WordPress Security Help!

wohel Member

Hi, recently I saw a person trying to brute-force a login into my WordPress site, but without any luck. I have already set up Wordfence and am blocking his IP range (although he uses a VPN to attack from different locations). I have 2FA and Cloudflare DDoS protection. I also turned off XML-RPC authentication because he tried to log in with that. Now he is using Semrush, Googlebot and Bingbot to crawl my site. Can someone please guide me on whether this is enough, or what else I can do to make it more secure? Also, is there a way to block those bots? I am confused about what he is trying to do by crawling when I have password-protected my whole site (I did this not out of fear of him but because my site is under development and I do not want any traffic right now). The links he visits are strange, like mysite/vu5p2/etc.html and also mysite/wp-cron?doing_wp_cron=12345.
Any suggestion will be appreciated.
Regards.


Comments

  • Levi Member

    Fail2ban. Limit access to admin from IP. If the attack is targeted, nothing will help except going offline.

    Thanked by wohel
  • Sucuri

    Thanked by wohel
  • wohel Member
    edited May 2020

    @LTniger said:
    Fail2ban. Limit access to admin from IP. If the attack is targeted, nothing will help except going offline.

    Thanks for your reply! But is Fail2ban not only for SSH? How can I configure it for WordPress?
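Fail2ban is not tied to SSH: a jail is a filter regex applied to a log file plus a ban action, so it can watch the web server's access log for login attempts just as well as auth.log. The following is an added example, not something any poster in this thread provided. It writes a WordPress login filter and jail (the target directory, the LiteSpeed access-log path and the thresholds are assumptions to adjust) and then runs the same pattern over a constructed access-log sample to show which address the jail would ban. WordPress answers a failed login with HTTP 200 (it re-renders the form), so the status code cannot separate success from failure; counting POSTs to wp-login.php and xmlrpc.php is the usual approach, and a real user logging in once stays far below maxretry.

```shell
#!/bin/sh
# Added example (not from the thread): a fail2ban filter + jail for WordPress
# login brute force, plus a shell check that runs the same pattern over
# constructed access-log lines. Paths under $FB_ROOT are assumptions; on a
# real host use /etc/fail2ban.
set -eu

FB_ROOT="${FB_ROOT:-$(mktemp -d)}"
mkdir -p "$FB_ROOT/filter.d" "$FB_ROOT/jail.d"

# Filter: any POST to wp-login.php or xmlrpc.php counts as one failure.
cat > "$FB_ROOT/filter.d/wordpress-login.conf" <<'EOF'
[Definition]
failregex = ^<HOST> .* "POST /(wp-login\.php|xmlrpc\.php)(\?.*)? HTTP/[0-9.]+" \d+
ignoreregex =
EOF

# Jail: 5 POSTs within 10 minutes from one address -> 24h ban.
# logpath is an assumption; point it at the vhost's access log.
cat > "$FB_ROOT/jail.d/wordpress.conf" <<'EOF'
[wordpress-login]
enabled  = true
port     = http,https
filter   = wordpress-login
logpath  = /usr/local/lsws/logs/access.log
findtime = 600
maxretry = 5
bantime  = 86400
EOF

# The same pattern in grep -E form (fail2ban's <HOST> replaced by an address
# class). Prints "ip count" for every address at or above maxretry.
wp_login_offenders() {   # usage: wp_login_offenders <logfile> <maxretry>
  grep -E '^[0-9a-fA-F.:]+ .* "POST /(wp-login\.php|xmlrpc\.php)(\?[^"]*)? HTTP/[0-9.]+" [0-9]+' "$1" \
    | awk -v max="$2" '{ n[$1]++ } END { for (ip in n) if (n[ip] >= max) print ip, n[ip] }' \
    | sort
}

# Constructed sample in combined log format; not real traffic.
SAMPLE="$FB_ROOT/access.log"
cat > "$SAMPLE" <<'EOF'
203.0.113.9 - - [20/May/2020:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3541 "-" "Mozilla/5.0"
203.0.113.9 - - [20/May/2020:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3541 "-" "Mozilla/5.0"
203.0.113.9 - - [20/May/2020:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "Mozilla/5.0"
203.0.113.9 - - [20/May/2020:10:00:04 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3541 "-" "Mozilla/5.0"
203.0.113.9 - - [20/May/2020:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3541 "-" "Mozilla/5.0"
198.51.100.4 - - [20/May/2020:10:00:06 +0000] "GET /wp-login.php HTTP/1.1" 200 3541 "-" "Mozilla/5.0"
198.51.100.4 - - [20/May/2020:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF

wp_login_offenders "$SAMPLE" 5
```

Before enabling the jail, run `fail2ban-regex /path/to/access.log /etc/fail2ban/filter.d/wordpress-login.conf` to confirm the regex matches your server's actual log format; a custom format that puts the client address elsewhere needs the filter adjusted. Two caveats for this thread's setup: with Cloudflare in front, the address in the log is a Cloudflare edge address unless the server is configured to log the proxied client address, so banning it would block the proxy rather than the attacker; and fail2ban bans by adding firewall rules, so it does nothing useful unless the server-level firewall (iptables/nftables, or CSF as mentioned below) is the one it is configured to drive.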

  • LeonDynamic Member
    edited May 2020

    Is it your server or are you using shared hosting?

  • rcy026 Member

    If the site is not public and you don't want any traffic, simply block everything but your own IP or run the webserver on a non-standard port.

  • Ninja Firewall: disable REST API, XML-RPC, PHP upload in media folder; limit login; captcha login on wp-login.

  • wohel Member

    @LeonDynamic said:
    Is it your server or are you using shared hosting?

    My own DO Ubuntu 18.04 Droplet.

  • wohel Member

    @webclouddev said:
    Ninja Firewall: disable REST API, XML-RPC, PHP upload in media folder; limit login; captcha login on wp-login.

    I am currently using Wordfence and up till now I am satisfied with it, as the logs show. I might try Sucuri as it has a good fan base.

  • wohel Member

    @rcy026 said:
    If the site is not public and you don't want any traffic, simply block everything but your own IP or run the webserver on a non-standard port.

    I use LiteSpeed Enterprise, and for the long term I also wanted to password-protect my wp-admin page, but I tried too many solutions from Google and they only work for Apache. If you could help me with that... Also, I have a dynamic IP, so I cannot use the method you provided. :)

  • @wohel Do you use any kind of firewall at the server level, such as CSF? It's better to block at the server level than using Wordfence.

    You can limit access to wp-admin using .htaccess rules. Add this (change the IP 123.123.123.121) to the .htaccess at root level. A dynamic IP is fine, but you will need to change the rule when the IP address changes. Alternatively, set up a VPN and only use that IP to access wp-admin.

    # BLOCK WP-ADMIN ACCESS
    RewriteEngine on
    # match the login form, or wp-admin with or without anything after it
    RewriteCond %{REQUEST_URI} /wp-login\.php [OR]
    RewriteCond %{REQUEST_URI} /wp-admin(/|$)
    # addresses allowed through (dots escaped so "." is not a wildcard)
    RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.121$
    RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.122$
    RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
    # "-" means no substitution; R=403 answers Forbidden
    RewriteRule ^ - [R=403,L]

    Anyone who tries to access wp-login.php or wp-admin will be served a 403 error page.

    Thanked by wohel
  • wohel Member

    I only have DO Web Firewall setup.

  • wohel Member

    @LeonDynamic said:
    @wohel Do you use any kind of firewall at the server level, such as CSF? It's better to block at the server level than using Wordfence.

    You can limit access to wp-admin using .htaccess rules. [.htaccess rules quoted above]

    As far as I can remember I tried it and it did not work. Anyway, thanks! I will surely check that again if I am lucky.

  • AK_KWH Member, Patron Provider

    Hide the WP login page (change the URL).
    Add Cloudflare and enable DDoS protection :) (bots)

  • wohel Member
    edited May 2020

    @AK_KWH said:
    Hide the WP login page (change the URL).
    Add Cloudflare and enable DDoS protection :) (bots)

    Tried to hide it, but I don't know why it broke my site, so I reverted back.

  • @wohel said:
    As far as I can remember I tried it and it did not work. Anyway, thanks! I will surely check that again if I am lucky.

    It does work, give it a go. I use it myself on LiteSpeed, OpenLiteSpeed and Apache.

  • AK_KWH Member, Patron Provider

    @wohel said:
    Tried to hide it, but I don't know why it broke my site, so I reverted back.

    Have you tried to clear the cache of the website?

  • wohel Member
    edited May 2020

    @AK_KWH said:
    Have you tried to clear the cache of the website?

    Yup! I used a plugin to change the address.

  • wohel Member

    @LeonDynamic said:
    It does work, give it a go. I use it myself on LiteSpeed, OpenLiteSpeed and Apache.

    Hey, thanks! It works now. :)

    Thanked by LeonDynamic
  • wohel Member

    @LeonDynamic Hi, sorry for the late reply. I have just found out that this configuration also shows a 403 error to the IP I added :( . I also restarted LiteSpeed. What could be the reason behind it?

  • It's usually best practice for WordPress to lock wp-login.php and /wp-admin behind an IP whitelist. On Apache/(Open)LiteSpeed you can do this with an .htaccess file, and for Nginx you can do it in the config file.

  • @wohel Are you sure the IPv4 address is correct? And are you using IPv6? If so, add that address as well. The .htaccess rule should work out of the box.
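One cause of exactly that symptom that nobody in the thread raises: the opening post says the site sits behind Cloudflare. Cloudflare is a reverse proxy, so at the origin REMOTE_ADDR is a Cloudflare edge address for every request, the owner's included, and an allowlist keyed on REMOTE_ADDR serves 403 to everyone. The visitor's real address arrives in the CF-Connecting-IP request header. Below is an added example, not LeonDynamic's rules, that rewrites the allowlist against that header, together with a small shell function that models the decision so it can be checked without a web server. The docroot, the allowlisted addresses (203.0.113.x, a documentation range) and the stand-in Cloudflare prefix are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): wp-admin allowlist for an origin that
# is proxied by Cloudflare. Placeholders: DOCROOT, the two allowlisted
# addresses, and CF_RANGE, which stands in for Cloudflare's published ranges.
set -eu

DOCROOT="${DOCROOT:-$(mktemp -d)}"

cat > "$DOCROOT/.htaccess" <<'EOF'
# BLOCK WP-ADMIN ACCESS (origin proxied by Cloudflare)
RewriteEngine on
# the login form, or anything under wp-admin
RewriteCond %{REQUEST_URI} /wp-login\.php [OR]
RewriteCond %{REQUEST_URI} /wp-admin(/|$)
# admin-ajax.php is called by front-end plugins; leave it reachable
RewriteCond %{REQUEST_URI} !/wp-admin/admin-ajax\.php
# compare the proxied visitor's address, not the proxy's (REMOTE_ADDR);
# a request without the header (a direct hit on the origin) is also refused
RewriteCond %{HTTP:CF-Connecting-IP} !^203\.0\.113\.10$
RewriteCond %{HTTP:CF-Connecting-IP} !^203\.0\.113\.11$
RewriteRule ^ - [R=403,L]
EOF

# The decision the rule encodes, as shell so it can be exercised here. The
# header is believed only when the TCP peer is a Cloudflare edge; for any
# other peer the firewall is expected to drop the connection, so a forged
# CF-Connecting-IP on a direct connection gains nothing.
CF_RANGE="198.51.100."              # stand-in prefix, not a real Cloudflare range
ALLOWED="203.0.113.10 203.0.113.11"

# effective_client_ip <REMOTE_ADDR> <CF-Connecting-IP header or "">
# Prints the address the allowlist is checked against, or nothing when the
# peer is not a Cloudflare edge.
effective_client_ip() {
  case $1 in
    "$CF_RANGE"*) echo "$2" ;;
    *)            : ;;
  esac
}

# admin_allowed <REMOTE_ADDR> <CF-Connecting-IP header or ""> -> allow | deny
admin_allowed() {
  ip=$(effective_client_ip "$1" "$2")
  for a in $ALLOWED; do
    if [ -n "$ip" ] && [ "$ip" = "$a" ]; then echo allow; return 0; fi
  done
  echo deny
  return 1
}

admin_allowed 198.51.100.7 203.0.113.10    # owner arriving through Cloudflare: allow
```

The header is only trustworthy when the connection really came from Cloudflare; anyone who can reach the origin directly can send `CF-Connecting-IP: 203.0.113.10` and walk past the rule. So pair it with a server-level firewall (the DO firewall or CSF mentioned above) that only admits ports 80 and 443 from Cloudflare's published ranges, https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6. The alternative is to let the server restore the client address itself: LiteSpeed has a "Use Client IP in Header" server setting for this, and with it limited to trusted proxy addresses the original REMOTE_ADDR-based rule works unchanged (check the current LiteSpeed documentation for the option's exact name and placement; that detail is from memory, not from this thread).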

  • Jarry Member

    I'd let it be, just monitoring, but pretending I know nothing about it. If you have 2FA or strong passwords and a properly secured/updated site, you are safe. Let him play this brute-force game he cannot win. I'd only activate progressive rate-limiting for login/password so it does not cause problems for regular users.

    If you start taking active defensive countermeasures (like null-routing his botnet's IPs on your interface), he might notice it and DDoS your site (much easier to do than brute-forcing login/password). Then you'd have a really big problem...

  • imok Member

    You are describing the most usual attacks targeting WordPress. Are you sure this is a single person?

    For me, every day CSF is blocking requests and IPs because of this.

    wohel said: Now he is using Semrush, Googlebot and Bingbot to crawl my site

    Are you sure this is not legitimate traffic?

    Anyway, Wordfence would do a great job. Just be careful with the CPU usage.
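Whether those "Googlebot" and "Bingbot" hits are the real crawlers or someone sending their User-Agent string can be settled rather than guessed. Google and Microsoft both document the same check: reverse-resolve the client address, require the PTR name to end in one of the crawler's domains (googlebot.com or google.com for Googlebot, search.msn.com for Bingbot), then forward-resolve that name and require it to point back at the same address. The following is an added example, not something a poster wrote; it wraps that check in a shell function over the `host` utility, with the two DNS lookups split out into their own functions so the logic can also be exercised with canned answers.

```shell
#!/bin/sh
# Added example, not from the thread: verify a self-declared Googlebot/Bingbot
# by reverse DNS plus forward confirmation, the method both Google and
# Microsoft document. A User-Agent string proves nothing on its own.
set -eu

# Resolver hooks, wrapped so they can be replaced with canned answers. On a
# real host both use the `host` utility.
rdns() {   # ip -> PTR name without the trailing dot, or nothing
  host "$1" 2>/dev/null | awk '/domain name pointer/ { sub(/\.$/, "", $NF); print $NF; exit }'
}
fdns() {   # name -> first A record, or nothing
  host "$1" 2>/dev/null | awk '/has address/ { print $NF; exit }'
}

# verify_crawler <ip> <googlebot|bingbot> -> prints genuine (exit 0) or fake (exit 1)
verify_crawler() {
  ip=$1
  case $2 in
    googlebot) suffixes="googlebot.com google.com" ;;
    bingbot)   suffixes="search.msn.com" ;;
    *) echo "unknown crawler family: $2" >&2; return 2 ;;
  esac
  name=$(rdns "$ip")
  if [ -z "$name" ]; then echo fake; return 1; fi   # no PTR record at all
  ok=0
  for s in $suffixes; do
    case $name in *."$s") ok=1 ;; esac
  done
  if [ "$ok" != 1 ]; then echo fake; return 1; fi    # PTR outside the crawler's domains
  # Forward confirmation: the PTR name must resolve back to the same address.
  # Without it, whoever controls reverse DNS for a range could pick any name.
  if [ "$(fdns "$name")" != "$ip" ]; then echo fake; return 1; fi
  echo genuine
}

# usage: sh verify_crawler.sh <ip> googlebot   (or bingbot)
if [ $# -eq 2 ]; then verify_crawler "$1" "$2"; fi
```

Run it against the addresses behind the suspicious "Googlebot" entries in the access log; a genuine result means the visits are the search engine's own crawler (and the site's robots.txt, or a 401 on a password-protected site, is what governs them), while a fake result means someone is spoofing the User-Agent and the address can be treated like any other attacker's. As with the fail2ban example above, the address has to be the real client address: behind Cloudflare that is CF-Connecting-IP, not REMOTE_ADDR.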

  • wohel Member

    @LeonDynamic said:
    @wohel Are you sure the IPv4 address is correct? And are you using IPv6? If so, add that address as well. The .htaccess rule should work out of the box.

    Yup! I checked my public IPv4 from Google and I do not have IPv6.

  • wohel Member
    edited May 2020

    @imok said:
    You are describing the most usual attacks targeting WordPress. Are you sure this is a single person?

    For me, every day CSF is blocking requests and IPs because of this.

    wohel said: Now he is using Semrush, Googlebot and Bingbot to crawl my site

    Are you sure this is not legitimate traffic?

    Anyway, Wordfence would do a great job. Just be careful with the CPU usage.

    If it is legitimate, why would someone try to guess passwords or crawl my site? I am not sure if it is a single person, but I am sure that it could be 2 people max, as he uses his Nexus phone or Ubuntu PC, but the IP changes as if he uses a VPN.

  • imok Member
    edited May 2020

    When I said legitimate traffic I was talking about Semrush, Bingbot and Googlebot. You can control these crawlers using robots.txt; you will find an option to throttle them in Wordfence too.

    I'm trying to say that brute-forcing xmlrpc and wp-login, trying to find common patterns in URLs (like admin.php, test.php, etc.) and MySQL injections are common attacks on WordPress sites globally. If there is no reason, don't feel this attack is personal.

    You will be facing this issue every single day.

  • imok said: You can control these crawlers using robots.txt

    Good luck with that! :|

  • imok Member
    edited May 2020

    @AlwaysSkint said:

    imok said: You can control these crawlers using robots.txt

    Good luck with that! :|

    At least the big names do a good job.

    Bingbot was using too much CPU for me and changing robots.txt helped a lot. The other ones (mostly unknown) got throttled using Wordfence.

  • jonatha Member

    To strengthen security, the 7G Firewall is good too.
