truly button down their WPMS Network:

    Step 1: create a script and upload it to ./wp-content/mu-plugins/. I called my script “loginBlocker.php”.

    Step 2: here is the loginBlocker.php script:

    <?php
    /**
     * Plugin Name: WordPress Network Login Access & Control
     * Plugin URI: https://example.com/
     * Description: Login request intercept used on all sites in the network.
     * Version: 1.0
     * Author: F.Tredici
     * Author URI: https://example.com/ftredici/
     * License: GPLU
     */
    
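    // Redirect any login request whose source IP is not on the allowlist.
    function loginController_func() {
    
        // IP addresses allowed to log in (replace with your own addresses)
        $authorizedIPs = array(
            '123.456.789.012', // authorized user #1
            '987.654.321.098' // authorized user #2
        );
    
        // Strict comparison: REMOTE_ADDR must equal an entry exactly, as a string
        if (!in_array($_SERVER['REMOTE_ADDR'], $authorizedIPs, true)) {
            wp_redirect( 'https://example.com/', 301 );
            exit;
        }
    
    }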
    add_action('wp_authenticate', 'loginController_func'); // hook for wp-admin
    add_action('login_init', 'loginController_func'); // hook for wp-login all actions
    ?>

    Step 3: simply add the IP Address(es) for your authorized login sources to the $authorizedIPs array() and you’ll have better “peace” of mind.

    Good luck and happy hacker-blocking.

  • The topic ‘Preventing Login through Hardening WordPress’ is closed to new replies.
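
The question in this thread, which URL the failed logins actually arrive through when `wp-login.php` and `xmlrpc.php` are both denied in `.htaccess`, can be checked against the web server's own access log. The following is an added example, not code from any poster or plugin: it assumes Apache's common/combined log format, and the `audit` function, the sample log lines and the documentation-range IP addresses are constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumption: Apache common/combined log format; only the leading fields are used.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# The two authentication entry points named in the thread, under any path prefix.
AUTH_ENDPOINT = re.compile(r'/(?:wp-login|xmlrpc)\.php(?:[?/]|$)')

# Constructed sample lines (documentation-range addresses), not taken from the thread.
SAMPLE_LOG = [
    '198.51.100.7 - - [18/Sep/2015:13:05:37 +0000] "POST /wp-login.php HTTP/1.1" 403 210 "-" "-"',
    '198.51.100.7 - - [18/Sep/2015:13:05:39 +0000] "POST /site2/wp-login.php HTTP/1.1" 200 3512 "-" "-"',
    '192.0.2.44 - - [18/Sep/2015:13:06:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 208 "-" "-"',
    '192.0.2.44 - - [18/Sep/2015:13:06:02 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 200 402 "-" "-"',
    '203.0.113.10 - - [18/Sep/2015:13:07:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.7 - - [18/Sep/2015:13:07:10 +0000] "GET /wp-login.php HTTP/1.1" 403 210 "-" "-"',
]

def audit(lines, allowed):
    """Count POSTs to login endpoints from IPs outside `allowed` (addresses or CIDRs).

    Keys are (path, outcome): 'blocked' means the web server answered 403,
    'reached_php' means any other status, so the deny rule did not refuse it.
    """
    nets = [ip_network(a) for a in allowed]
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m['method'] != 'POST' or not AUTH_ENDPOINT.search(m['path']):
            continue
        try:
            src = ip_address(m['ip'])
        except ValueError:
            continue  # first field is a hostname or malformed; skip it
        if any(src in net for net in nets):
            continue  # allowlisted source, not of interest
        outcome = 'blocked' if m['status'] == '403' else 'reached_php'
        hits[(m['path'].split('?', 1)[0], outcome)] += 1
    return hits

if __name__ == '__main__':
    for (path, outcome), n in sorted(audit(SAMPLE_LOG, ['203.0.113.10']).items()):
        print(f'{n:4d}  {outcome:12s} {path}')
```

Rows marked `reached_php` give the exact request path that was not refused by the deny rule, which is the path to compare against the `<Files>` blocks and any rewrite rules.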