Protect Login Page from Brute Force Login Attacks


This topic contains 62 replies, has 12 voices, and was last updated by floOo 2 months, 2 weeks ago.

Viewing 15 posts - 1 through 15 (of 63 total)
    #7007
    AITpro Admin
    Keymaster

    For folks who DO NOT want/allow anyone else to login/register to their website.

    This .htaccess code will protect your WordPress Login page from Brute Force Login Attacks based on IP address, but keep in mind that if you are allowing folks to login to your website then they will not be able to login. This .htaccess code is for folks who do not allow anyone but themselves to login to their website. You can of course add additional IP address octets to allow other folks access to your login page.

    If you have a BuddyPress site then click this link for Anti-Spammer Registration code:  http://forum.ait-pro.com/forums/topic/buddypress-spam-registration-buddypress-anti-spam-registration/  The new aggressive experimental code in testing is looking like a winner so far.

    If you are using CloudFlare, a Proxy, a CDN, a VPN then see the:  CloudFlare, Proxy, CDN, VPN section below.

    IMPORTANT NOTES:

    You will find your Server / Website IP Address and Public IP / Your Computer IP Address on the BPS System Info page.

    If you have used the IP based Brute Force Login Protection code and you are unable to login to your website then your ISP is changing your entire IP address subnet dynamically and you will not be able to use this code and should instead use the Server Protocol based Brute Force Login Protection code.  See the “If you are unable to login to your website after using the IP based Brute Force Login Protection code” help section below if you are unable to login to your site. 

    # Protect wp-login.php from Brute Force Login Attacks based on IP Address
    <FilesMatch "^(wp-login\.php)">
    Order Allow,Deny
    # Add your website domain name
    Allow from example.com
    # Add your website/Server IP Address
    Allow from 69.200.95.1
    # Add your Public IP Address using 2 or 3 octets so that if/when
    # your IP address changes it will still be in your subnet range. If you
    # have a static IP address then use all 4 octets.
    # Examples: 2 octets: 65.100. 3 octets: 65.100.50. 4 octets: 65.100.50.1
    Allow from 65.100.50.
    </FilesMatch>

    For BPS and BPS Pro folks who DO want to allow other folks to be able to login/register to their website

    Note For BPS Pro folks: If you are looking for the Brute Force Login Protection code to either check for in your root .htaccess file or add to your website, that code is displayed below. If the code already exists in your root .htaccess file and it is working then copy that code from your root .htaccess file to BPS Pro Custom Code by following the instructions below.

    This will block/Forbid around 98% of automated Brute Force Login hacking attempts since typically Server Protocol HTTP/1.0 is used in these automated Brute Force Login Attacks. This code has a 95%/5% success/fail ratio, meaning that this code works on 95% of websites/Servers and does not work on 5% of websites/Servers. See the IMPORTANT NOTE below.

    IMPORTANT NOTE:  If you see a 403 error on your login page when trying to login or log out of your website then you cannot use this code on your Server/Website and will need to delete this code to correct the 403 error on login and logout.

    # BRUTE FORCE LOGIN PAGE PROTECTION
    # Protects the Login page from SpamBots, HackerBots & Proxies
    # that use Server Protocol HTTP/1.0 or a blank User Agent
    RewriteCond %{REQUEST_URI} ^(/wp-login\.php|.*wp-login\.php.*)$
    RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
    RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
    RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
    RewriteRule ^(.*)$ - [F,L]

    How to add/use this Brute Force Login Protection Code on your website

    If you have BPS or BPS Pro installed this custom .htaccess code goes in this Custom Code text box:  . After adding this custom code click the Save Root Custom Code button, go to the Security Modes page, click the Create secure.htaccess File AutoMagic button and activate Root Folder BulletProof Mode again.

    To reverse the process (remove/delete the code from your root .htaccess file) you would delete the code from the  text box, click the Save Root Custom Code button, go to the Security Modes page, click the Create secure.htaccess File AutoMagic button and activate Root Folder BulletProof Mode again.

    If you are unable to login to your website after using the IP based Brute Force Login Protection code

    FTP to your website and download your root .htaccess file and edit it in Notepad or Notepad++ (do NOT edit .htaccess files with Word or WordPad – they will corrupt the .htaccess file).  Replace the IP based Brute Force Login Protection code with the Server Protocol based Brute Force Login Protection code and upload your root .htaccess file back to your website.  Or you can use your Web Host Control Panel/cPanel File Manager instead to edit your root .htaccess file.

