How to Stop WordPress admin brute-force attacks?
hivalidity
Member
in Help
I have changed WordPress admin URL, disabled XMLRPC, enabled CAPTCHA for admin locations.
But still getting WordPress admin brute-force attacks notifications via email.
How are you dealing with this?
Comments
https://de.wordpress.org/plugins/limit-login-attempts-reloaded/
first plugin i install on any new wordpress site. then turn off notifications and problem solved.
a captcha is annoying for legitimate users IMHO.
Delete WordPress.
Assuming this isn't some form of root level attack and you are certain your shared environment is solid. Try WP Defender https://wpmudev.com/project/wp-defender/ with Stop Spammers https://wordpress.org/plugins/stop-spammer-registrations-plugin/ (block out countries where most of the attacks are coming from).
You can also try something like Cloudflare, but might be an overkill for this particular type of attack.
You can't stop the brute force attacks. You might be able to block access to /wp-admin/ and wp-login.php with .htaccess or nginx rule and / or limit it only to a certain IP address.
Rename wp-login if you are the only user and save the link as a bookmark, it stopped the attacks immediately when no bots knew where to log in.
If you're the only one accessing WP Admin, just put the URL behind Cloudflare Gateway Access if you use Cloudflare https://www.cloudflare.com/teams/access/. If there's a group of admins, you can still set up CF Gateway Access, just more whitelisted users for other admins etc.
First question you should ask is if you need one more plug-in? Many times the answer is no.
My suggestion is to use fail2ban combined with whatever web server you use.
Example:
https://osric.com/chris/accidental-developer/2019/07/block-wordpress-scanners-fail2ban/
https://www.digitalocean.com/community/questions/how-to-secure-wordpress-without-a-security-plugin
Some good tips in here instead of generic fluff.
Also: block "admin" or "administrator" or similar accounts.
Create an admin account with a unique ID. Another one for author with editor access.
fail2ban can limit (and block) invalid login attempts.
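As an added illustration of what a fail2ban WordPress jail actually matches (this is example code, not from the thread or from the fail2ban project), the script below runs the same check over a few constructed access-log lines: it counts POSTs to wp-login.php per client IP that got a 200 back (WordPress re-renders the login form on a failed attempt, whereas a successful login is a 302 redirect) and prints the IPs at or above a threshold. The log lines and IP addresses are constructed samples from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example: the per-IP failed-login count a fail2ban filter would
# derive from a combined-format web server access log.

# Constructed sample log (not real traffic). Fields follow the combined
# log format: ip - - [date] "METHOD PATH PROTO" status bytes "ref" "ua"
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [10/Mar/2023:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2023:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2023:12:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 3011 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2023:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2023:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2023:12:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2023:12:00:07 +0000] "POST /xmlrpc.php HTTP/1.1" 403 0 "-" "python-requests/2.28"
EOF

# wp_login_offenders LOGFILE THRESHOLD
# Prints, one per line and sorted, every client IP whose number of
# failed login POSTs (POST /wp-login.php answered with HTTP 200) is at
# least THRESHOLD. A 302 after the POST is a successful login and is
# not counted; GETs just fetch the form and are not counted either.
wp_login_offenders() {
    awk -v limit="$2" '
        $6 == "\"POST" && index($7, "/wp-login.php") == 1 && $9 == "200" {
            fails[$1]++
        }
        END {
            for (ip in fails)
                if (fails[ip] >= limit) print ip
        }
    ' "$1" | sort
}

# With a threshold of 3, only 203.0.113.5 is reported; 198.51.100.7 has
# one failure followed by a successful login and stays below it.
wp_login_offenders "$SAMPLE_LOG" 3
```

fail2ban's own filter does the matching with a failregex and handles the time window and ban action for you; this script only shows which requests count as a failure.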
Dude, this. So much.
We're moving to BashBlog: https://github.com/cfenollosa/bashblog
I tried the hipster shit like Hugo and Jekyll. But why go through all that hassle when you can just do it via bash on a software stack that isn't stupidly heavy? No php, no DB, no ruby, python, rust, Symfony, 4GB of ram needed to compile a change to a template file, etc, etc, etc.
It's bash. It makes html pages. It's great. We'll have a fork available soon since we're doing some thangs with it.
Use .htaccess and limit it to your IP
Use cloudflare firewall and simply block access to wp-admin, xmlrpc and wp-login URL.
You can whitelist your home broadband IP if it is static one or just login to CF and disable firewall rules. Once you are done updating your site, you can enable it.
No need to use wp plugins.
Dude, this is the most hipster shit ever. Empirically.
The fundamental value proposition for this script fails because its premise is flawed. I imagine one of the claims is "you don't have to install anything to use it". Well, both perl and python are part of the LSB and they're both on your Linux system. So why not write a light-weight SSG in perl or python? Both are better suited for the job.
Answer: author wants to be a hipster.
Saying "it's bash" is slightly disingenuous because "it's bash" but bash is never just bash. Some of the heavy lifting is done by awk, sed, etc. I know a lot of people think of awk and sed as "just utilities" but awk is a full-featured programming language and quite a few people (including yours truly) wrote entire applications in awk before there were better alternatives.
Doing any complex string processing (or really anything complex) in bash is usually a mistake. I used to write a lot of stuff like this...back in the early 90s. Then perl and python came along and made life so much better. I still write bash when it's appropriate but fortunately that is rare as doing this kind of complex document generation in bash feels like having a hand tied behind one's back. Of course, one can do an SSG in bash...the question is why would one want to? Why not fortran or COBOL?
But hey, party on - I can appreciate the wackiness of it. Or as some might say, the hipster shittery of it.
If you are modifying it, I would note:
You could certainly make this valid case. However,
</ @jsg mode>