Lately this blog has been targeted by many attackers, with attacks ranging from brute force to DDoS. Although I couldn't do much about the DDoS (the hosting provider takes care of that), I was able to mitigate the brute-force attacks against my WordPress install. I've been using this trick for a while and it keeps the bad guys away from the sensitive wp pages.

First let me share a snippet from my logs. (I know you love these 😛 )

Yep, that is 4,167 attempts to get through the wp-login.php form. Fortunately I knew this was coming, so right after installation I created a filter in Apache .htaccess that rejects every connection to wp-login.php and wp-admin/ except those coming from my own IP address.

If these attacks came from a single IP, they could easily be stopped by blocking that one address with iptables -A INPUT -s #that-IP-addr# -j DROP. Unfortunately that is not the case here: the attempts are spread over many source addresses, so there is no single IP to drop.
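The log snippet the post refers to is not reproduced here, so the following is an added example (not the post's own code) that does the triage described above on constructed Apache "combined" log lines: it counts failed password submissions to wp-login.php per source IP and decides whether a single iptables DROP would be enough or whether the attempts are distributed. It assumes the WordPress behaviour that a failed login POST re-renders the form with status 200 while a successful one redirects with 302, and the 90% single-source threshold is an arbitrary assumption.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format (not real traffic;
# addresses are from the RFC 5737 documentation ranges).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2013:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2013:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2013:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Oct/2013:13:55:39 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2013:13:55:40 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2013:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2013:13:55:42 +0000] "GET /index.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

# Enough of the combined format to pull out client IP, method, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def failed_logins_by_ip(log_text):
    """Count failed password submissions to wp-login.php per source IP.

    A failed attempt is a POST to /wp-login.php answered with 200 (the form is
    re-rendered with an error). A 302 is a successful login and is not counted.
    Query strings (e.g. ?redirect_to=...) are ignored when matching the path.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # blank or malformed line
        path = m.group("path").split("?", 1)[0]
        if m.group("method") == "POST" and path == "/wp-login.php" and m.group("status") == "200":
            counts[m.group("ip")] += 1
    return counts


def classify(counts, single_source_share=0.9):
    """'single' if one IP produced at least `single_source_share` of all failed
    attempts (a per-IP iptables DROP would do), 'distributed' otherwise (use
    the .htaccess allow-list instead), 'none' if there were no failed attempts."""
    total = sum(counts.values())
    if total == 0:
        return "none"
    _top_ip, top_n = counts.most_common(1)[0]
    return "single" if top_n / total >= single_source_share else "distributed"


if __name__ == "__main__":
    by_ip = failed_logins_by_ip(SAMPLE_LOG)
    for ip, n in by_ip.most_common():
        print(f"{n:6d}  {ip}")
    print("verdict:", classify(by_ip))
```

Run it against a real access log with `failed_logins_by_ip(open("access.log").read())`; a "distributed" verdict is exactly the situation in which blocking single addresses stops being practical.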

The best way, I think, is to protect both the file and the folder with .htaccess rules as follows:

at root / folder I have:
<Files "wp-login.php">
order deny,allow
deny from all
allow from ##.##.##.##
# ##.##.##.## is your IP address obviously.. (Apache comments must be on their own line, not after a directive)
</Files>

then at wp-admin/ folder I have:
order deny,allow
deny from all
allow from ##.##.##.##
# ##.##.##.## is your IP address obviously..
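The rules above use the Apache 2.2 Order/Deny/Allow directives, which on Apache 2.4 only work through mod_access_compat. The following is an added example, not the post's own configuration, written in the 2.4 Require syntax; it assumes the allowed address is 203.0.113.7 and that the site needs wp-admin/admin-ajax.php reachable by anonymous visitors, which is the case for many themes and plugins that call it from the front end and would otherwise break behind a blanket deny on wp-admin/.

```apache
# /.htaccess (site root) -- Apache 2.4 syntax, needs AllowOverride AuthConfig
<Files "wp-login.php">
    Require ip 203.0.113.7
</Files>

# /wp-admin/.htaccess
# Everything under wp-admin/ is restricted to the allowed address ...
Require ip 203.0.113.7

# ... except admin-ajax.php, which WordPress front-end code calls on behalf
# of logged-out visitors; the <Files> section overrides the directory rule.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

To check the rules, request wp-login.php and wp-admin/ from an address that is not on the list (curl -sI against each URL) and confirm a 403; from the listed address both should still return the normal page or redirect. If your own address is dynamic, keep a second way in (SSH to edit the file) or you will lock yourself out when it changes.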

Why does this work, I hear you asking?
For a brute-force attempt to succeed the attacker needs a fully established TCP connection (a completed three-way handshake) before the server accepts any HTTP request, so the source address cannot be spoofed: the SYN-ACK would go to the spoofed address and the handshake would never complete, let alone the login request or its reply. The allow rule therefore really does pin access to the listed address.
This keeps all the bots and opportunistic attackers away, facing a 403 page (install an exploit on it? or track them? 😉 ). One caveat: the rules only cover the two paths listed, so credentials can still be tried against other entry points such as xmlrpc.php unless those are restricted as well.
