Can't stop hacker bot from accessing admin screen


This topic contains 3 replies, has 2 voices, and was last updated by  AITpro Admin 5 years, 2 months ago.

  • #3910

    kilakiwi
    Member

    I enabled ‘deny all’ for my admin .htaccess in Bulletproof but there is a bot that has tried to login to my site hundreds of times today from a different IP address every time, and the ‘deny all’ isn’t stopping it. I can’t even see the admin screen myself, because I have CloudFlare turned on and that changes my IP, so how can a bot get to it? My site was hacked a few months ago and spam links were added to my header, so I am determined to stop it from happening again. Of course I have a relatively secure user ID and password, but I still don’t want someone trying to login hundreds of times per day. I’ve tried everything I know. Any suggestions?

    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "Access Control"
    AuthType Basic
    order deny,allow
    deny from all
    # whitelist home IP address
    allow from 64.233.169.99

    #3922

    AITpro Admin
    Keymaster

    Trying to block by IP address and doing it in a way that you have to add those IP addresses to block is not effective because IP addresses are easily faked and changed each time you block a particular IP address.  What does work is if you do something like ONLY allow from your IP address since you can control that factor, but when doing something like this for a site/files/folders that need to be accessible publicly you make them inaccessible to the public, unless you create whitelisting rules of some sort for specific/particular scripts that need to continue to load unrestricted.

    BasicAuth password protection on the wp-admin folder is not really necessary.  WordPress already has authentication protection on the Admin area.  Adding a second authentication does not make this any more secure.

    It is a very simple thing for automated Bot programs to find your login code since what the Bot is looking for is code and not something visual that a human would be looking for like a link to a login page.  For that reason it is impossible to hide from automated Bot programs since you cannot hide the code itself because this would render your login code not usable – you or anyone else would not be able to login to the website.  The code must be outputted in order for it to work.  Outputted/rendered code is easily found using many forms of scanning – cURL is the simplest method to find outputted code.

    Ok so now what can you do?

    If you have a login protection plugin installed that locks failed login attempts after X failed attempts then this Action approach stops the Bot from getting any further.  Most automated Bot hacker programs will continue to switch IP addresses, host names, etc. automatically after X failed attempts or after being blocked X number of times.  Eventually the automated Bot program will move on to another target so you should not be that concerned about monitoring failed login attempts if you have login protection in place.

    If you still want to try and block by IP Address then you can use this code in your root .htaccess file (link below), but do not waste too much time on doing something like this.

    http://forum.ait-pro.com/forums/topic/htaccess-block-ip-address-block-access-to-files-by-ip-address/

    #3924

    kilakiwi
    Member

    Thanks, AITpro. I understand what you’re saying. The code I used is included in Bulletproof, but normally commented out. It denies access to the admin folder to all except the whitelisted IPs.

    I think I figured out how they are getting around that; they are going straight to /wp-login.php?redirect(…) to try to login. But I just realized that even if they were to guess both the user name and the password, they would still hit the 403 page instead of the admin dashboard. I feel better now.

    It’s just unnerving to see hundreds of hack attempts every day on a site that has already been hacked once (through the header–not sure how they did that). Thanks again for taking the time to respond.
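
The gap described in this post, as an added example that is not part of the original thread or BulletProof Security's own code: wp-login.php sits in the site root, so a wp-admin/.htaccess never covers it, and behind CloudFlare Apache sees a CloudFlare edge address instead of the home IP. The sketch assumes the site's root .htaccess, the home IP from the first post, and CloudFlare's CF-Connecting-IP request header; the variable name home_ip is hypothetical.

```apache
# Root .htaccess sketch (added example; home_ip is a hypothetical variable name).

# Behind CloudFlare the connecting address is a CloudFlare edge server, so
# "allow from 64.233.169.99" never matches. Flag the request instead when the
# visitor address CloudFlare forwards in CF-Connecting-IP is the home IP.
SetEnvIf CF-Connecting-IP "^64\.233\.169\.99$" home_ip

# wp-login.php is in the site root, outside wp-admin/, so it needs its own rule.
<Files "wp-login.php">
    # Apache 2.4 syntax
    <IfModule mod_authz_core.c>
        Require env home_ip
    </IfModule>
    # Apache 2.2 syntax, as used in the first post
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
        Allow from env=home_ip
    </IfModule>
</Files>
```

The header is only trustworthy when the origin server accepts connections from CloudFlare's address ranges alone, since a request that reaches the origin directly can carry any value in it. The same SetEnvIf line and `env=home_ip` allow rule can stand in for `allow from 64.233.169.99` in wp-admin/.htaccess.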

    #3925

    AITpro Admin
    Keymaster

    Yep, I agree it is a bit unnerving to see how many automated hacking attempts are going on constantly.  That number continues to increase day to day, week to week, month to month and year to year.  😉
