Protect Login Page from Brute Force Login Attacks
Tagged: Bonus Custom Code, Brute Force Login Attacks, Protect Login page, WordPress Brute Force Attacks
- This topic has 163 replies, 30 voices, and was last updated 4 years, 6 months ago by eveli.
rafaelmagic (Participant)
If the Bonus Brute Force code does not work on your server and if you have root access, a VPS or your own server, you could try the following 3 alternate ways.
1) VARNISH CACHE Brute Force Protection: http://forum.ait-pro.com/forums/topic/varnish-cache-login-page-protection-brute-force-protection/
2) MOD SECURITY Brute Force Protection:
I personally use the Free Comodo WAF rules and they have several brute-force protection rules.
But you can add a “custom rule” such as below:
## block wordpress login attempts
SecRule REQUEST_URI "wp-login.php" "id:'100',chain,severity:'3',msg:'Bad url - wp-login.php'"
    SecRule REMOTE_ADDR "!@ipMatch xxx.xxx.xxx.xxx"
Replace xxx.xxx.xxx. with your IP.
3) SERVER CONFIG Brute Force Block for wp-login in httpd.conf (PLEASE back up the file before you crash your server).
This METHOD is only for experienced users. I am warning you.
Edit /usr/local/apache/conf/httpd.conf and add the following near the other <Files></Files> lines:
Code A
<Files ~ "^wp-login.php">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>
ErrorDocument 403 "Not acceptable"
Restart Apache.
To gain access again, comment it out (put # in front of the lines) and restart Apache.
Code B
httpd.conf code to try:
<FilesMatch wp-login.php>
    # Deny,Allow so the Allow line overrides "Deny from all".
    # With Order Allow,Deny a matching Deny wins, so "Deny from all"
    # would lock out the whitelisted IP as well.
    Order Deny,Allow
    Deny from all
    Allow from xxx.xxx.xxx.xxx
</FilesMatch>
xxx.xxx.xxx.xxx is your IP to whitelist.
Good luck..
MaiZuli (Participant)
Just was wondering... I've blocked quite many IPs since I made pages about 2 years ago and I have had several brutes in the past few days. Just wondering what kind of code I should use. I am not good with these codes, and if I start to make these code changes to .htaccess I need to be sure of what I am doing and where in there. 🙂
I have one own page which needs the code.
I'm not a blonde, but a female for sure, so this is not so simple for me, but I am anxious to learn this code. But I'm not hopeless with computers. So please help me. I would like to have a code which ends those "brutes". The last 311 are from Italy :p
I have managed with Wordfence and BPS Security this far.
Thanks 🙂
AITpro Admin (Keymaster)
If you have BPS free installed then I recommend that you install a CAPTCHA plugin. If you have BPS Pro installed then you would use JTC Anti-Spam|Anti-Hacker. We did months of testing and research with different methods of blocking automated hacking and spamming attempts: http://forum.ait-pro.com/forums/topic/buddypress-spam-registration-buddypress-anti-spam-registration/ 99% of all hacking and spamming is automated with bots. Blocking by IP address is a time consuming and ongoing process. Some hacker and spammer networks have millions of IP addresses they can use. The most effective method of blocking automated hacking and spamming auto-registering, auto-login and auto-posting attempts is using a CAPTCHA system.
MaiZuli (Participant)
I have the free version installed because this one page is not my personal one. One of the societies I am in is its holder, but I noticed this hobby has started to get too serious with these hackers. It makes me a little bit scared that somebody is going to ruin this page.
But I’ll install that CAPTCHA plugin.
Thank you 🙂
AITpro Admin (Keymaster)
Hacking and spamming is nothing personal and is completely automated, i.e. hackers and spammers click a "go" button in their bot delivery system and their bots randomly go all over the place and do whatever they do. There is money to be made so the motivation is purely monetary and not personal. It is very rare that a human hacker or spammer actually manually tries to spam or hack a website – probably about 1% of the time (most likely a much lower percentage, i.e. .01%, political, espionage or other motivation). 99% of the time the blocked attacks and attempts that you see are automated.
Mike (Participant)
[Reply has been merged into this relevant Topic]
Okay so I can’t seem to log out of my site. When I click Logout, I get a 403 error even though I whitelisted my ip. Any ideas?
AITpro Admin (Keymaster)
@ Mike – your Reply has been merged into this Topic. I am assuming you are using the Brute Force Login protection Bonus Custom Code in this forum topic. On about 5% of hosts you cannot use the Brute Force Login protection Bonus Custom Code that is in this forum topic, so you will have to delete it from BPS Custom Code, click the Save Root Custom Code button, go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.
IMPORTANT NOTE: If you see a 403 error on your login page when trying to login or log out of your website then you cannot use this code on your Server/Website and will need to delete this code to correct the 403 error on login and logout.
Mike (Participant)
Actually, it was my fault. I put in the wrong website/server IP under brute force attack. It works now. However, I do have a question regarding that... I'm assuming that even though the domain is being served up on the root and not any subdomain (like www), I wouldn't have to do this, right?
Allow from *.domain.com
# Add your website/Server IP Address
Allow from 111.222.333.444
AITpro Admin (Keymaster)
Great!
The Order and Allow directives do not use the Regex * character (match anything). When you use
Allow from example.com
that will match www.example.com or any other subdomain: x.example.com, y.example.com etc.
Mike (Participant)
Perfect, thanks!
Bruce (Participant)
[Topic has been merged into this relevant Topic]
It seems that my site was the subject of a brute force attack(?) on my admin panel login page. I looked at my BPS Log Files and there was an attempt every single minute for 2 days; however the last one was 3 hours ago. Here is what BPS has in the log – each one is identical except for the timestamp. So does this mean BPS is blocking the attack? Or do I need to do something else – like maybe put that IP address on a block or deny list?
[400 GET Bad Request: April 30, 2015 - 4:47 pm]
Event Code: The request could not be understood by the server due to malformed syntax.
Solution: N/A - Malformed Request - Not an Attack
REMOTE_ADDR: 134.249.48.79
Host Name: 134-249-48-79-broadband.kyivstar.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: http://bruceleibowitz.net/wp-login.php
QUERY_STRING:
HTTP_USER_AGENT:
AITpro Admin (Keymaster)
The HTTP Status Code is 400 Bad Request and not 403 Forbidden. That means the Ukrainian SpamBot is making a bad/malformed Request to your Login page and nothing bad is happening. The User Agent String is blank – that usually indicates a SpamBot. Any Request that is legitimate will have a valid User Agent String. Example:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36
So since the bad SpamBot is making a bad Request to your website then you can just ignore these Security Log entries.
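As an added illustration (not BPS code and not from any poster in this thread), the following Python script triages Security Log entries written in the layout quoted above. The entries are constructed samples with documentation-range IP addresses; the flags encode the reasoning in this reply: a blank User-Agent points at a bot, a 400 means the server rejected a malformed request before WordPress ran, a 403 means the rules blocked it, and repeated hits from one address mark the same source. The field names come from the log quoted above; the function names are my own.

```python
"""Triage of BPS Security Log entries (added example, not BPS code)."""
import re
from collections import Counter

# Header line of each entry: "[<status> <method> <reason>: <timestamp>]"
HEADER = re.compile(r"^\[(\d{3}) ([A-Z]+) ([^:]+): (.+)\]$")

# Constructed sample in the BPS Security Log layout; IPs are from
# documentation ranges (203.0.113.0/24, 198.51.100.0/24), not real hits.
SAMPLE_LOG = """\
[400 GET Bad Request: April 30, 2015 - 4:47 pm]
Event Code: The request could not be understood by the server due to malformed syntax.
Solution: N/A - Malformed Request - Not an Attack
REMOTE_ADDR: 203.0.113.7
Host Name: 203-0-113-7.example.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_X_FORWARDED_FOR:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: http://example.com/wp-login.php
QUERY_STRING:
HTTP_USER_AGENT:

[400 GET Bad Request: April 30, 2015 - 4:48 pm]
Event Code: The request could not be understood by the server due to malformed syntax.
Solution: N/A - Malformed Request - Not an Attack
REMOTE_ADDR: 203.0.113.7
Host Name: 203-0-113-7.example.net
SERVER_PROTOCOL: HTTP/1.1
REQUEST_METHOD: GET
REQUEST_URI: http://example.com/wp-login.php
HTTP_USER_AGENT:

[403 GET Forbidden: April 30, 2015 - 4:50 pm]
Event Code: constructed example of a 403 block (placeholder text)
Solution: N/A - constructed example
REMOTE_ADDR: 198.51.100.9
Host Name: 198-51-100-9.example.net
SERVER_PROTOCOL: HTTP/1.1
REQUEST_METHOD: GET
REQUEST_URI: http://example.com/wp-login.php
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36
"""


def parse_entries(text):
    """Split the log into entries (blank-line separated) and parse each into a dict."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        m = HEADER.match(lines[0])
        if not m:
            continue  # not an entry header; skip the block
        entry = {"status": int(m.group(1)), "method": m.group(2),
                 "reason": m.group(3), "time": m.group(4)}
        for line in lines[1:]:
            key, _, value = line.partition(":")  # split on the first colon only
            entry[key.strip()] = value.strip()
        entries.append(entry)
    return entries


def hits_per_ip(entries):
    """How many entries each remote address produced."""
    return Counter(e.get("REMOTE_ADDR", "") for e in entries)


def triage(entries, repeat_threshold=2):
    """Attach flags to each entry following the reasoning in the reply above."""
    counts = hits_per_ip(entries)
    report = []
    for e in entries:
        flags = []
        if e.get("HTTP_USER_AGENT", "") == "":
            flags.append("blank-user-agent")      # real browsers always send one
        if e["status"] == 400:
            flags.append("malformed-request")     # rejected before WordPress ran
        elif e["status"] == 403:
            flags.append("forbidden-by-rules")    # .htaccess rules blocked it
        if counts[e.get("REMOTE_ADDR", "")] >= repeat_threshold:
            flags.append("repeated-source")       # same address hitting again and again
        report.append({"ip": e.get("REMOTE_ADDR", ""), "status": e["status"], "flags": flags})
    return report


if __name__ == "__main__":
    for row in triage(parse_entries(SAMPLE_LOG)):
        print(row["ip"], row["status"], ", ".join(row["flags"]))
```

Paste a block of real entries into `SAMPLE_LOG` (or read them from a file) to get the same per-entry flags; the blank-User-Agent and 400 flags together are the pattern this reply says can be ignored, while a burst of repeated 403 entries from one address is the case where adding that address to a deny list is worth considering.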
Bruce (Participant)
Ok, thanks!
convertmedia (Participant)
Thanks for this.
I entered the below code into CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE: Add miscellaneous code here, replacing "example.com" with my site "screenplae.com" and "69.200.95.1" with my IP, "100.38.132.242".
I am unsure what to do about "65.100.50" at the end. Do I just enter my IP again?
# Protect wp-login.php from Brute Force Login Attacks based on IP Address
<FilesMatch "^(wp-login\.php)">
Order Allow,Deny
# Add your website domain name
Allow from example.com
# Add your website/Server IP Address
Allow from 69.200.95.1
# Add your Public IP Address using 2 or 3 octets so that if/when
# your IP address changes it will still be in your subnet range. If you
# have a static IP address then use all 4 octets.
# Examples: 2 octets: 65.100. 3 octets: 65.100.50. 4 octets: 65.100.50.1
Allow from 65.100.50.
</FilesMatch>
After entering this, I followed through and clicked "Activate Root Folder BulletProof Mode."
I got an error at the top that says:
BPS Alert! An htaccess file was NOT found in your WordPress wp-admin folder
If you have deleted the wp-admin htaccess file for troubleshooting purposes you can disregard this Alert.
After you are done troubleshooting Click Here to go to the BPS Setup Wizard page and click the Setup Wizard button to setup the BPS plugin again.
Important Note: If you deleted the wp-admin htaccess file due to bad/invalid Custom Code causing a problem then Click Here to go to the BPS Custom Code page, delete the bad/invalid wp-admin Custom Code and click the Save wp-admin Custom Code button before running the Setup Wizard again."
Is this common?
AITpro Admin (Keymaster)
In most cases you only need to add your public IP address and not your website/server IP address, BUT your public IP address will be dynamically changed frequently by your ISP. So what you need to figure out is how many octets of your IP address remain the same/consistent. So in the example below all IP addresses starting with 65. will be allowed to view and login to your site.
Regarding the rest of your question: Did you add the custom code in the correct Custom Code text box? The only logical reason for why you would be seeing a wp-admin htaccess file error message would be that you entered your custom code in the wrong text box.
# Protect wp-login.php from Brute Force Login Attacks based on IP Address
<FilesMatch "^(wp-login\.php)">
Order Allow,Deny
# Add your Public IP Address using 2 or 3 octets so that if/when
# your IP address changes it will still be in your subnet range. If you
# have a static IP address then use all 4 octets.
# Examples: 2 octets: 65.100. 3 octets: 65.100.50. 4 octets: 65.100.50.1
Allow from 65.
</FilesMatch>
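An added example, not from BPS and not Apache source, that emulates how Apache 2.2's Order / Allow from / Deny from directives decide a request to wp-login.php. It covers the partial-octet entries in the code above ("65." matches any 65.x.x.x, whole octets only, so "65.1" does not match 65.100.x.x), the domain form from the earlier reply in this thread (Allow from example.com also matches www.example.com and other subdomains; the reverse-DNS host name is passed in as a parameter here because Apache resolves it itself), and the effect of combining an Allow line with "Deny from all" under each Order (with Allow,Deny the Deny wins and locks out the whitelisted IP; Deny,Allow is the form that works). Client IPs and host names are constructed, and the function names are my own.

```python
"""Emulation of Apache 2.2 mod_authz_host decisions (added example, not Apache code)."""
import ipaddress


def entry_matches(entry, client_ip, client_host=""):
    """True if one 'Allow from' / 'Deny from' argument matches the client."""
    entry = entry.strip().lower()
    if entry == "all":
        return True
    if "/" in entry:
        # CIDR form, e.g. 203.0.113.0/24
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(entry, strict=False)
    if entry.replace(".", "").isdigit():
        # Full or partial dotted IP: "65." or "65.100.50" compare whole octets,
        # so "65.1" does not match 65.100.x.x
        wanted = [o for o in entry.split(".") if o]
        return client_ip.split(".")[: len(wanted)] == wanted
    # Otherwise a domain name: matches that host and any of its subdomains
    host = client_host.lower().rstrip(".")
    return host == entry or host.endswith("." + entry)


def decide(order, allows, denies, client_ip, client_host=""):
    """Apply the Order semantics to the Allow/Deny lists; True means access granted."""
    allowed = any(entry_matches(a, client_ip, client_host) for a in allows)
    denied = any(entry_matches(d, client_ip, client_host) for d in denies)
    if order == "allow,deny":
        # An Allow must match and no Deny may match; unmatched requests are denied.
        return allowed and not denied
    if order == "deny,allow":
        # A matching Allow overrides any Deny; unmatched requests are allowed.
        return allowed or not denied
    raise ValueError("unsupported Order: " + order)


def thread_examples():
    """Decisions for the configurations discussed in this thread (constructed clients)."""
    results = {}
    # The whitelist above: any client whose first octet is 65 may reach wp-login.php
    results["octet_65_in_range"] = decide("allow,deny", ["65."], [], "65.100.50.1")
    results["octet_65_other"] = decide("allow,deny", ["65."], [], "203.0.113.7")
    # 'Allow from example.com' also covers subdomains; no wildcard is needed
    results["subdomain_www"] = decide("allow,deny", ["example.com"], [], "198.51.100.9", "www.example.com")
    results["subdomain_x"] = decide("allow,deny", ["example.com"], [], "198.51.100.9", "x.example.com")
    results["other_host"] = decide("allow,deny", ["example.com"], [], "198.51.100.9", "example.org")
    # Allow from <ip> plus Deny from all under Allow,Deny: the Deny wins for everyone
    results["whitelist_allow_deny"] = decide("allow,deny", ["198.51.100.9"], ["all"], "198.51.100.9")
    # Same lines under Deny,Allow: the whitelisted IP gets in, everyone else is refused
    results["whitelist_deny_allow_whitelisted"] = decide("deny,allow", ["198.51.100.9"], ["all"], "198.51.100.9")
    results["whitelist_deny_allow_other"] = decide("deny,allow", ["198.51.100.9"], ["all"], "203.0.113.7")
    return results


if __name__ == "__main__":
    for name, granted in thread_examples().items():
        print(f"{name:36s} {'allowed' if granted else '403 Forbidden'}")
```

Before activating a whitelist, run `decide()` with the Order and the Allow/Deny lines you intend to paste and your own current public IP (and a second, unrelated address) to confirm that the first is allowed and the second is refused; the Allow,Deny plus "Deny from all" case is the combination that produces the 403-on-login-and-logout symptom described earlier in this thread.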