Protect Login Page from Brute Force Login Attacks (BulletProof Security Pro forum)
Tagged: Bonus Custom Code, Brute Force Login Attacks, Protect Login page, WordPress Brute Force Attacks
This topic has 163 replies, 30 voices, and was last updated 5 years, 3 months ago by eveli.
AITpro Admin (Keymaster):

For folks who DO NOT want/allow anyone else to be able to login or register on their website
This .htaccess code will protect your WordPress Login page from Brute Force Login Attacks based on IP address, but keep in mind that if you are allowing folks to login to your website then they will not be able to login. This .htaccess code is for folks who do not want to allow anyone but themselves to login to their websites. You can add additional IP addresses to allow other people access to your login page or allow access to your login page from different locations/computers: work, home, etc. See the IMPORTANT NOTES help section below before using this code. Scroll down to this help section below: “How to add either the IP Address based Brute Force Login Protection Code or the Server Protocol based Brute Force Login Protection Code on your website” for the steps to add this .htaccess code to BPS Custom Code.
# Protect wp-login.php from Brute Force Login Attacks based on IP Address
<FilesMatch "^(wp-login\.php)">
Order Allow,Deny
# Add your Public IP Address using 2 or 3 octets so that if/when
# your IP address changes it will still be in your subnet range. If you
# have a static IP address then use all 4 octets.
# Examples: 2 octets: 65.100.  3 octets: 65.100.50.  4 octets: 65.100.50.1
Allow from 65.100.50.
</FilesMatch>
IMPORTANT NOTES:
If you are using CloudFlare, a Proxy, a CDN or a VPN then see the CloudFlare, Proxy, CDN, VPN Brute Force Login Protection help section below.
VERY IMPORTANT!!! If you have multiple websites under your Hosting account and want some of them to use this Brute Force Protection code, but not others then see this Forum Topic: http://forum.ait-pro.com/forums/topic/ok-to-use-brute-force-login-protection-if-need-login-in-subfolder/#post-16705
You will find your Public Internet IP Address (ISP)/Your Computer IP Address on the BPS System Info page. Or if you want to find the Public IP address of a device (computer) then Google “What’s My IP Address” from that device.
If you have used the IP based Brute Force Login Protection code and you are unable to login to your website then your ISP is changing your entire IP address subnet dynamically and you will not be able to use this code and should instead use the Server Protocol based Brute Force Login Protection code. See the “If you are unable to login to your website after using the IP based Brute Force Login Protection code” help section below if you are unable to login to your site.
Internet Service Providers (ISPs) dynamically change/assign IP addresses either after you reboot your computer or change/reassign a new IP address every 3-7 days. Typically ISPs only change the last 2 octets of an IP address. Example IP address: 100.99.88.77. The first 2 octets: 100.99. will typically remain the same and the last octets will change: 100.99.66.22. Each ISP is different and some actually change the last 3 octets and only keep the 1st octet: 100.77.33.44, 100.88.34.21, but the norm is that the first 2 octets will always remain the same. So if you create an Allow 100.99. rule then when your ISP changes the last 2 octets of your IP address, any IP address starting with 100.99. will still be allowed.
For folks who DO want to allow other folks to be able to login/register to their website
This code below will block/Forbid a large number of automated Brute Force Login attempts based on Server Protocol HTTP/1.0, which is an outdated Server Protocol used by hackers and spammers on older Proxy software or modified Proxy software for various reasons beneficial to those hackers and spammers. This code has a 95%/5% success/fail ratio, meaning that this code works on 95% of websites/Servers and does not work on 5% of websites/Servers. See the IMPORTANT NOTE below.
IMPORTANT NOTE: If you see a 403 error on your login page when trying to login or log out of your website then you cannot use this code on your Server/Website and will need to delete this code to correct the 403 error on login and logout.
# BRUTE FORCE LOGIN PAGE PROTECTION
# Protects the Login page from SpamBots, HackerBots & Proxies
# that use Server Protocol HTTP/1.0 or a blank User Agent
RewriteCond %{REQUEST_URI} ^(/wp-login\.php|.*wp-login\.php.*)$
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
RewriteRule ^(.*)$ - [F,L]
How to add either the IP Address based Brute Force Login Protection Code or the Server Protocol based Brute Force Login Protection Code on your website or both (if you are using the IP Address based code then you do not really need to add the Server Protocol code)
1. Add whichever Brute Force Login Protection Code you want to use in this BPS Root Custom Code text box: CUSTOM CODE BRUTE FORCE LOGIN PAGE PROTECTION: (add/edit the code and add the IP addresses you want to whitelist/allow if you are using the IP based protection code)
2. Click the Save Root Custom Code button
3. BPS Pro 11.9+ & BPS .53.8+: Go to the Security Modes page and click the Root Folder BulletProof Mode Activate button.
3. Older BPS versions: Go to the Security Modes page, click the Create secure.htaccess File AutoMagic button and activate Root Folder BulletProof Mode again.

To reverse the process (remove/delete the Brute Force Login Protection Code from your root .htaccess file)
1. Delete whichever Brute Force Login Protection Code you added to this BPS Root Custom Code text box: CUSTOM CODE BRUTE FORCE LOGIN PAGE PROTECTION:
2. Click the Save Root Custom Code button
3. BPS Pro 11.9+ & BPS .53.8+: Go to the Security Modes page and click the Root Folder BulletProof Mode Activate button.
3. Older BPS versions: Go to the Security Modes page, click the Create secure.htaccess File AutoMagic button and activate Root Folder BulletProof Mode again.

Troubleshooting Issues/Problems
Problem: Unable to login to your website after using the IP based Brute Force Login Protection code
Solution: FTP to your website or use your web host control panel File Manager and download your root .htaccess file and edit it in Notepad or Notepad++ (do NOT edit .htaccess files with Word or WordPad – they will corrupt the .htaccess file). Replace the IP based Brute Force Login Protection code with the Server Protocol based Brute Force Login Protection code and upload your root .htaccess file back to your website. Or you can use your Web Host Control Panel/cPanel File Manager to edit your root .htaccess file instead of downloading it.

CloudFlare, Proxy, CDN, VPN Brute Force Login Protection
As of BPS .49.3 and BPS Pro 7.5 the System Info page will display X-Forwarded-For IP addresses:
If you are using CloudFlare on your website then you will see Proxy X-Forwarded-For IP Address: instead of Public ISP IP / Your Computer IP Address: displayed to you. This additional check is for troubleshooting issues with CloudFlare, CDN, Proxy or VPN.

WordPress Forum Topic: http://wordpress.org/support/topic/whitelisting-ips-leads-to-403-errors-on-logout?replies=21
CloudFlare uses a Proxy so you will need to whitelist the X-Forwarded-For client IP address assigned by CloudFlare.
Wiki info on X-Forwarded-For: http://en.wikipedia.org/wiki/X-Forwarded-For

The general format of the field is:
X-Forwarded-For: client, proxy1, proxy2

If I understand the information in the Wiki link above correctly, as long as you are using the “client” IP address then that is the only one that should be whitelisted. The 2nd and 3rd (proxy) IP addresses should not be whitelisted, but this may or may not be true – pending testing.
Notes:
You can use SetEnvIf X-FORWARDED-FOR inside or outside of the FilesMatch section of code. You would want to use Order Allow,Deny and NOT Order Deny,Allow.
http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#order

Allow,Deny
First, all Allow directives are evaluated. At least one must match, or the request is rejected.
Next, all Deny directives are evaluated. If any matches, the request is rejected.
Last, any requests which do not match an Allow or a Deny directive are denied by default.

Deny,Allow
First, all Deny directives are evaluated. If any match, the request is denied unless it also matches an Allow directive. Any requests which do not match any Allow or Deny directives are permitted.

SetEnvIf X-FORWARDED-FOR "^xxx\.xxx\.xxx\.xxx$" whitelist
SetEnvIf X-FORWARDED-FOR "^xxx\.xxx\.xxx\.xxx$" whitelist
SetEnvIf X-FORWARDED-FOR "^xxx\.xxx\.xxx\.xxx$" whitelist
<FilesMatch "^(wp-login\.php)">
Order Allow,Deny
Allow from env=whitelist
# Add additional IP Addresses if necessary or delete these lines of code if not needed/used
Allow from xxx.xxx.xxx.xxx
Allow from xxx.xxx.xxx.xxx
</FilesMatch>
Extra/Additional Stuff/Information/etc
And yes you can do a combination of both IP based and Server Protocol based blocking. This code means this: If the login page is requested/accessed and the Server Protocol is HTTP 1.0 or the IP address is not your IP address then Forbid access to the Login page.
***This code is ONLY for folks who do not want anyone else to be able to login or register to their websites.
# Protect wp-login.php from Brute Force Login Attacks based on Server Protocol or IP
# All legitimate humans and bots should be using Server Protocol HTTP/1.1
RewriteCond %{REQUEST_URI} ^/wp-login\.php$
RewriteCond %{THE_REQUEST} HTTP/1\.0 [OR]
# Your IP address prefix (first 3 octets). No trailing $ here: with a $ the
# pattern could only match an address that ends after the third dot, so every
# visitor, including you, would be Forbidden.
RewriteCond %{REMOTE_ADDR} !^xxx\.xxx\.xxx\.
RewriteRule ^(.*)$ - [F,L]
Another method to allow your Login page to be only accessible to you…
…would be to add this function to your Theme’s functions.php file. In this example you would need to enter: http://www.example.com/wp-login.php?mySecretString=foobar to gain access to your login page. You would of course change “mySecretString=foobar” to whatever you want for your secret Query String.
// Simple Query String Login page protection
function example_simple_query_string_protection_for_login_page() {
    $QS = '?mySecretString=foobar';
    // Host names that may reach this login page (bare and www forms of the example domain)
    $allowed_hosts = array( 'example.com', 'www.example.com' );
    // Validate the Host header before it is used to build any URL
    if ( ! isset( $_SERVER['HTTP_HOST'] ) || ! in_array( $_SERVER['HTTP_HOST'], $allowed_hosts ) ) {
        header( $_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request' );
        exit;
    }
    $query      = isset( $_SERVER['QUERY_STRING'] ) ? $_SERVER['QUERY_STRING'] : '';
    // Assumes the site is served over http so that site_url() returns the same scheme
    $theRequest = 'http://' . $_SERVER['HTTP_HOST'] . '/wp-login.php?' . $query;
    if ( site_url( '/wp-login.php' . $QS ) == $theRequest ) {
        echo 'Query string matches';
    } else {
        // Wrong or missing secret: send the visitor to the home page and stop rendering the login page
        header( 'Location: http://' . $_SERVER['HTTP_HOST'] . '/' );
        exit;
    }
}
add_action( 'login_head', 'example_simple_query_string_protection_for_login_page' );
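As an added illustration (not part of this post and not BPS code), the Python below models the access decision that the IP based FilesMatch code and the X-Forwarded-For whitelist above make, following the mod_authz_host Order semantics quoted in the notes: partial-octet Allow from prefixes, Order Allow,Deny versus Deny,Allow, and the client entry of X-Forwarded-For. The prefix, the whitelisted address and the request records are constructed values. It goes slightly beyond the SetEnvIf lines above, whose anchored regex only matches when the header holds a single address: it takes the first entry of a comma-separated header, so it also covers the client, proxy1, proxy2 form.

```python
from typing import Iterable, Mapping, Optional


def ip_matches(pattern: str, ip: str) -> bool:
    """'Allow from' / 'Deny from' partial-address semantics: a pattern of 1-3
    octets ("65.100." or "65.100.50.") matches every address beginning with
    those octets; a 4-octet pattern matches only that one address."""
    wanted = [o for o in pattern.strip().split(".") if o]
    have = ip.strip().split(".")
    if not 1 <= len(wanted) <= 4 or len(have) != 4:
        return False
    return have[: len(wanted)] == wanted


def access_decision(order: str, allows: Iterable[str], denies: Iterable[str], ip: str) -> bool:
    """Evaluate an Order directive as the mod_authz_host documentation quoted
    in the notes describes it. Returns True when the request is permitted."""
    allowed = any(ip_matches(p, ip) for p in allows)
    denied = any(ip_matches(p, ip) for p in denies)
    if order == "Allow,Deny":
        # At least one Allow must match, then no Deny may match; anything
        # matching neither directive is denied by default.
        return allowed and not denied
    if order == "Deny,Allow":
        # A matching Deny rejects unless an Allow also matches; anything
        # matching neither directive is permitted by default.
        return allowed or not denied
    raise ValueError("Order must be 'Allow,Deny' or 'Deny,Allow'")


def xff_client_ip(header: Optional[str]) -> Optional[str]:
    """'X-Forwarded-For: client, proxy1, proxy2': only the first entry is the
    client address; the proxy hops after it must not be whitelisted."""
    if not header:
        return None
    return header.split(",")[0].strip() or None


# Assumed configuration (constructed values). ALLOW_PREFIXES stands in for the
# 'Allow from 65.100.50.' line; XFF_WHITELIST stands in for the
# 'SetEnvIf X-FORWARDED-FOR ... whitelist' lines.
ALLOW_PREFIXES = ["65.100.50."]
XFF_WHITELIST = ["198.51.100.7"]


def wp_login_permitted(request: Mapping[str, Optional[str]]) -> bool:
    """Decision for a request to wp-login.php under the FilesMatch block:
    Order Allow,Deny / Allow from <prefix> / Allow from env=whitelist."""
    # SetEnvIf sets the 'whitelist' variable when the forwarded client address
    # is one of ours; 'Allow from env=whitelist' then counts as a matching
    # Allow, and with no Deny directives the request is permitted.
    if xff_client_ip(request.get("HTTP_X_FORWARDED_FOR")) in XFF_WHITELIST:
        return True
    return access_decision("Allow,Deny", ALLOW_PREFIXES, [], request.get("REMOTE_ADDR") or "")


if __name__ == "__main__":
    samples = [
        {"REMOTE_ADDR": "65.100.50.23"},                          # your own subnet
        {"REMOTE_ADDR": "65.100.51.23"},                          # neighbouring subnet
        {"REMOTE_ADDR": "203.0.113.5",                            # CloudFlare edge (constructed)
         "HTTP_X_FORWARDED_FOR": "198.51.100.7"},                 # your address as the client
        {"REMOTE_ADDR": "203.0.113.5",
         "HTTP_X_FORWARDED_FOR": "203.0.113.9, 198.51.100.7"},    # your address only as a proxy hop
    ]
    for req in samples:
        print(req, "->", "200" if wp_login_permitted(req) else "403")
```

Running the file prints one line per constructed request; the last sample shows why only the client entry is whitelisted, and `access_decision("Deny,Allow", ...)` with no Deny lines permits every address, which is the reason the notes insist on Order Allow,Deny.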
AITpro Admin (Keymaster):

Testing Parameters:
Socket to spoof Google IP and Hostname
cURL to spoof Google User Agent/Bot and Referer and force HTTP/1.0 Server Protocol
Result: 403 Forbidden/GET displays BPS 403.php Forbidden template

>>>>>>>>>>> 403 GET or Other Request Error Logged - June 17, 2013 - 1:58 pm <<<<<<<<<<<
REMOTE_ADDR: 66.249.66.1
Host Name: crawl-66-249-66-1.fakegooglebot.com
SERVER_PROTOCOL: HTTP/1.0
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http: //www.fake-referer-domain.com/
REQUEST_URI: /wp-login.php
QUERY_STRING:
HTTP_USER_AGENT: FakeGooglebot/2.1 (+http://www.googlebot.com/bot.html)
Young Master (Participant):

Is this .htaccess code necessary if you are using the Login Security feature? Doesn’t Login Security protect from login brute force attacks?
AITpro Admin (Keymaster):

No, this code is not necessary unless you want to block cURL attack methods that use GET. All login processing uses POST.
Yes, Login Security does have Brute Force Login protection.
Several people have asked this general question since Brute Force attacks are still occurring worldwide intermittently so I created this post for them and so I do not have to keep answering the same question over and over again.

AITpro Admin (Keymaster):

I guess I should also explain what the difference is between GET and POST in regards to automated Brute Force hacking scripts. Automated Brute Force hacking scripts typically use cURL to GET your login page and then the script will start executing POST Brute Force password cracking. So if GET is blocked based on the HTTP/1.0 Server Protocol then the cURL GET is blocked/Forbidden before POST ever comes into play. In other words, this allows someone to prevent the first part (probe, recon, etc) of the automated Brute Force hacking method from even getting to the WordPress login page.
AITpro Admin (Keymaster):

And someone is bound to ask this question sooner or later. How to block automated comment spambots.
# Protect wp-login.php from Brute Force Login Attacks based on Server Protocol
# Block automated comment spambots using Server Protocol HTTP/1.0
# All legitimate humans and bots should be using Server Protocol HTTP/1.1
RewriteCond %{REQUEST_URI} ^(/wp-login\.php|/wp-comments-post\.php)$
RewriteCond %{THE_REQUEST} HTTP/1\.0
RewriteRule ^(.*)$ - [F,L]
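Added example, not BPS code and not part of this post: a small Python classifier that parses records in the format of the BPS 403 log posted earlier in this thread and applies the RewriteCond logic of the Server Protocol code (the wp-login.php and wp-comments-post.php URI set from this post, together with the blank User Agent and HTTP/1.0 conditions from the first post), so you can check which logged requests that code would have answered with a 403. The log records are constructed, and two of them are deliberately ones the rule does not match.

```python
import re
from typing import Dict, List

# Patterns lifted from the RewriteCond lines in this thread.
URI_RE = re.compile(r"^(/wp-login\.php|/wp-comments-post\.php)$")
BLANK_UA_RE = re.compile(r"^$")
HTTP10_RE = re.compile(r"HTTP/1\.0$")

# A BPS 403 log record starts with a '>>>>> ... <<<<<' banner line.
BANNER_RE = re.compile(r"^>{5,}.*<{5,}$")

# Constructed records in the format of the BPS 403 log (not real traffic).
SAMPLE_LOG = """\
>>>>>>>>>>> 403 GET or Other Request Error Logged - constructed record 1 <<<<<<<<<<<
REMOTE_ADDR: 66.249.66.1
Host Name: crawl-66-249-66-1.fakegooglebot.com
SERVER_PROTOCOL: HTTP/1.0
REQUEST_METHOD: GET
HTTP_REFERER: http://www.fake-referer-domain.com/
REQUEST_URI: /wp-login.php
QUERY_STRING:
HTTP_USER_AGENT: FakeGooglebot/2.1 (+http://www.googlebot.com/bot.html)
>>>>>>>>>>> 403 GET or Other Request Error Logged - constructed record 2 <<<<<<<<<<<
REMOTE_ADDR: 198.51.100.7
SERVER_PROTOCOL: HTTP/1.1
REQUEST_METHOD: GET
REQUEST_URI: /wp-login.php
HTTP_USER_AGENT: Mozilla/5.0 (constructed browser UA)
>>>>>>>>>>> 403 GET or Other Request Error Logged - constructed record 3 <<<<<<<<<<<
REMOTE_ADDR: 203.0.113.42
SERVER_PROTOCOL: HTTP/1.1
REQUEST_METHOD: POST
REQUEST_URI: /wp-comments-post.php
HTTP_USER_AGENT:
>>>>>>>>>>> 403 GET or Other Request Error Logged - constructed record 4 <<<<<<<<<<<
REMOTE_ADDR: 203.0.113.42
SERVER_PROTOCOL: HTTP/1.0
REQUEST_METHOD: GET
REQUEST_URI: /
HTTP_USER_AGENT:
"""


def parse_bps_log(text: str) -> List[Dict[str, str]]:
    """Split a BPS 403 log into records; each 'KEY: value' line becomes a
    field. Empty values (e.g. 'HTTP_USER_AGENT:') are kept as ''."""
    records: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if BANNER_RE.match(line):
            current = {"_banner": line}
            records.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return records


def rewrite_rule_forbids(rec: Dict[str, str]) -> bool:
    """True when 'RewriteRule ^(.*)$ - [F,L]' would fire for this record:
    the URI must match AND (the User Agent is blank OR the protocol is HTTP/1.0)."""
    if not URI_RE.match(rec.get("REQUEST_URI", "")):
        return False
    ua_blank = BLANK_UA_RE.match(rec.get("HTTP_USER_AGENT", "")) is not None
    http10 = HTTP10_RE.search(rec.get("SERVER_PROTOCOL", "")) is not None
    return ua_blank or http10


def forbidden_by_source(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Count the requests the rule would have Forbidden, per REMOTE_ADDR."""
    counts: Dict[str, int] = {}
    for rec in records:
        if rewrite_rule_forbids(rec):
            ip = rec.get("REMOTE_ADDR", "?")
            counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_bps_log(SAMPLE_LOG)
    for rec in recs:
        verdict = "403" if rewrite_rule_forbids(rec) else "pass"
        print(verdict, rec.get("REMOTE_ADDR"), rec.get("SERVER_PROTOCOL"), rec.get("REQUEST_URI"))
    print(forbidden_by_source(recs))
```

Record 2 (an HTTP/1.1 browser) and record 4 (HTTP/1.0, but to the home page) pass, which is the point of the `REQUEST_URI` condition: the rule only touches the login and comment-post scripts, not the rest of the site.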
b-cat (Participant):

This is great info! Thank you! I have one question about this below…
Since I’ve turned off Login Security due to a conflict with SI CAPTCHA, I’ve followed your steps above to “block/Forbid around 98% of automated Brute Force Login hacking attempts…” and I did this by adding the code below to the “CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE:”
# Protect wp-login.php from Brute Force Login Attacks based on Server Protocol
# All legitimate humans and bots should be using Server Protocol HTTP/1.1
RewriteCond %{REQUEST_URI} ^/wp-login\.php$
RewriteCond %{THE_REQUEST} HTTP/1\.0
RewriteRule ^(.*)$ - [F,L]
After adding that custom code, I clicked the Save Root Custom Code button, then went to the Security Modes tab and activated Root Folder BulletProof Mode again. I also re-activated the wp-admin Folder .htaccess security mode again, since the Security Modes page asked me to.
Now the Question:
How can I confirm that the custom code above has been added and that it is active? And where is it now located? Will I find this code by reading the root directory .htaccess file directly? (I tried that and couldn’t find the code in that document, but maybe the code ends up looking different after it is automagically added to the .htaccess file…?)

I’m suspicious that the code did not get inserted because when I re-open the add Custom Code button and scroll down to the “CUSTOM CODE BOTTOM HOTLINKING/FORBID…” section, I see the code I pasted on the LEFT text field, but I don’t see it showing up on the RIGHT side display, which seems to be reading directly from the target .htaccess file.
AITpro Admin (Keymaster):

The right side highlighted in yellow is just a basic example of what should go in the text box on the left and not an echo of your actual code. Go to the htaccess File Editor page, click on the Your Current Root htaccess File tab, scroll down to the bottom of your root .htaccess file and you should see the code.
AITpro Admin (Keymaster):

Status update:
There is no sign of the Brute Force Login attacks letting up. This is what we are logging on our websites using the Brute Force Login protection .htaccess code above.
1,000 Brute Force Login attacks blocked per day per website.
10 sites total
1,000 x 10 websites = 10,000 Brute Force Login attacks blocked per day.
10,000 x 7 days = 70,000 Brute Force Login attacks blocked per week.
70,000 x 4 weeks = 280,000 Brute Force Login attacks blocked per month.

Mike Harrison (Participant):

I’d like to implement this code. But, before I do, which .htaccess file will this be written in? I ask because I want to first make a backup of whatever file is going to be changed so that if a mistake is made, I can revert to the earlier version.
Or, what procedure would you recommend?
Thanks!

AITpro Admin (Keymaster):

If you have BPS or BPS Pro installed, this custom .htaccess code goes in the CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE text box. After adding this custom code click the Save Root Custom Code button, go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.
To reverse the process (remove/delete the code from your root .htaccess file) you would delete the code from the CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE text box, click the Save Root Custom Code button, go to the BPS Security Modes page and click the Root Folder BulletProof Mode Deactivate button.
bill (Participant):

Hello. In brief, I had two (2) of my sites attacked this morning via this method… thankfully, BPS Pro foiled the login attempts. That said, I’m about to enter the code you’ve graciously provided above in the noted area, but I had a question regarding the IP address(es) reported when I received my email alert. In addition to adding the code above, how do I block the IP Address of the culprit(s) and would you even deem it necessary to do so? Thanks. And, Happy 4th of July.
bill (Participant):

After I included this code below as you instructed…

# Protect wp-login.php from Brute Force Login Attacks
<FilesMatch "^(wp-login\.php)">
Order Allow,Deny
# Add your website domain name
Allow from mysiteaddress.com
# Add your website/Server IP Address
Allow from 69.200.95.1
# Add your Public IP Address using 2 or 3 octets so that if/when
# your IP address changes it will still be in your subnet range. If you
# have a static IP address then use all 4 octets.
# Examples: 2 octets: 65.100.  3 octets: 65.100.50.  4 octets: 65.100.50.1
Allow from 65.100.50.
</FilesMatch>
Note: the bold areas in the code were changed to reflect my actual information.
I checked my .htaccess file (via file/upload/edit tab and ftp) and it was viewable in both areas (at the very bottom of the .htaccess file). My question is: when I checked to see if it was working or if it would prevent me from accessing my website’s login page (example: mysiteaddress.com/wp-login.php) from my mobile (iphone/sprint; not sure this matters), it did not prevent me from viewing the page/attempting to log in multiple times (well above the two permitted). Note: When I type gibberish into both fields, it seems I can go on forever. However, when I type in the correct username and wrong password, it locks me out. This is for my mobile and computer. Am I misreading the intended functionality? Please advise.
AITpro Admin (Keymaster):

Something must not be set up correctly, unless all of your devices use the same IP address subnet. Doubt that seriously, but do not know that for sure. Double check that you have done everything correctly.
You can also test by using a free Online Proxy Server like HideMyAss.com to test with. You should be able to see your main URL, but you will not be able to see the /wp-login.php page. Try to view this test website’s Login page that is using the Block Brute Force Login code: http://www.ait-pro.com/verum/wp-login.php. You should see a 403 Error.
bill (Participant):

Yes, I got the 403 error page for the sample link you provided. Can I email you a screenshot of the code in my .htaccess?