

Protecting yourself against Wordpress hackers


jhjh Member
edited April 2013 in General

I'm sure most of you know about the recent Wordpress hacks.

I found a few lists and collated .htaccess content. Hope it helps someone - just copy/paste into your .htaccess if you use Apache or otherwise adapt for Nginx etc.

No guarantees this'll help etc., but hopefully it'll reduce the chances.

http://www.sysadmin.co.uk/wp-block.txt


Comments

  • jarjar Patron Provider, Top Host, Veteran

    Nice. Cloudflare also seems pretty confident in their ability to deflect a good percentage of it. I've given them the opportunity to impress me.

  • Try this:
    http://www.ilmuserver.com/knowledgebase.php?article=4

    Well, it's in Indonesian there, but the .htaccess is written clearly.

  • Do you mean hackers brute-forcing passwords and so on?
    Or do you mean via vulnerabilities?

    And TBH I am not informed about those hacks :S

  • jhjh Member

    I mean bruteforcing.

  • MunMun Member

    They are attacking a single user name "admin", so remove admin in mysql after making a backup.

  • jhjh Member

    @Mun said: They are attacking a single user name "admin", so remove admin in mysql after making a backup.

    Not what I heard.

  • MunMun Member

    "There is currently a significant attack being launched at a large number of WordPress blogs across the Internet. The attacker is brute force attacking the WordPress administrative portals, using the username "admin" and trying thousands of passwords."

    as per: http://blog.cloudflare.com/

  • BenediktBenedikt Member
    edited April 2013

    Good way to protect it with NGINX (credits to whoever did this, I don't have the source anymore):

    ```nginx
    # Refuse anything that is not a plain GET, HEAD or POST.
    if ( $request_method !~ ^(GET|HEAD|POST)$ ) {
        return 444;
    }

    # Hide dot-files and the files that leak version information.
    # (Backslashes restored: the forum stripped them, and without them the
    # first alternative, a bare ".", would match every request.)
    location ~ /(\.|wp-config\.php|liesmich\.html|readme\.html) {
        return 444;
    }

    # Turn /123/ into the post with ID 123.
    location ~ ^/(\d+)/$ {
        return 301 /?p=$1;
    }

    # HTTP basic auth in front of the login form, then hand it to PHP-FPM.
    # Depending on your fastcgi_params, SCRIPT_FILENAME may also need to be set here.
    location = /wp-login.php {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/htpasswd;
        include fastcgi_params;
        fastcgi_index index.php;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
    }
    ```

  • Just block all access to wp-admin - problem solved.

  • jarjar Patron Provider, Top Host, Veteran

    @MartinD said: Just block all access to wp-admin - problem solved.

    That's like not sailing in a storm. Where's your sense of adventure!?

  • jhjh Member

    @Mun said: "There is currently a significant attack being launched at a large number of WordPress blogs across the Internet. The attacker is brute force attacking the WordPress administrative portals, using the username "admin" and trying thousands of passwords."

    I saw a list of usernames/passwords earlier and they weren't all admin. Possibly multiple groups trying...

    @MartinD said: Just block all access to wp-admin - problem solved.

    There needs to be some access control - you can't just block it completely. If you don't have a static IP, it's a useful list.

  • http://bit51.com/software/better-wp-security/

    Suppose this is considered cheating or lazy.

  • MunMun Member

    Anyone put up a small WordPress install on a VPS with admin and pass as the setup and see what they are changing?

  • marcmmarcm Member

    @jhadley - I have found it much more convenient to simply add an additional layer of protection using a .htpasswd file. Of course, we're using Nginx so we could call that file anything. I'd recommend the same for you since it's easier than keeping track and adding new IP addresses to that list.

  • Try this free service by IP2Location perhaps?
    http://www.ip2location.com/free/visitor-blocker

  • MunMun Member

    @DalComp said: Try this free service by IP2Location perhaps?

    http://www.ip2location.com/free/visitor-blocker

    Sadly it is a botnet, so they are located everywhere, meaning there would still be some applicable terminals hitting it.

  • dnwkdnwk Member

    Is there a way in wordpress to only allow login using OpenID?

  • sadly it is a botnet, so they are located everywhere. Meaning there would still be some applicable terminals hitting it.

    Still a quite useful list of IPs, if you decide a certain country poses greater risk.

  • SyedSyed Member

    I go the opposite route and whitelist instead.

    Much easier (at least for me, since I have a static IP, and so does the person I work with).

  • I've had good luck with the Wordfence Security plugin --

    http://wordpress.org/extend/plugins/wordfence/

    I have it temporarily block any IP that has multiple login failures. YMMV
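
An added shell example (not Wordfence's code and not from the post above) of the same idea done by hand: count failed wp-login.php POSTs per client IP in a combined-format access log and report the ones over a threshold. The log lines are constructed, and the only WordPress behaviour it relies on is that a failed login POST gets a 200 while a successful one gets a 302.

```shell
# Constructed access-log sample in Apache/nginx "combined" format (not real
# traffic): 203.0.113.10 fails four times, 198.51.100.7 logs in (302),
# 192.0.2.33 fails once.
SAMPLE_LOG='203.0.113.10 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3985 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3985 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3985 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3985 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 3985 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.33 - - [12/Apr/2013:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3985 "-" "Mozilla/5.0"
192.0.2.33 - - [12/Apr/2013:10:00:11 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"'

# failed_logins LOGFILE THRESHOLD
# Prints "count ip" (most failures first) for each client with at least
# THRESHOLD failed logins.  WordPress answers a failed wp-login.php POST
# with 200 (the form is re-rendered with the error) and a successful one
# with a 302 redirect, so a 200 on a POST is the failure signal.
failed_logins() {
    awk -v min="$2" '
        {
            path = $7
            sub(/\?.*/, "", path)        # ignore any query string
            if ($6 == "\"POST" && path == "/wp-login.php" && $9 == 200)
                fails[$1]++
        }
        END { for (ip in fails) if (fails[ip] >= min) print fails[ip], ip }
    ' "$1" | sort -rn
}

# Run against the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
failed_logins "$tmp" 3          # prints: 4 203.0.113.10
rm -f "$tmp"
```

The IPs it prints are the candidates for a temporary block; pair it with a cron job or fail2ban-style expiry rather than blocking forever, since the thread's own posts note the traffic comes from a botnet.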

  • +1 for wordfence

  • gqservgqserv Member
    edited April 2013

    One way is to enable HTTP auth on admin.php through .htaccess or the nginx host file.

    We also set up this daily cron job that blocks spam IPs on our proxy gateway.

    http://bash.cyberciti.biz/web-server/nginx-shell-script-to-block-spamhaus-lasso-drop-spam-ip-address/

  • twaintwain Member

    @jhadley - would you think it would be beneficial to blacklist these IPs via iptables as well?

  • rds100rds100 Member
    edited April 2013

    @twain blacklisting thousands of IPs via iptables is a good way to make your server very slow.
    Better use ip route add blackhole x.x.x.x

    Or:

    ```sh
    # Blackhole every address listed in badips.txt, one per line.
    # (Backticks restored; $(cat badips.txt) is the modern equivalent.)
    for i in `cat badips.txt`; do
        ip route add blackhole "$i"
    done
    ```
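
An added shell example, not rds100's loop and not from the thread, that hardens the same idea: a stray line in badips.txt would otherwise be handed straight to `ip route`, so this version strips comments, deduplicates and validates each entry as an IPv4 address or CIDR prefix first. DRY_RUN=1 (the default here) only prints the commands; the list is constructed.

```shell
# Constructed bad-IP list (not the thread's): comments, a blank line, a
# duplicate and two malformed entries are included on purpose.
BADIPS_SAMPLE='# constructed example
203.0.113.10
198.51.100.0/24

203.0.113.10
999.1.1.1
not-an-ip'

# is_ipv4 ADDR[/PREFIX]: succeeds only for a dotted quad with every octet
# in 0-255 and an optional /0-32 prefix length.
is_ipv4() {
    addr=${1%%/*}
    prefix=${1#"$addr"}
    case "$prefix" in
        ''|/[0-9]|/[12][0-9]|/3[0-2]) ;;
        *) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        case "$oct" in ''|*[!0-9]*) return 1 ;; esac
        [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# blackhole_list FILE: strip comments, whitespace and blank lines, deduplicate,
# then print the route command for each valid entry (DRY_RUN=1, the default)
# or run it (DRY_RUN=0, needs root).  Invalid entries are reported on stderr.
blackhole_list() {
    sed 's/#.*//; s/[[:space:]]//g' "$1" | grep -v '^$' | sort -u |
    while read -r entry; do
        if ! is_ipv4 "$entry"; then
            echo "skipping invalid entry: $entry" >&2
        elif [ "${DRY_RUN:-1}" = 1 ]; then
            echo "ip route add blackhole $entry"
        else
            ip route add blackhole "$entry"
        fi
    done
}

# Dry run against the constructed list; prints the two valid entries.
tmp=$(mktemp)
printf '%s\n' "$BADIPS_SAMPLE" > "$tmp"
blackhole_list "$tmp"
rm -f "$tmp"
```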
  • superpilesossuperpilesos Member
    edited April 2013

    Force HTTPS for wp-login.php. They don't attempt to brute-force HTTPS.

  • twaintwain Member

    @rds100 - OK cool that does sound like a better way.. you're missing some backticks on the for loop no?

  • Wordfence works well; also I have blocked many IPs in the .htaccess.

  • rds100rds100 Member
    edited April 2013

    @twain said: @rds100 - OK cool that does sound like a better way.. you're missing some backticks on the for loop no?

    Yes, they got missing somehow, I'll edit it now.
    Hmm no, the backticks are there, but vanilla is eating them. Even PRE doesn't help it seems.
    Does anyone have an idea how to display the backticks?

  • budingyunbudingyun Member
    edited April 2013

    I'm enabling these options, LF_DSHIELD, LF_SPAMHAUS, LF_SPAMHAUS_EXTENDED, LF_TOR and LF_BOGON, in CSF and the SSH brute-force attempts drastically reduced. :D
