Defending this script has become my biggest nightmare in the last few months. Blacklisting mostly handles the denial of service caused by poorly written bots. I blacklist Amazon, web hosts and many foreign countries without hesitation, not just one IP but their whole allocation.
Fail2ban was able to block some portion of these but isn't very flexible or robust, so it often missed the boat.
I'd been struggling to keep my server load at reasonable levels due to the constant barrage of hits. When the bot writers got more clever about the number of hits per IP per unit of time, these methods quickly failed to stem the tide.
Fortunately the ultimate defense is to require a simple web server password to access wp-login.php. Implementing the following took my server load back to normal overnight.
# This blurb works in a .htaccess file or inside a virtual host section of an Apache config file.
#
# Protect wp-login.php with HTTP Basic authentication
<Files wp-login.php>
    AuthUserFile /home/site_name/.htpasswd
    AuthName "Private access"
    AuthType Basic
    Require valid-user
</Files>
# Create the .htpasswd file named above with Apache's htpasswd utility or your hosting panel's tools.
However, many of the WordPress sites on my box use wp-login.php to handle authentication/authorization for private portions of the sites, so distributing a second password to all of the users didn't make sense. A clever use of mod_rewrite was needed for those sites instead.
WARNING: You might not be happy if you use the rule below without adding an additional exception rule, as all of your own login attempts will just redirect back to the login page.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Only act on POST requests (the form submission), not on the GET that displays the form
    RewriteCond %{REQUEST_METHOD} POST
    # Match the login script itself
    RewriteCond %{REQUEST_URI} ^/wp-login\.php$
    # Bounce the request back to the same URL; the 301 turns the POST into a GET, so the
    # submitted credentials never reach WordPress. "^/?" keeps the rule correct both in
    # .htaccess (no leading slash in the path) and in a virtual host (leading slash present).
    RewriteRule ^/?(.*)$ http://%{SERVER_NAME}/$1 [R=301,L]
</IfModule>
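The warning above says the redirect needs an additional rule so that your own logins still work. The following is an added example (not configuration from the original post) showing two such exceptions layered on the same redirect: one for a trusted source address and one for POSTs that arrive via the site's own login form. The address 203.0.113.10 and the hostname example.com are placeholders to be replaced with your own values.

```apache
# Added example: the wp-login.php POST redirect with the exceptions it needs.
# 203.0.113.10 and example.com are placeholders, not values from the original post.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Only POSTs to the login script are of interest.
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} ^/wp-login\.php$

    # Exception 1: requests from a trusted address pass straight through.
    # RewriteCond lines are ANDed, so the redirect only fires when NONE of the
    # exceptions match.
    RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$

    # Exception 2: a POST submitted from the site's own login form carries a Referer
    # on this host, while a bot posting credentials directly usually sends none.
    # The Referer is client-supplied and can be forged, so treat this as a filter
    # that sheds bulk bot traffic, not as authentication.
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]

    # Everything else is sent back to the same URL as a GET, which re-displays the
    # form; the submitted credentials never reach WordPress.
    RewriteRule ^/?(.*)$ http://%{SERVER_NAME}/$1 [R=301,L]
</IfModule>
```

Drop whichever exception you do not need. If only the address exception is used, anyone logging in from elsewhere is still redirected, which is the Basic-auth-free equivalent of the password gate on the other sites; the Referer exception is what lets ordinary users keep logging in from anywhere while the direct POST floods are shed. Check the site's access log after enabling it: legitimate logins should show a 200 or 302 from WordPress, while bot POSTs to wp-login.php should show the 301 from Apache instead.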