Results 1 to 8 of 8

Thread: [How To] Restrict access to WordPress admin areas (wp-login.php)

  1. #1
    David I is offline Newbie
    Join Date
    Jun 2010
    Posts
    1,245

    Default [How To] Restrict access to WordPress admin areas (wp-login.php)

    The Problem:
    You cannot access your WordPress admin. This is due to an error which says something like:

    "Not acceptable. Access to wp-login.php has been limited due to Brute Force Attack."

    The Reason:
    Recently GlowHost and other hosts across the globe have experienced (and have been experiencing for a long time now) a massive attack targeted at WordPress sites. Specifically, the attack was directed on WordPress sites admin login area. You can read more about this epidemic, here:
    Brute Force Attacks WordPress Codex

    We've been fairly lucky to have been able to avoid these problems for so long, but the number of attack attempts has become so large that it has started to affect server performance, and we have had to take some measures to improve server performance as below...

    GlowHost Action:
    In order to reduce the load on the servers and stop the attack, we were required to block access to the wp-login.php file for all sites which use WordPress. This is the file which normally allows you to login to your WordPress admin area.

    What to do Next:
    The good news is that you can easily enable wp-login.php for your local IP. This will allow you to gain access to your WP Admin, without allowing the bad guys in. The ideas in this thread are also good for any other scripts that you may have.

    The following recommendations will work best if you have a static IP address from your Internet Service Provider, but if you have a dynamic IP, it will work just as well. You may also accomplish the same end-goal by signing up for a dynamic DNS service.

    Finally, there is the option of using password protection if whitelisting dynamic IPs and static IPs are not something that you want to do. That option is called htpasswd (which is essentially just using cPanel's built-in password protected directories option) and you can do it simply by using your control panel to create the password protection for you. However, you may need to modify .htaccess manually to remove the deny and allow rules from the template that you see below which may already be installed on your sites.

    Novice users should choose 1 of the following 4 options. If you are an advanced user, you may wish to use a combination of password protection along with allowing only your local IPs.

    Option #1: Get a static IP if you do not have one already, then modify your .htaccess file as needed.

    GlowHost recommends usages of a static IP from your ISP (when possible) for all web site owners, due to the growing number of security risks that emerge every day. Static IP addresses can usually be obtained by your ISP for a nominal fee. A static IP can save you a lot of time, and allows you to block the entire Internet from gaining access to (or even viewing) your sensitive admin areas, or other private areas of your site. When you have a static IP, you are able to configure your web site to allow "only you" access, or allow access to only "your team." You should never have to change the settings on your server, once you have configured a basic set of rules assuming everyone who needs access has a static IP.

    Option #2: Use your current dynamic IP address and modify your .htaccess file as needed every time your IP address changes.

    If you have a dynamic IP address, like most Internet users, it just means that every time you login to WordPress admin, you will need to modify the allowed IP in your .htaccess file. The benefit of a static IP is that you do not have to change the allowed IP in your .htaccess file, since your local IP never changes.

    We'll get into this more as you read along, but you will notice that not having to change your allowed IP every time you wish to make a change on your WordPress site or other scripts, might be worth the price of a static IP.

    Please note, a static IP (from your ISP) is not the same as a dedicated IP (on your server from GlowHost). If you have questions about the differences, please feel free to post in this thread, or make a new thread. New posts and threads are great, and much appreciated!

    If a static IP from your ISP is cost prohibitive, as the sometimes are with USA based mobile/cellular carriers, you may also consider a Dynamic DNS service. Static IPs from a DSL service may only run a couple of dollars per month.

    Option #3: Use a Dynamic DNS Service.

    Dynamic DNS services map a domain name to your local IP address, even if it is a dynamic IP. The means even if your local IP changes, the domain name that is mapped to your computer will always resolve to your computer, no matter what the current IP address is. It works the same way as a static IP address in most cases, but is not always as convenient. This is a good option if static IP addresses are too expensive for your needs.

    As an example of such service we can suggest you NoIP.

