random linux notes

wp-login.php

November 4, 2015

Defending this script has become my biggest nightmare in the last few months. Blacklisting mostly works against denial of service from poorly written bots. I blacklist Amazon, web hosts and many foreign countries without hesitation, not just a single IP but their whole allocation.

Fail2ban was able to block some portion of these, but it isn’t very flexible or robust, so it often missed the boat.

I’d been struggling to keep my server load at reasonable levels under the constant barrage of hits. Once the bot writers got more clever about the number of hits per IP per unit of time, these methods quickly failed to stem the tide.
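To see why a per-IP rule misses a barrage that is spread across many addresses, here is an added example (my own code, not part of the original post) that parses Apache combined-format access log lines and counts POSTs to wp-login.php both per IP and per /24. The /24 is an assumption standing in for the "whole allocation" above (a real allocation would come from whois/RIR data), and the log lines are constructed, not real traffic.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_network

# Apache combined log format: enough fields to recover client IP, timestamp, method, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample: four hosts in one /24 each POST once to wp-login.php (each IP on its own
# looks harmless), plus one regular user who loads the form and then logs in.
SAMPLE_LOG = """\
203.0.113.10 - - [04/Nov/2015:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.11 - - [04/Nov/2015:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.12 - - [04/Nov/2015:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.13 - - [04/Nov/2015:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Nov/2015:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Nov/2015:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def login_posts(log_text, window_seconds=600):
    """Counters of wp-login.php POSTs per IP and per /24, over the last window_seconds of the log
    (the window is measured back from the newest event, not from the wall clock)."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m['method'] != 'POST' or not m['path'].split('?', 1)[0].endswith('/wp-login.php'):
            continue
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        events.append((ts, m['ip']))
    per_ip, per_net = Counter(), Counter()
    if not events:
        return per_ip, per_net
    cutoff = max(ts for ts, _ in events).timestamp() - window_seconds
    for ts, ip in events:
        if ts.timestamp() >= cutoff:
            per_ip[ip] += 1
            # /24 is an assumed stand-in for the source's allocation (strict=False keeps host bits).
            per_net[str(ip_network(ip + '/24', strict=False))] += 1
    return per_ip, per_net

def block_candidates(log_text, ip_limit=3, net_limit=3, window_seconds=600):
    """IPs over ip_limit (what a per-IP fail2ban rule sees) and /24s over net_limit (what it misses)."""
    per_ip, per_net = login_posts(log_text, window_seconds)
    ips = sorted(ip for ip, n in per_ip.items() if n > ip_limit)
    nets = sorted(net for net, n in per_net.items() if n > net_limit)
    return ips, nets

if __name__ == '__main__':
    print(block_candidates(SAMPLE_LOG))  # ([], ['203.0.113.0/24'])
```

On the sample, no single IP crosses the per-IP limit, but the /24 does, which is exactly the case the per-IP tooling lets through.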

Fortunately the ultimate defense is to require a simple webserver password to access wp-login.php. Implementing the following took my server load back to normal overnight.

# This blurb should work in a .htaccess file or in the virtual host section of an Apache
# config file.
#
# Protect wp-login: Apache asks for a Basic-auth password before WordPress ever sees the request.
<Files wp-login.php>
AuthUserFile /home/site_name/.htpasswd
AuthName "Private access"
AuthType Basic
require valid-user
</Files>
# Use htpasswd (or your hosting panel's tools) to create the .htpasswd file named above;
# keep it outside the web root, as the path here is.

However, many of the WordPress sites on my box use wp-login.php to handle authentication/authorization for private portions of the sites, so distributing a second password to all the users didn’t make sense. A clever use of mod_rewrite was needed for those other sites.

WARNING: You might not be happy if you use the below without adding an additional rule, as all your attempts to log in will just redirect back to the login page.

<IfModule mod_rewrite.c>
        RewriteEngine On
        # Match POSTs (login attempts) aimed at wp-login.php ...
        RewriteCond %{REQUEST_METHOD} POST
        RewriteCond %{REQUEST_URI} wp-login\.php
        # ... and redirect them back to the same path as a GET, which just re-displays the form.
        # As written this bounces legitimate logins too (see the warning above); an extra
        # RewriteCond that excludes them is needed before this is usable.
        RewriteRule (.*) http://%{SERVER_NAME}/$1 [R=301,L]
</IfModule>
Tags: .htaccess, .htpasswd, blacklist, fail2ban, mod_rewrite, wordpress, wp-login.php
