Can't stop hacker bot from accessing admin screen

[kilakiwi]

I enabled ‘deny all’ for my admin .htaccess in Bulletproof but there is a bot that has tried to login to my site hundreds of times today from a different IP address every time, and the ‘deny all’ isn’t stopping it. I can’t even see the admin screen myself, because I have CloudFlare turned on and that changes my IP, so how can a bot get to it? My site was hacked a few months ago and spam links were added to my header, so I am determined to stop it from happening again. Of course I have a relatively secure user ID and password, but I still don’t want someone trying to login hundreds of times per day. I’ve tried everything I know. Any suggestions?

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist home IP address
allow from 64.233.169.99

[AITpro Admin]

Trying to block by IP address and doing it in a way that you have to add those IP addresses to block is not effective because IP addresses are easily faked and changed each time you block a particular IP address.  What does work is if you do something like ONLY allow from your IP address since you can control that factor, but when doing something like this for a site/files/folders that need to be accessible publicly you make them inaccessible to the public, unless you create whitelisting rules of some sort for specific/particular scripts that need to continue to load unrestricted.

BasicAuth password protection on the wp-admin folder is not really necessary.  WordPress already has authentication protection on the Admin area.  Adding a second authentication does not make this anymore secure.

It is a very simple thing for automated Bot programs to find your login code since what the Bot is looking for is code and not something visual that a human would be looking for like a link to a login page.  For that reason it is impossible to hide from automated Bot programs since you cannot hide the code itself because this would render your login code not usable – you or anyone else would not be able to login to the website.  The code must be outputted in order for it to work.  Outputted/rendered code is easily found using many forms of scanning – cURL is the simplest method to find outputted code.

Ok so now what can you do?

If you have a login protection plugin installed that locks failed login attempts after X failed attempts then this Action approach stops the Bot from getting any further.  Most automated Bot hacker programs will continue to switch IP addresses, host names, etc. automatically after X failed attempts or after being blocked X number of times.  Eventually the automated Bot program will move on to another target so you should not be that concerned about monitoring failed login attempts if you have login protection in place.

If you still want to try and block by IP Address then you can use this code in your root .htaccess file (link below), but do not waste too much time on doing something like this.

http://forum.ait-pro.com/forums/topic/htaccess-block-ip-address-block-access-to-files-by-ip-address/

[kilakiwi]

Thanks, AITpro. I understand what you’re saying. The code I used is included in Bulletproof, but normally commented out. It denies access to the admin folder to all except the whitelisted IPs.

I think I figured out how they are getting around that; they are going straight to /wp-login.php?redirect(…) to try to login. But I just realized that even if they were to guess both the user name and the password, they would still hit the 403 page instead of the admin dashboard. I feel better now.

It’s just unnerving to see hundreds of hack attempts every day on a site that has already been hacked once (through the header–not sure how they did that). Thanks again for taking the time to respond.

[AITpro Admin]

Yep, I agree it is bit unnerving to see how many automated hacking attempts are going on constantly.  That number continues to increase day to day, week to week, month to month and year to year.  😉

[Author]

Posts