    And yes you can do a combination of both IP based and Server Protocol based blocking.  This code means this:  If the login page is requested/accessed and the Server Protocol is HTTP 1.0 or the IP address is not your IP address then Forbid access to the Login page.  

    ***This code is ONLY for folks who do not want anyone else to be able to login or register to their websites.

    # Protect wp-login.php from Brute Force Login Attacks based on Server Protocol or IP
    # All legitimate humans and bots should be using Server Protocol HTTP/1.1
    RewriteCond %{REQUEST_URI} ^/wp-login\.php$
    RewriteCond %{THE_REQUEST} HTTP/1\.0 [OR]
    RewriteCond %{REMOTE_ADDR} !^xxx\.xxx\.xxx\.$
    RewriteRule ^(.*)$ - [F,L]

    Another method to allow your Login page to be only accessible to you…

    …would be to add this function to your Theme’s functions.php file.  In this example you would need to enter:  http://www.example.com/wp-login.php?mySecretString=foobar to gain access to your login page.  You would of course change “mySecretString=foobar” to whatever you want for your secret Query String.

    // Simple Query String Login page protection
    function example_simple_query_string_protection_for_login_page() {
        $QS = '?mySecretString=foobar';
        // Rebuild the requested URL from the server variables. This must match what
        // site_url() returns (same scheme and www prefix), otherwise the comparison
        // below never succeeds and every visitor is redirected to the home page.
        $theRequest = 'http://' . $_SERVER['SERVER_NAME'] . '/' . 'wp-login.php' . '?' . $_SERVER['QUERY_STRING'];

        // these are for testing
        // echo $theRequest . '<br>';
        // echo site_url('/wp-login.php') . $QS . '<br>';

        if ( site_url('/wp-login.php') . $QS === $theRequest ) {
            // Secret query string present: let the login page render normally.
            // echo 'Query string matches';
        } else {
            // No secret query string: send the visitor to the home page and stop.
            header( 'Location: http://' . $_SERVER['SERVER_NAME'] . '/' );
            exit;
        }
    }
    // login_init fires before wp-login.php sends any output, so the Location
    // header above can still be set (login_head runs after output has started).
    add_action('login_init', 'example_simple_query_string_protection_for_login_page');

    CloudFlare, Proxy, CDN, VPN

    As of BPS .49.3 and BPS Pro 7.5 the System Info page will display X-Forwarded-For IP addresses:
    If you are using CloudFlare on your website then you will see Proxy X-Forwarded-For IP Address: instead of Public ISP IP / Your Computer IP Address: displayed to you. This additional check is for troubleshooting issues with CloudFlare, CDN, Proxy or VPN.

    WordPress Forum Topic:  http://wordpress.org/support/topic/whitelisting-ips-leads-to-403-errors-on-logout?replies=21

    CloudFlare uses a Proxy so you will need to whitelist the X-Forwarded-For client IP address assigned by CloudFlare.

    Wiki info on X-Forwarded-For
    http://en.wikipedia.org/wiki/X-Forwarded-For

    The general format of the field is:
    X-Forwarded-For: client, proxy1, proxy2

    If I understand this information correctly in the Wiki link above, as long as you are using the “client” IP address then that is what should only be whitelisted. The 2nd, 3rd proxy IP addresses should not be whitelisted, but this may or may not be true – pending testing.

    Notes: 
    You can use SetEnvIf X-FORWARDED-FOR inside or outside of the FilesMatch section of code.

    You would want to use Order Allow,Deny and NOT Order Deny,Allow
    http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#order

    Allow,Deny
    First, all Allow directives are evaluated. At least one must match, or the request is rejected.
    Next, all Deny directives are evaluated. If any matches, the request is rejected.
    Last, any requests which do not match an Allow or a Deny directive are denied by default.

    Deny,Allow
    First, all Deny directives are evaluated. If any match, the request is denied unless
    it also matches an Allow directive. Any requests which do not match any Allow or Deny directives are permitted.

