Which ways can be used to log in to WordPress?

I’m currently trying to tighten the security for a website which is running on (separate installation, not on wordpress.org / .com). I have installed Wordfence which blocks all IPs which try to use an invalid user name instantly which works quite well (some 200+ blocked IPs / day).

Since our ISP is giving out hostnames like

www-xxx-yyy-zzz.my.isp.tld

and there are no users which need log in besides me I thought I would add some way to further prevent brute-force attacks.

The WP Codex has a section about preventing access to wp-login.php for anyone who’s not submitting the form. In my eyes this should get rid of any scripts which try to brute force their way in like:

www.mydomain.tld/wp-admin.php?log=admin&pwd=alex

Now for anyone submitting the form this wouldn’t work, so I added a part to the top of wp-login.php which would check for the host name and then re-direct if it doesn’t match our ISP:

<?php
// gethostbyaddr() returns the bare IP string when no reverse DNS record exists,
// so a client without a PTR record fails the check and is redirected as well.
$host = gethostbyaddr($_SERVER['REMOTE_ADDR']);
// === is required: a match at offset 0 returns 0, which == false would treat as "not found".
if (strpos($host, 'my.isp.tld') === false) {
    header('Location: http://www.google.com/');
    exit; // stop wp-login.php from continuing to run after the redirect header
}
?>

I checked it and this piece is working fine as well, when I try to access wp-login.php over my mobile it throws me back to Google, additionally I get an e-mail when somebody tries this. So far it’s only been 3-4 login attempts I prevented using this method.

Now from my perspective I’ve taken care of all things, but Wordfence will still send me notifications about blocked log-in attempts.

To see if it helps, I’ve added the following to the file which is in the main WordPress folder, which, to my understanding, should deny all access except when coming from my ISP:

<Files "wp-login.php">
    order deny,allow
    # without this line nothing is denied and the allow rule has no effect
    deny from all
    allow from my.isp.tld
</Files>

Still the e-mails come flying in. Now the question is:

Is there any other way to call wp-login.php in order to try to login which I haven’t thought of? It seems that there are still ways which can be used which are not part of the scenarios mentioned above.

Any ideas, comments etc. are greatly appreciated.

So long


1 comment

  1. You could password protect the wp-admin directory and/or wp-login.php with htaccess:

    https://codex.wordpress.org/Brute_Force_Attacks#Password_Protect_wp-login.php

    Doing this would require two levels of login–once at a server-level via popup, and again at the WordPress level.

    We generally only password protect the wp-admin, but this still leaves wp-login.php accessible for attempts (though even if someone is able to login to WordPress, they still won’t be able to access anything within the wp-admin directory without logging in there). In other words, you’ll probably be safe, but you’ll still see the attempts being made.

    There are also lots of other useful things you can do to harden WP, detailed here:

    http://codex.wordpress.org/Hardening_WordPress

    Some are easy to do on an existing install, and some require a bit more work. But I feel that password protecting wp-admin/wp-login.php is probably the easiest thing you could do that would give you the best results.
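As an added illustration of the comment’s suggestion (this fragment is not from the original post, the comment, or the Codex), the following .htaccess snippet puts HTTP Basic authentication in front of wp-login.php and, going one step further than the comment, uses Satisfy Any so that clients matching the question’s ISP hostname rule are let through without the password prompt while everyone else must authenticate. The .htpasswd path, the user name and the ISP domain are placeholders.

```apache
# Example .htaccess fragment in Apache 2.2 syntax, matching the
# order/allow/deny directives already used in the question.
# Create the password file first, outside the web root, for example:
#   htpasswd -c /path/outside/webroot/.htpasswd yourname
<Files "wp-login.php">
    # Server-level login: the browser shows a password popup before
    # WordPress ever sees the request, so scripted POSTs get a 401.
    AuthType Basic
    AuthName "Restricted login"
    # placeholder path; keep the file outside the document root
    AuthUserFile /path/outside/webroot/.htpasswd
    Require valid-user

    # Host rule from the question, with the missing "deny from all".
    # Apache does a double-reverse DNS lookup for hostname matches.
    order deny,allow
    deny from all
    allow from my.isp.tld

    # Satisfy Any: pass if the host rule matches OR the user authenticates.
    # The default (Satisfy All) would require both.
    Satisfy Any
</Files>
```

With Satisfy All instead, the ISP hostname check and the password would both be required, which is closer to the comment’s two-level login.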
