Protecting yourself against Wordpress hackers
I'm sure most of you know about the recent Wordpress hacks.
I found a few lists and collated .htaccess content. Hope it helps someone - just copy/paste into your .htaccess if you use Apache or otherwise adapt for Nginx etc.
No guarantees this'll help etc., but hopefully it'll reduce the chances.
Comments
Nice. Cloudflare also seems pretty confident in their ability to deflect a good percentage of it. I've given them the opportunity to impress me.
Try this :
http://www.ilmuserver.com/knowledgebase.php?article=4
Well, it's in Indonesian there, but the .htaccess is written clearly.
Do you mean hackers by bruteforcing passwords and so?
Or do you mean by vulnerabilities?
And TBH I am not informed about those hacks :S
I mean bruteforcing.
They are attacking a single user name "admin", so remove admin in mysql after making a backup.
Not what I heard.
"There is currently a significant attack being launched at a large number of WordPress blogs across the Internet. The attacker is brute force attacking the WordPress administrative portals, using the username "admin" and trying thousands of passwords."
as per: http://blog.cloudflare.com/
Good way to protect it with NGINX (credits to whoever did this, I don't have the source anymore):
```nginx
# Drop connections (444 = close without response) for anything but GET/HEAD/POST
if ( $request_method !~ ^(GET|HEAD|POST)$ ) {
    return 444;
}

# Hide dotfiles (e.g. .htaccess, .git), wp-config.php and the readme files.
# The dots are escaped: an unescaped "." matches any character and would
# close every connection to the site.
location ~ /(\.|wp-config\.php|liesmich\.html|readme\.html) {
    return 444;
}

# Redirect numeric permalinks like /123/ to the canonical ?p=123
location ~ ^/(\d+)/$ {
    return 301 /?p=$1;
}

# Put HTTP basic auth in front of the login page, then pass it to PHP-FPM
location = /wp-login.php {
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/htpasswd;
    include fastcgi_params;
    fastcgi_index index.php;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
}
```
Just block all access to wp-admin - problem solved.
That's like not sailing in a storm. Where's your sense of adventure!?
I saw a list of usernames/passwords earlier and they weren't all admin. Possibly multiple groups trying...
There needs to be some access control - you can't just block it completely. If you don't have a static IP, it's a useful list.
http://bit51.com/software/better-wp-security/
Suppose this is considered cheating or lazy.
Anyone put up a small WordPress install on a VPS with admin/pass as the setup and see what they are changing?
@jhadley - I have found it much more convenient to simply add an additional layer of protection using a .htpasswd file. Of course, we're using Nginx so we could call that file anything. I'd recommend the same for you since it's easier than keeping track and adding new IP addresses to that list.
Try this free service by IP2Location perhaps?
http://www.ip2location.com/free/visitor-blocker
Sadly it is a botnet, so they are located everywhere, meaning there would still be some applicable terminals hitting it.
Is there a way in wordpress to only allow login using OpenID?
Still a quite useful list of IPs, if you decide a certain country poses a greater risk.
I go the opposite route and whitelist instead.
Much easier (at least for me, since I have a static IP, and so does the person I work with).
I've had good luck with the Wordfence Security plugin --
http://wordpress.org/extend/plugins/wordfence/
I have it temporarily block any IP that has multiple login failures. YMMV
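The "block after multiple login failures" idea from the post above, done by hand over the web server log instead of with a plugin. This is an added example, not Wordfence's code or anything from the thread: it assumes nginx's default "combined" log format and uses the heuristic that a POST to wp-login.php answered with 200 is a failed login (WordPress re-renders the form), while a successful one redirects with 302. The log lines are constructed sample data.

```shell
# Added example: count failed POSTs to wp-login.php per client IP in an
# nginx "combined" access log and list the IPs above a threshold.

# Constructed sample log lines (not real traffic). 203.0.113.10 fails four
# times, 192.0.2.55 twice, 198.51.100.7 logs in successfully (302).
SAMPLE_LOG='203.0.113.10 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Apr/2013:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Apr/2013:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Apr/2013:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 5678 "-" "Mozilla/5.0"'

# login_failures: read log text on stdin, print "count ip" for every client
# whose POST to wp-login.php got a 200 (form re-rendered = bad password),
# highest count first. Field 6 is the quoted method, 7 the path, 9 the status.
login_failures() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# offenders THRESHOLD: only the IPs with at least THRESHOLD failures, one per line.
# Feed this to whatever block mechanism you use (firewall, deny list, ...).
offenders() {
    login_failures | awk -v t="$1" '$1 >= t { print $2 }'
}

# sample_offenders THRESHOLD: run the check over the embedded sample.
sample_offenders() {
    printf '%s\n' "$SAMPLE_LOG" | offenders "$1"
}

# Real use: offenders 5 < /var/log/nginx/access.log
sample_offenders 3
```

Note that a login that succeeds on the first try also shows up as one 302, so a low threshold like 1 would catch legitimate users; pick the threshold with that in mind, and remember a distributed botnet (as discussed later in the thread) spreads attempts across many IPs that may each stay under it.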
+1 for wordfence
One way is to enable HTTP auth on admin.php through .htaccess or the nginx host file.
We also set up this daily cron job that blocks spam IPs on our proxy gateway.
http://bash.cyberciti.biz/web-server/nginx-shell-script-to-block-spamhaus-lasso-drop-spam-ip-address/
@jhadley - would you think it would be beneficial to blacklist these IP's via iptables as well?
@twain blacklisting thousands of IPs via iptables is a good way to make your server very slow.
Better use `ip route add blackhole x.x.x.x`
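A way to feed a blocklist into blackhole routes, as suggested above. This is an added example and not rds100's script (which did not survive the forum formatting); it runs as a dry run, printing the `ip route add blackhole` commands for review instead of executing them, so it needs no root and you can check the list before applying it. The blocklist text is constructed and includes some junk entries to show the validation.

```shell
# Added example: turn a blocklist (one IPv4 or CIDR per line) into
# "ip route add blackhole" commands, dropping comments, duplicates and
# malformed entries. Dry run: prints commands rather than running them.

# Constructed sample list, not a real feed.
SAMPLE_LIST='# constructed sample, not a real feed
203.0.113.10
203.0.113.10
198.51.100.0/24
not-an-ip
300.1.1.1
192.0.2.55/33
192.0.2.7'

# valid_ipv4 ADDR[/PREFIX]: returns 0 when every octet is 0-255 and any
# prefix is 0-32, 1 otherwise.
valid_ipv4() {
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32   # no "/": host route
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -- $addr                         # split octets on "."
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# blackhole_cmds: read a blocklist on stdin and print one command per
# valid, unique entry; invalid entries are reported on stderr and skipped.
blackhole_cmds() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' | grep -v '^$' | sort -u |
    while read -r entry; do
        if valid_ipv4 "$entry"; then
            printf 'ip route add blackhole %s\n' "$entry"
        else
            printf 'skipping invalid entry: %s\n' "$entry" >&2
        fi
    done
}

# sample_cmds: run the conversion over the embedded sample list.
sample_cmds() {
    printf '%s\n' "$SAMPLE_LIST" | blackhole_cmds 2>/dev/null
}

# Real use: blackhole_cmds < blocklist.txt > apply.sh, review, then run it as root.
sample_cmds
```

Blackhole routes are cheap to add in bulk because the kernel looks them up in the routing table rather than walking a long rule chain, which is the point made above about iptables getting slow with thousands of entries. Use `ip route del blackhole` with the same argument to undo one.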
Or:
Force HTTPS for wp-login.php. They don't attempt to bruteforce HTTPS.
@rds100 - OK cool, that does sound like a better way... you're missing some backticks on the for loop, no?
Wordfence works well; also I have blocked many IPs in the .htaccess.
This is from what list?
Yes, they went missing somehow, I'll edit it now.
Hmm no, the backticks are there, but vanilla is eating them. Even PRE doesn't help it seems.
Does anyone have an idea how to display the backticks?
I'm enabling these options, LF_DSHIELD, LF_SPAMHAUS, LF_SPAMHAUS_EXTENDED, LF_TOR, LF_BOGON, in CSF and SSH bruteforce attempts have drastically reduced.