    In case Web Server doesn't support hostname lookup, you can use the following php script which updates .htaccess file:

    Code:
    <?php
    //Don't forget to update the path to htaccess and hostname and username
    $htaccessFile = "/home/usernam/public_html/.htaccess";
    $handle = fopen($htaccessFile, "r");
    if ($handle) {
        $previous_line = $content = '';
        while (!feof($handle)) {
            $current_line = fgets($handle);
            if(stripos($previous_line,'# Allow from person.getmyip.com') !== FALSE)
            {
                $output = shell_exec('host MY-HOSTNAME.dynamic-dns.com');
                if(preg_match('#([0-9]{1,3}\.){3}[0-9]{1,3}#',$output,$matches))
                {
                    $content .= 'Allow from '.$matches[0]."\n";
                }
            }else{
                $content .= $current_line;
            }
            $previous_line = $current_line;
        }
        fclose($handle);
        $tempFile = tempnam('/tmp','allow_');
        $fp = fopen($tempFile, 'w');
        fwrite($fp, $content);
        fclose($fp);
        rename($tempFile,$htaccessFile);
        chown($htaccessFile,'username');
        chmod($htaccessFile,'0644');
    }
    ?>
    And add this script to cron:
    Code:
    */5 * * * * /usr/local/bin/php /home/user/public_html/allow_person.php >/dev/null 2>&1
    Option #4: Use password protection.

    To use password protection, you'll want to first add the password protection to your wp-admin area using the Password Protected Directories option in your cPanel. Once you have enabled password protection, if you have already set any rules in .htaccess to deny or allow IP addresses or dynamic DNS services. you can now consider if you want to additional protection from these deny rules, or if you want to solely rely on password protection.

    Once you have categorized yourself, here is what to do:

    Options 1-3 work the same way with .htaccess.

    Assuming you currently have a static IP or dynamic IP, all that you need is to find your IP ( What is My IP? ) and edit the .htaccess file in the folder where you have installed WordPress. If this file does not exist, then you may need to create it.

    If you do not know how to modify .htaccess, there is a link at the bottom of this post which will explain more.

    Here is the code which you need to insert into your .htaccess file:
    Code:
    <Files wp-login.php>
    Order Deny,Allow
    Deny from All
    Allow from xx.xx.xx.xx
    </Files>
    xx.xx.xx.xx is your IP address that you found at the link above.

    If you use dynamic DNS, please put your domain name that was assigned to you from your Dynamic DNS service provider here, instead of any IP addresses.

    Please post here or create a ticket if you have any difficulties.

    Related:
    How to edit .htaccess

    This thread is a recent work in progress, We apologize for any lack of information at this time. Please check back in a the next day or so, it should be complete by then.

    Option #5: Renaming wp-login.php
    All you need is to rename wp-login.php to something unique, for example, to protect-enter.php. You will also need to replace "wp-login.php" entries in your scripts to reflect your new login file name.

    Here is the instruction:
    1. Open wp-login.php file in file editor;
    2. Replace all entries in your script from wp-login.php to your new name (for example, to protect-enter.php);
    3. Rename file on the server to your new name (for example, to protect-enter.php);
    4. Open the new script via your browser (for exampel, http://domain.com/protect-enter.php).

    That's all, now bots don't know where is your login file.
    Last edited by AndrewGlow; 09-12-2015 at 04:36 AM.

  2. #2
    GDufresne is offline Nearly a Glow Sage
    Join Date
    Dec 2013
    Posts
    18

    Default

    My question is this:
    Is this restricted IP access to wp-login.php going to be the new standard with GlowHost? . . . or is it simply a temporary response to the latest round of brute force attacks?

    I absolutely appreciate GlowHost's vigilance when it come to protecting our sites, but permanently restricting access to wp-login.php is not something I'd like.

  3. #3
    Matt's Avatar
    Matt is offline GlowHost Administrator
    Join Date
    Jan 2005
    Location
    Behind your monitor
    Posts
    5,325

    Default

    Quote Originally Posted by GDufresne View Post
    My question is this:
    Is this restricted IP access to wp-login.php going to be the new standard with GlowHost? . . . or is it simply a temporary response to the latest round of brute force attacks?

