Subject: Wordpress Joomla Brute Force Attack wp-login.php administrator
The following message was sent by our staff regarding the above subject:
Has your site been targeted by a specific IP or by various IPs? Have you noticed that they are targeting a specific file? For the most part, the targets are credential-related, such as login pages, and these attacks can be avoided.
Excessive requests to one specific file can overload the server, leaving your site offline indefinitely while the server is rebooted and, potentially, administrative action is taken to stabilize it.
We suggest adding these lines to your existing .htaccess file or creating an .htaccess file. In this example we are using the file associated with WordPress and its login page. This code can be modified for any file that may be at risk of being targeted.
Please try the following code (which will have to be modified) and/or consult WordPress Support for further help:
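<FilesMatch "^(wp-login|xmlrpc)\.php$">
# With "Order Allow,Deny", any IP not matched by an Allow line is denied
Order Allow,Deny
# (replace with YOUR IP)
Allow from 123.123.123.123
# additional Allow lines can be added for access from multiple IPs
# leave the next line commented out: with this Order it would also block the allowed IPs
#Deny from all
</FilesMatch>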
WordPress has published its own advice, plugins, methods and tools to help with this problem.
Please feel free to try these methods as well:
http://codex.wordpress.org/Brute_Force_Attacks
Please use this code for Joomla in your /joomla-directory/administrator/.htaccess file:
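<FilesMatch "^index\.php$">
# With "Order Allow,Deny", any IP not matched by an Allow line is denied
Order Allow,Deny
# (replace with YOUR IP)
#Allow from 123.123.123.121
Allow from 123.123.123.123
# additional Allow lines can be added for access from multiple IPs
# leave the next line commented out: with this Order it would also block the allowed IPs
#Deny from all
</FilesMatch>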
This should protect this file and allow access only from the specified IP(s). This code can also be duplicated and modified to protect other files on your account.
For a 2-Step protection method, use the [Secure Directories] tool inside your Hosting Control Panel to create a username/password login for your WordPress or Joomla installation, so that there is an additional layer that must be logged into before administrative changes can be made.
Note:
If you block access to wp-login.php or /administrator/index.php as suggested above but are also using the [Custom Error Pages] tool, the custom error page may subvert the IP locking process, and if your site is involved in a crash, it may be removed by support. This mostly applies to error pages for Forbidden requests, or others that redirect to your home page, as this causes the attacker to repeatedly load that page instead of being stopped.
This can be verified by removing your IP (that you added) and trying to access the target file. If you're blocked, then you are safe. If not, then your redirect is interfering and should be removed.
Please feel free to contact us again if you have any other questions or issues. Thank you for contacting us.
Best regards,
WEBMASTERS.COM
Support Team
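The verification described in the note above (request the protected file from an IP that is not on the Allow list and confirm that you are blocked) can be scripted with curl. This is an added example, not part of the original support message; the script name check_block.sh and the domain www.example.com are placeholders.

```shell
#!/bin/sh
# Added example (not from the original message). Run it from an IP address
# that is NOT on the Allow list, e.g. after temporarily removing your own IP.

# classify_response STATUS [REDIRECT_URL]
# Maps the HTTP status returned for a protected file onto a verdict.
classify_response() {
    status=$1
    target=${2:-}
    case "$status" in
        403)
            # The .htaccess rule stopped the request.
            echo "BLOCKED" ;;
        301|302|303|307|308)
            # The client is sent on to another page (for example the home
            # page) instead of being stopped.
            echo "REDIRECTED to ${target:-unknown location}" ;;
        2??)
            # The file was served normally: the rule is not in effect.
            echo "OPEN" ;;
        000)
            echo "NO RESPONSE" ;;
        *)
            echo "UNEXPECTED status $status" ;;
    esac
}

# check_file BASE_URL PATH
# Requests the file once, without following redirects, and prints the verdict.
check_file() {
    url="${1%/}/$2"
    # %{http_code} and %{redirect_url} are standard curl --write-out variables.
    result=$(curl -s -o /dev/null --max-time 10 \
        -w '%{http_code} %{redirect_url}' "$url") || result="000 "
    status=${result%% *}
    target=${result#* }
    printf '%s: %s\n' "$url" "$(classify_response "$status" "$target")"
}

# Usage: sh check_block.sh https://www.example.com   (placeholder domain)
if [ "$#" -ge 1 ]; then
    for f in wp-login.php xmlrpc.php administrator/index.php; do
        check_file "$1" "$f"
    done
fi
```

A verdict of BLOCKED corresponds to "you are safe" in the note; REDIRECTED or OPEN means the request was not stopped and the .htaccess rules or the custom error page setting should be reviewed.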