    SetEnvIf X-FORWARDED-FOR "^xxx\.xxx\.xxx\.xxx$" whitelist
    SetEnvIf X-FORWARDED-FOR "^xxx\.xxx\.xxx\.xxx$" whitelist
    SetEnvIf X-FORWARDED-FOR "^xxx\.xxx\.xxx\.xxx$" whitelist
    
    <FilesMatch "^(wp-login\.php)">
    Order Allow,Deny
    Allow from env=whitelist
    # Add your website domain name
    Allow from example.com
    # Add your website/Server IP Address
    Allow from xxx.xxx.xxx.xxx
    # Add additional IP Addresses if necessary or delete these lines of code if not needed/used
    Allow from xxx.xxx.xxx.xxx
    Allow from xxx.xxx.xxx.xxx
    </FilesMatch>
    #7012
    AITpro Admin
    Keymaster

    Testing Parameters:

    Socket to spoof Google IP and Hostname

    cURL to spoof Google User Agent/Bot and Referer and force HTTP/1.0 Server Protocol

    Result:  403 Forbidden/GET displays BPS 403.php Forbidden template

    >>>>>>>>>>> 403 GET or Other Request Error Logged - June 17, 2013 - 1:58 pm <<<<<<<<<<<
    REMOTE_ADDR: 66.249.66.1
    Host Name: crawl-66-249-66-1.fakegooglebot.com
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http: //www.fake-referer-domain.com/
    REQUEST_URI: /wp-login.php
    QUERY_STRING:
    HTTP_USER_AGENT: FakeGooglebot/2.1 (+http://www.googlebot.com/bot.html)
    #7015
    Young Master
    Participant

    Is this .htaccess code necessary if you are using the Login Security feature? Doesn't Login Security protect from login brute force attacks?

    #7016
    AITpro Admin
    Keymaster

    No, this code is not necessary unless you want to block cURL attack methods that use GET.  All login processing uses POST.

    Yes, Login Security does have Brute Force Login protection.

    Several people have asked this general question since Brute Force attacks are still occurring worldwide intermittently so I created this post for them and so I do not have to keep answering the same question over and over again.

    #7032
    AITpro Admin
    Keymaster

    I guess I should also explain what the difference is between GET and POST in regards to automated Brute Force hacking scripts.  Automated Brute Force hacking scripts typically use cURL to GET your login page and then the script will start executing POST Brute Force password cracking.  So if GET is blocked based on the HTTP/1.0 Server Protocol then the cURL GET is blocked/Forbidden before POST ever comes into play.  In other words, this allows someone to prevent the first part (probe, recon, etc) of the automated Brute Force hacking method from even getting to the WordPress login page.

    #7269
    AITpro Admin
    Keymaster

    And someone is bound to ask this question sooner or later: how to block automated comment spambots.

    # Protect wp-login.php from Brute Force Login Attacks based on Server Protocol
    # Block automated comment spambots using Server Protocol HTTP/1.0
    # All legitimate humans and bots should be using Server Protocol HTTP/1.1
    RewriteCond %{REQUEST_URI} ^(/wp-login\.php|/wp-comments-post\.php)$
    RewriteCond %{THE_REQUEST} HTTP/1\.0
    RewriteRule ^(.*)$ - [F,L]
    #7272
    b-cat
    Participant

    This is great info! Thank you! I have one question about this below

    Since I’ve turned off Login Security due to a conflict with SI CAPTCHA, I’ve followed your steps above to “block/Forbid around 98% of automated Brute Force Login hacking attempts…” and I did this by adding the code below to the “CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE: Add miscellaneous code here text box.”

    # Protect wp-login.php from Brute Force Login Attacks based on Server Protocol
    # All legitimate humans and bots should be using Server Protocol HTTP/1.1
    RewriteCond %{REQUEST_URI} ^/wp-login\.php$
    RewriteCond %{THE_REQUEST} HTTP/1\.0
    RewriteRule ^(.*)$ - [F,L]

    After adding that custom code, I clicked the Save Root Custom Code button, then went to the Security Modes tab and clicked the Create secure.htaccess File AutoMagic button, and activated Root Folder BulletProof Mode again. I also re-activated the wp-admin Folder .htaccess security mode again, since the Security Modes page asked me to.

    Now the Question:
    How can I confirm that the custom code above has been added and that it is active? And where is it now located? Will I find this code by reading the root directory .htaccess file directly? (I tried that and couldn’t find the code in that document, but maybe the code ends up looking different after it is automagically added to the .htaccess file…?)

