Dan
Moderator
I don't know about the rest of you but in this last week all of my hosted Wordpress sites have been getting attacked by a large botnet in an attempt to compromise the sites. And it's been very widespread as this post on WHT shows.
In trying to deal with it I did a number of different things but finally ended up using this by user Etterack (just slightly modified).
I will summarize here for cPanel users (that's what I'm using, sorry) but I am sure that it won't be too difficult to get working for other control panels.
Edit the pre_virtualhost_global.conf:
Code:
pico /usr/local/apache/conf/includes/pre_virtualhost_global.conf
And add this into it:
Code:
<Files wp-login.php>
AuthType basic
AuthName "Human Check - U: human P: check"
AuthBasicProvider file
AuthUserFile /home/.wpadmin
Require valid-user
</Files>
<Location /wp-admin>
AuthType basic
AuthName "Human Check - U: human P: check"
AuthBasicProvider file
AuthUserFile /home/.wpadmin
Require valid-user
</Location>
ErrorDocument 401 "Authentication required"
Save and exit:
Code:
ctrl+x y
You will also need to create the password file to be used with it:
Code:
/usr/local/apache/bin/htpasswd -bc /home/.wpadmin human check
Then restart Apache and you will be good to go:
Code:
service httpd restart
What this will do is password protect the wp-login.php file and the wp-admin directory. The login dialog box that comes up will display "Human Check - U: human P: check" right on it so no need to have your users remember another username/pass and it will be serverwide as well so it should be pretty low maintenance.
This should take care of any bot attacks like this and, truth be told, I've actually been dealing with those ever since installing my first Wordpress site not just for this past week.
Hope that helps!
PS: Did you know that you can have a global .htaccess? Just create it in /home (so /home/.htaccess) and it will take effect for all domains hosted! Just a little tidbit I ran across while working on this.
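One way to check from the Apache access log that the prompt is stopping the bots, as an added example that is not part of the original post. It assumes the combined log format; the sample lines, IP addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "METHOD path proto" status ...
LINE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample lines (documentation IP ranges), not from a real server.
SAMPLE = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 401 23 "-" "bot"
192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 401 23 "-" "bot"
198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /wp-admin/ HTTP/1.1" 401 23 "-" "bot"
203.0.113.5 - human [01/Jan/2024:10:01:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Firefox"
203.0.113.5 - human [01/Jan/2024:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Firefox"
192.0.2.44 - - [01/Jan/2024:10:02:00 +0000] "POST /blog/wp-login.php?action=x HTTP/1.1" 200 3120 "-" "bot"
192.0.2.44 - - [01/Jan/2024:10:02:01 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "bot"
""".splitlines()

def is_protected(path):
    """Mirror the config: wp-login.php in any directory, /wp-admin at the site root."""
    p = path.split("?", 1)[0]
    name = p.rsplit("/", 1)[-1]
    return name == "wp-login.php" or p == "/wp-admin" or p.startswith("/wp-admin/")

def summarize(lines):
    stopped = Counter()  # client IP -> requests answered with 401 (stopped at the prompt)
    passed = Counter()   # client IP -> requests logged with a Basic auth user
    unprotected = []     # served with no auth user logged: check that vhost's config
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, user, method, path, status = m.groups()
        if not is_protected(path):
            continue
        if status == "401":
            stopped[ip] += 1
        elif user != "-":
            passed[ip] += 1
        else:
            unprotected.append((ip, method, path, status))
    return stopped, passed, unprotected

if __name__ == "__main__":
    stopped, passed, unprotected = summarize(SAMPLE)
    print("stopped at prompt:", dict(stopped))
    print("passed human check:", dict(passed))
    print("served without auth:", unprotected)
```

Requests that land in the last list reached a login page without the prompt, so that domain's configuration is the one to look at.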