Wp-login.php hackers

Dan

Moderator
I don't know about the rest of you but in this last week all of my hosted WordPress sites have been getting attacked by a large botnet in an attempt to compromise the sites. And it's been very widespread as this post on WHT shows.

In trying to deal with it I did a number of different things but finally ended up using this by user Etterack (just slightly modified).

I will summarize here for cPanel users (that's what I'm using, sorry) but I am sure that it won't be too difficult to get working for other control panels.

Edit the pre_virtualhost_global.conf:
Code:
pico /usr/local/apache/conf/includes/pre_virtualhost_global.conf
And add this into it:
Code:
<Files wp-login.php>
AuthType basic
AuthName "Human Check - U: human P: check"
AuthBasicProvider file
AuthUserFile /home/.wpadmin
Require valid-user
</Files>
 
<Location /wp-admin>
AuthType basic
AuthName "Human Check - U: human P: check"
AuthBasicProvider file
AuthUserFile /home/.wpadmin
Require valid-user
</Location>
 
ErrorDocument 401 "Authentication required"

Save and exit:
Code:
ctrl+x y
You will also need to create the password file to be used with it:
Code:
/usr/local/apache/bin/htpasswd -bc /home/.wpadmin human check
Then restart Apache and you will be good to go:
Code:
service httpd restart
What this will do is password protect the wp-login.php file and the wp-admin directory. The login dialog box that comes up will display "Human Check - U: human P: check" right on it so no need to have your users remember another username/pass and it will be serverwide as well so it should be pretty low maintenance.

This should take care of any bot attacks like this and, truth be told, I've actually been dealing with those ever since installing my first Wordpress site not just for this past week.

Hope that helps!

PS: Did you know that you can have a global .htaccess? Just create it in /home (so /home/.htaccess) and it will take effect for all domains hosted! Just a little tidbit I ran across while working on this.
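A defender-side check to go with the above, added here and not Dan's or Etterack's code: it scans Apache combined-format access-log lines for clients that hammer wp-login.php with POSTs and reports the ones that exceed a burst threshold. The log lines, the threshold and the one-minute window are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format: ip - - [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def login_bursts(lines, threshold=5, window=timedelta(minutes=1)):
    """Map each client IP to the largest number of POSTs to wp-login.php it made
    inside any interval of length `window`; only IPs at or above `threshold` are kept."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            hits[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample lines (fictional IPs and timestamps) for a stand-alone run.
def _line(ip, hms, method, path, status, ref="-"):
    return (f'{ip} - - [10/Apr/2013:{hms} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "{ref}" "Mozilla/5.0"')

SAMPLE_LINES = [_line("203.0.113.5", f"03:14:{s:02d}", "POST", "/wp-login.php", 200)
                for s in range(0, 60, 10)]                      # 6 POSTs in 50 seconds
SAMPLE_LINES += [
    _line("198.51.100.7", "03:14:05", "GET", "/wp-login.php", 200),
    _line("198.51.100.7", "03:14:20", "POST", "/wp-login.php", 302, "http://example.com/wp-login.php"),
    _line("198.51.100.7", "03:19:40", "POST", "/wp-login.php", 302, "http://example.com/wp-login.php"),
    "garbage line that should be skipped",
]

if __name__ == "__main__":
    print(login_bursts(SAMPLE_LINES))   # {'203.0.113.5': 6}
```

Point it at a real log with `login_bursts(open("/path/to/access_log"))`; once the basic-auth block above is in place, the same POSTs show up with status 401 and the flagged IPs become candidates for a firewall block.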
 

KH-Jonathan

Director of Managed Services
Staff member
Dan,

Thanks for this detailed post!

We've definitely been fighting this. It's hit a lot of sites on our network pretty hard since yesterday. There are a few modsec rules we've also had pretty good success with and we're working on something else as well and once we perfect it I'll get it posted up for everyone.
 

Dan

Moderator
Ok this is pretty screwy, I have no idea why there are html tags inside my code tags :|
 

Dan

Moderator
Some of it was copied off another webpage obviously but I didn't put any tags in myself at all, no. Matter of fact on this last edit I put it all into a text editor, stripped it out, then pasted it as plain text and yet...there it is.
 

KH-Jonathan

Director of Managed Services
Staff member
Hmm this is weird. Looks like some sort of bug to me. I just cleaned it up, and it put itself right back there. I'll have to look into this.

EDIT: That was weird, I edited it some more and got it straight. Not sure how that happened but I'll have to look into it.
 

Big Dan

New Member
Hmm this is weird. Looks like some sort of bug to me. I just cleaned it up, and it put itself right back there. I'll have to look into this.

EDIT: That was weird, I edited it some more and got it straight. Not sure how that happened but I'll have to look into it.
XF's editor is a little buggy at times.
 

Dan

Moderator
Dan,

Thanks for this detailed post!

We've definitely been fighting this. It's hit a lot of sites on our network pretty hard since yesterday. There are a few modsec rules we've also had pretty good success with and we're working on something else as well and once we perfect it I'll get it posted up for everyone.
Hey Jonathan,

I'm seeing a pretty good amount of attempts on wp-login.php again here. Any chance you can share what you came up with in regards to this and explain what it does?
 

KH-DanielP

KH-COO
Staff member
Dan,

I'm seeing an uptick across the network for attacks as well. It appears they've modified the attack in a way that a lot of the previous block methods don't work. It does appear that this .htaccess mod appears to be helping block some of them.

Code:
<IfModule mod_rewrite.c>
RewriteEngine on
# Only POST requests are checked; GETs to the login page are left alone
RewriteCond %{REQUEST_METHOD} =POST
# Allow the POST when the Referer is this site (http or https); the dot in the
# domain is escaped so it matches literally rather than any character
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?example\.com(/|$) [NC]
# ...and the target is the login page or anything under wp-admin
RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^/wp-admin(/.*)?$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
Just make sure to replace example.com with your domain, it'll lock down and deny direct access without a referrer being sent.
 

Dan

Moderator
Hi Daniel,

So this would need to be put into the .htaccess for each domain. Any way we could get it to work in a global .htaccess dropped into the /home directory?
 