    I’m suspicious that the code did not get inserted because when I re-open the add Custom Code button and scroll down to the “CUSTOM CODE BOTTOM HOTLINKING/FORBID…” section, I see the code I pasted on the LEFT text field, but I don’t see it showing up on the RIGHT side display, which seems to be reading directly from the target .htaccess file.

    #7274
    AITpro Admin
    Keymaster

    The right side highlighted in yellow is just a basic example of what should go in the text box on the left and not an echo of your actual code.  Go to the htaccess File Editor page, click on the Your Current Root htaccess File tab, scroll down to the bottom of your root .htaccess file and you should see the code.

    #7312
    AITpro Admin
    Keymaster

    Status update:

    There is no sign of the Brute Force Login attacks letting up.  This is what we are logging on our websites using the Brute Force Login protection .htaccess code above.

    1,000 Brute Force Login attacks blocked per day per website.

    10 sites total

    1,000 x 10 websites = 10,000 Brute Force Login attacks blocked per day.

    10,000 x 7 days = 70,000 Brute Force Login attacks blocked per week.

    70,000 x 4 weeks = 280,000 Brute Force Login attacks blocked per month.

    #7426
    Mike Harrison
    Participant

    I’d like to implement this code. But, before I do, which htaccess file will this be written in? I ask because I want to first make a backup of whatever file is going to be changed so that if a mistake is made, I can revert to the earlier version.

    Or, what procedure would you recommend?

    Thanks!

    #7427
    AITpro Admin
    Keymaster

    If you have BPS or BPS Pro installed this custom .htaccess code goes in the CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE: Add miscellaneous code here text box. After adding this custom code click the Save Root Custom Code button, go to the Security Modes page, click the Create secure.htaccess File AutoMagic button and activate Root Folder BulletProof Mode again.

    To reverse the process (remove/delete the code from your root .htaccess file) you would delete the code from the CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE: Add miscellaneous code here text box, click the Save Root Custom Code button, go to the Security Modes page, click the Create secure.htaccess File AutoMagic button and activate Root Folder BulletProof Mode again.

    #7433
    bill
    Participant

    Hello. In brief, I had two (2) of my sites attacked this morning via this method… thankfully, BPS Pro foiled the login attempts. That said, I’m about to enter the code you’ve graciously provided above in the noted area, but I had a question regarding the IP address(es) reported when I received my email alert. In addition to adding the code above, how do I block the IP Address of the culprit(s) and would you even deem it necessary to do so? Thanks. And, Happy 4th of July.

    #7435
    bill
    Participant

    Got it now. Thanks.

    #7441
    bill
    Participant

    After I included this code below as you instructed…

    # Protect wp-login.php from Brute Force Login Attacks
    <FilesMatch "^(wp-login\.php)">
    Order Allow,Deny
    # Add your website domain name
    Allow from mysiteaddress.com
    # Add your website/Server IP Address
    Allow from 69.200.95.1
    # Add your Public IP Address using 2 or 3 octets so that if/when
    # your IP address changes it will still be in your subnet range. If you
    # have a static IP address then use all 4 octets.
    # Examples: 2 octets: 65.100. 3 octets: 65.100.50. 4 octets: 65.100.50.1
    Allow from 65.100.50.
    </FilesMatch>

    Note: the bold areas in the code were changed to reflect my actual information.

    I checked my .htaccess file (via file/upload/edit tab and ftp) and it was viewable in both areas (at the very bottom of the .htaccess file). My question is: when I checked to see if it was working or if it would prevent me from accessing my website’s (example: mysiteaddress.com/wp-login.php) login page from my mobile (iphone/sprint; not sure this matters), it did not prevent me from viewing the page/attempting to log in multiple times (well above the two permitted). Note: When I type gibberish into both fields, it seems I can go on forever. However, when I type in the correct username and wrong password, it locks me out. This is for my mobile and computer. Am I misreading the intended functionality? Please advise.

    #7443
    AITpro Admin
    Keymaster

    Something must not be setup correctly, unless all of your devices use the same IP address subnet.  Doubt that seriously, but do not know that for sure.  Double check that you have done everything correctly.

    You can also test by using a free Online Proxy Server like HideMyAss.com to test with. You should be able to see your main URL, but you will not be able to see the /wp-login.php page.

    Try to view this test website’s Login page that is using the Block Brute Force Login code:  http://www.ait-pro.com/verum/wp-login.php

    You should see a 403 Error.
