Wp-login.php hackers

Discussion in 'Linux VPS/Dedicated - General' started by Dan, Apr 12, 2013.

  1. Dan

    Dan Moderator

    I don't know about the rest of you, but in this last week all of my hosted WordPress sites have been getting attacked by a large botnet in an attempt to compromise the sites. And it's been very widespread, as this post on WHT shows.

    In trying to deal with it I did a number of different things but finally ended up using this by user Etterack (just slightly modified).

    I will summarize here for cPanel users (that's what I'm using, sorry) but I am sure that it won't be too difficult to get working for other control panels.

    Edit the pre_virtualhost_global.conf:
    Code:
    pico /usr/local/apache/conf/includes/pre_virtualhost_global.conf
    And add this into it:
    Code:
    # Basic auth in front of the login script on every vhost; the shared
    # username/password is shown in the prompt, so it stops bots, not people.
    <Files wp-login.php>
    AuthType Basic
    AuthName "Human Check - U: human P: check"
    AuthBasicProvider file
    AuthUserFile /home/.wpadmin
    Require valid-user
    </Files>

    # The same wall in front of the admin directory.
    <Location /wp-admin>
    AuthType Basic
    AuthName "Human Check - U: human P: check"
    AuthBasicProvider file
    AuthUserFile /home/.wpadmin
    Require valid-user
    </Location>

    # Short plain-text body for the 401 instead of the default error page.
    ErrorDocument 401 "Authentication required"

    Save and exit:
    Code:
    ctrl+x y


    You will also need to create the password file to be used with it:
    Code:
    /usr/local/apache/bin/htpasswd -bc /home/.wpadmin human check


    Then restart Apache and you will be good to go:
    Code:
    service httpd restart


    What this will do is password-protect the wp-login.php file and the wp-admin directory. The login dialog box that comes up will display "Human Check - U: human P: check" right on it, so there's no need to have your users remember another username/pass, and it will be server-wide as well, so it should be pretty low maintenance.

    This should take care of any bot attacks like this and, truth be told, I've actually been dealing with those ever since installing my first Wordpress site not just for this past week.

    Hope that helps!

    PS: Did you know that you can have a global .htaccess? Just create it in /home (so /home/.htaccess) and it will take effect for all domains hosted! Just a little tidbit I ran across while working on this.
     
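    Once that wall is up, every bot POST to wp-login.php should show up in the access log as a 401. Here is an added shell example (not from Dan's post) that scans a combined-format Apache access log for POSTs to wp-login.php, lists the IPs above a threshold, and counts how many of those POSTs were answered 401; the log lines are constructed sample data and the threshold of 3 is an assumption.

```shell
#!/bin/sh
# Added example: spot a wp-login.php POST burst in an Apache combined-format
# access log and confirm the Basic-auth wall is answering with 401s.

# Constructed sample log lines (not real traffic), written to a temp file.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [12/Apr/2013:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3800 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3800 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3800 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:01:04 +0000] "GET /wp-login.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Apr/2013:10:01:06 +0000] "GET /index.php HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:10:01:07 +0000] "POST /wp-login.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
EOF

# Print "count ip" for every client that POSTed to wp-login.php at least
# $2 times in log file $1, most active first. In the combined format the
# fields are: $1 client IP, $6 "METHOD (with the opening quote), $7 path,
# $9 status code.
wp_login_offenders() {
    awk -v min="$2" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' "$1" | sort -rn
}

# Number of wp-login.php POSTs answered 401. With the <Files> wall active
# this should be essentially all of them; the 200s above predate the wall.
wp_login_401_count() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 401 { c++ }
         END { print c + 0 }' "$1"
}

wp_login_offenders "$SAMPLE_LOG" 3
wp_login_401_count "$SAMPLE_LOG"
```

On a cPanel box, point it at the per-domain access log instead of the constructed file to see the real picture.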
  2. KH-Jonathan

    KH-Jonathan Director of Managed Services Staff Member

    Dan,

    Thanks for this detailed post!

    We've definitely been fighting this. It's hit a lot of sites on our network pretty hard since yesterday. There are a few modsec rules we've also had pretty good success with, and we're working on something else as well; once we perfect it, I'll get it posted up for everyone.
     
  3. Dan

    Dan Moderator

    OK, this is pretty screwy. I have no idea why there are HTML tags inside my code tags :|
     
  4. KH-Jonathan

    KH-Jonathan Director of Managed Services Staff Member

    When you created the post did you try coloring things inside of the code tags?

    You can't do that ;)
     
  5. Dan

    Dan Moderator

    Some of it was copied off another webpage, obviously, but I didn't put any tags in myself at all, no. As a matter of fact, on this last edit I put it all into a text editor, stripped it out, then pasted it as plain text, and yet...there it is.
     
  6. KH-Jonathan

    KH-Jonathan Director of Managed Services Staff Member

    Hmm, this is weird. Looks like some sort of bug to me. I just cleaned it up, and it put itself right back there. I'll have to look into this.

    EDIT: That was weird, I edited it some more and got it straight. Not sure how that happened but I'll have to look into it.
     
  7. Dan

    Dan Moderator

    Thanks Jonathan! :D
     
  8. Big Dan

    Big Dan New Member

    XF's editor is a little buggy at times.
     
  9. Dan

    Dan Moderator

    Hey Jonathan,

    I'm seeing a pretty good amount of attempts on wp-login.php again here. Any chance you can share what you came up with in regards to this and explain what it does?
     
  10. KH-DanielP

    KH-DanielP KH-COO Staff Member

    Dan,

    I'm seeing an uptick across the network for attacks as well. It appears they've modified the attack in a way that a lot of the previous block methods don't work. This .htaccess mod does appear to be helping block some of them.

    Code:
    <IfModule mod_rewrite.c>
    RewriteEngine on
    # Only POSTs are checked; a GET of the login page always goes through.
    RewriteCond %{REQUEST_METHOD} =POST
    # Pass the request when the referer is this site: http or https, the
    # bare domain or any subdomain, dots escaped so they match literally.
    # (The commonly pasted form ^http://(.*)?.example.com rejects the bare
    # domain and https, so real logins from those get the 403 too.)
    RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?example\.com [NC]
    # ...and the target is wp-login.php or the /wp-admin directory.
    RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^/wp-admin$
    RewriteRule ^(.*)$ - [R=403,L]
    </IfModule>
    Just make sure to replace example.com with your domain, it'll lock down and deny direct access without a referrer being sent.
     
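    To see exactly which POSTs that rule lets through, here is an added shell example (not from KH-DanielP's post) that re-implements the rule's decision and runs it over constructed requests with two referer patterns: the loosely written one that circulates widely, `^http://(.*)?.example.com`, and a tightened one that escapes the dots and accepts https and the bare domain. The referer is a client-supplied header, so this only filters bots that don't bother to set one; the requests and referers below are constructed.

```shell
#!/bin/sh
# Added example: shell model of the mod_rewrite block above.
# The rule blocks when ALL of these hold:
#   method is POST, referer does NOT match the site pattern ([NC] = case-
#   insensitive), and the URI is /wp-login.php... or exactly /wp-admin.

# Loosely written pattern as commonly pasted around, and a tightened one.
LOOSE='^http://(.*)?.example.com'
STRICT='^https?://([^/]+\.)?example\.com'

# would_block PATTERN METHOD URI REFERER -> prints "block" or "allow".
would_block() {
    pat=$1; method=$2; uri=$3; ref=$4
    # RewriteCond %{REQUEST_METHOD} =POST
    [ "$method" = "POST" ] || { echo allow; return; }
    # RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$ [OR] ^/wp-admin$
    case "$uri" in
        /wp-login.php*|/wp-admin) ;;
        *) echo allow; return ;;
    esac
    # RewriteCond %{HTTP_REFERER} !PATTERN [NC]
    if printf '%s\n' "$ref" | grep -Eiq -- "$pat"; then
        echo allow      # referer looks like this site: let it through
    else
        echo block      # what the rule answers with a 403
    fi
}

# Walk both patterns over the same constructed requests ("-" = no referer).
for pat in "$LOOSE" "$STRICT"; do
    echo "pattern: $pat"
    echo "  bot POST, no referer:       $(would_block "$pat" POST /wp-login.php '-')"
    echo "  browser POST, bare domain:  $(would_block "$pat" POST /wp-login.php 'http://example.com/wp-login.php')"
    echo "  browser POST, www host:     $(would_block "$pat" POST /wp-login.php 'http://www.example.com/wp-login.php')"
    echo "  browser POST over https:    $(would_block "$pat" POST /wp-admin 'https://example.com/wp-login.php')"
    echo "  GET is never blocked:       $(would_block "$pat" GET /wp-login.php '-')"
done
```

The loose pattern blocks the bare-domain and https logins, which is the kind of lockout to check for before rolling a referer rule out across every account.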
  11. Dan

    Dan Moderator

    Hi Daniel,

    So this would need to be put into the .htaccess for each domain. Any way we could get it to work in a global .htaccess dropped into the /home directory?
     
  12. KH-Jonathan

    KH-Jonathan Director of Managed Services Staff Member