    I absolutely appreciate GlowHost's vigilance when it come to protecting our sites, but permanently restricting access to wp-login.php is not something I'd like.
    Hello GDufresne, welcome to our forums.

    We are not sure at this time if this is going to be the standard, but it may certainly become the standard if WordPress or Softaculous (or both) do not devise a solution to the problem with this software. It would be better if their software allowed the user to specify a different file or location for the admin area other than wp-login.php since this is the file the robots have been programmed to attack.

    Here is one such plugin that can possibly help:
    http://wordpress.org/plugins/rename-wp-login/

    It would also be good if their software allows the person installing it to password protect their wp-admin folder using Apache's htpasswd feature. htpasswd is simply what cPanel calls Password Protected Directories and all it does is enable this functionality in .htaccess to password protect certain areas of your site as you see fit.

    This method may actually be better because when these robots fail to login a set number of times, they will be automatically added to the server's blacklists in the firewall. This means if all users are using this method, there are lots of sites contributing to build the firewall rules against known bad robots.

    The reason this is not the default cure for the problem at this time, is because we don't have a way of doing this each time someone decides to install WordPress on their account using Softaculous auto-installer in cPanel, or if they do it by hand.
    Last edited by Matt; 01-19-2014 at 05:22 AM.
    Send your friends and site visitors to GlowHost and get $125 plus bonus!
    GlowHost Affiliate Program | Read our Blog | GlowHost's Facebook | Follow us on Twitter | GlowHost on Google+

  4. #4
    GDufresne is offline Nearly a Glow Sage
    Join Date
    Dec 2013
    Posts
    18

    Default

    Softaculous as the option to install "Limit log in Attempts" which if set up properly does a great job of locking out attacks. It can be set to lock them out for months I believe. While it logs the IP, I don't think it ads them to any sort of global database. The problem with adding them is that if a user simply forgets their password and keeps trying, they would be universally banned.

    THe solution would have to be that only IP's that attempt to get into a variety of sites would be added to the list.

    I've been using "Rename WP Login" for several days and it is both very easy to use and effective. I like the fact that if one forgets the new login URL the plugin can be removed via the cPanel or FTP and the site goes back to the default.

    The problem I've experienced is that disabling the wp-login.php seems to mess with some of the backup systems I use. I'm looking into this more deeply because it may have to do with the restrictions that GlowHost has applied and not the Rename plugin. I have some sites on other hosts I'm going to test it with.

  5. #5
    David I is offline Newbie
    Join Date
    Jun 2010
    Posts
    1,245

    Default

    Hello GDufresne,

    Unfortunately, not all install Wordpress from Softaculous especially with "Limit log in Attempts" feature.

    Latest news: the attack is gone and we removed the block.

  6. #6
    dadiehost is offline Newbie
    Join Date
    Apr 2014
    Posts
    5

    Default

    Thanks for the info.

  7. #7
    GDufresne is offline Nearly a Glow Sage
    Join Date
    Dec 2013
    Posts
    18

    Default

    I'll just chime in here: I've been using the "Rename WP Login" for about 3 months now on about 20 sites. Stops the brute force attacks cold. Once, out of hundreds, if not thousands, of "brute force" attempts they somehow found my renamed login page. In that case, the Limit login Attempts plugin blocked them out.

    Of course the first line of defense to to never have a user account in WordPress named "Admin" or "admin" and have a strong password.


  8. #8
    nomanali is offline Banned
    Join Date
    Aug 2015
    Posts
    40

    Default

    Yes GDufresne i agree with your statement that the first line of defense is to never have a user account in Wordpress named as "Admin"or "admin" and have strong password. Because hackers can easily break these kind of login passwords and leave you with nothing. And this thread is very informative indeed!

Similar Threads

  1. Referencing a PHP Class inside a PHP Include
    By rickpugh in forum Programming Talk
    Replies: 1
    Last Post: 01-22-2006, 08:30 AM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16