We are getting brute-force attacked on our sites and I am afraid to ban the IPs, as they may be rotating IPs or legitimate users at some point in their life span.
I would like to block all unknown bots from accessing my site. Specifically my /wp-login.php file.
I have spent hours trying to find the code to do this. I am open to suggestions, of course. But is there any way to ban the unknown bots but not ban Google and such?
I have captcha setup on my login form and limiting login attempts to 3 fails then lockout for 36 hours then 2 more fails and lockout for 96 hours. This however is not slowing down the attacks and they seem to have an endless pool of IP’s to choose from.
What I ended up doing on top of generally tightening WP security is locking access to wp-login.php and wp-admin folder.
A very easy and quick setup guide for the wp-login.php file is here: http://support.hostgator.com/articles/specialized-help/technical/wordpress/wordpress-login-brute-force-attack
Locking a folder can be done easily in any cPanel or Plesk.
4 Answers
I don’t think you can block a bot from accessing your site, as a bot can mimic any legitimate HTTP traffic.
Instead, you should focus on blocking bad behavior on your site.
You mention they’re trying to brute force attack your site. What does this mean? Are they flooding your site with so much traffic, it slows down your servers? If so, perhaps throttle a single IP to a certain number of requests per second. If one IP, for example, sends 100 requests a second to your service, block them for 30 seconds.
Is this bot trying to guess passwords? If so, track bad password attempts and prevent another attempt for five seconds. Or, use something like CAPTCHAs to slow down automated password change attempts, or suspicious logons.
A lot of these strategies can be implemented with routers, third party libraries and, if you’re using WordPress, WordPress plugins.
Hope this helps!
I’m using the following trick at my WordPress website:
It will return “Page not Found” if somebody tries to access the login page. When I need to access the login page myself, I simply comment out the last line in my .htaccess file.
The .htaccess file is located in my root web folder.
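One way to implement the "Page not Found" trick the answer above describes, written here as an added example rather than the answerer's own .htaccess: the rules go in the .htaccess in the web root, above the `# BEGIN WordPress` block so WordPress does not overwrite them. The address 203.0.113.10 is a placeholder for your own static IP; if you have no fixed address, drop the RewriteCond lines and comment out the RewriteRule when you need to log in, exactly as the answer does.

```apache
# Added example, not the answerer's file. Goes in the site-root .htaccess,
# above the "# BEGIN WordPress" block. Needs mod_rewrite, which WordPress
# permalinks already require.
RewriteEngine On

# Let your own address through. 203.0.113.10 is a placeholder from the
# documentation range; replace it with your real static IP, or remove the
# RewriteCond line and toggle the RewriteRule by commenting it out instead.
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
# "-" keeps the URL unchanged; R=404 answers with Not Found for every method,
# so the POST requests a brute forcer sends never reach PHP or the database.
RewriteRule ^wp-login\.php$ - [R=404,L]

# xmlrpc.php also accepts a username and password, so a rule on wp-login.php
# alone leaves a second login endpoint open. If nothing of yours uses XML-RPC
# (Jetpack, the mobile apps), close it the same way.
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteRule ^xmlrpc\.php$ - [R=404,L]
```

Because the request is refused by Apache before WordPress loads, the login-attempt lockouts from the question stop firing and the attack costs the server almost nothing. The trade-off is that every other account on the site (editors, authors) loses the login, logout and password-reset pages too, so this suits a site with a single administrator or one where all staff share a fixed address. Check `tail -f` on the access log after saving: legitimate requests from your address should still show 200 for wp-login.php while everyone else gets 404.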
You can block access to the wp-admin directory using an htpasswd file. Generate an htpasswd file using this tool. Then create a new htaccess file in the wp-admin directory with these contents:
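The wp-admin/.htaccess the answer refers to, as an added example for Apache 2.4 (not the answerer's file). It assumes the password file was created outside the document root with `htpasswd -c -B /home/example/.htpasswd adminuser`; the path and user name are placeholders. Keeping the file outside the web root means a misconfiguration can never serve it.

```apache
# Added example, not the answerer's file. Save as wp-admin/.htaccess (Apache 2.4).
# Password file created with:  htpasswd -c -B /home/example/.htpasswd adminuser
# (-B selects bcrypt; path and user name are placeholders).
AuthType Basic
AuthName "WordPress administration"
AuthUserFile /home/example/.htpasswd
Require valid-user

# Themes and plugins call admin-ajax.php on behalf of anonymous visitors
# (search, contact forms, carts); without this exception those features
# start prompting for a password. With the default AuthMerging Off the
# Require inside this section replaces the outer "Require valid-user".
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Two things to check after enabling it. First, Basic authentication only Base64-encodes the credentials, so the site must be served over HTTPS or the extra password travels in clear text; use a password that is not the WordPress one, so that the two layers fail independently. Second, wp-login.php sits outside wp-admin, so this protects the dashboard but does not stop the password guessing the question describes; pair it with a rule on wp-login.php itself. On Apache 2.2 the exception is written as `Order allow,deny`, `Allow from all` and `Satisfy any` inside the same `<Files>` block.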
Yesterday I tested Hide My Wp from Theme Forest and was very impressed with what it can do. It might just be what you’re looking for. Check it out at: http://codecanyon.net/item/hide-my-wp-no-one-can-know-you-use-wordpress/4177158