How to solve WordPress login hack attempts

By | March 28, 2016
How to solve WordPress login hack attempts

How to solve WordPress login hack attempts

How to solve WordPress login hack attempts

Today I will show you how one way how to stop wordpress login hack attempts without using a plugin.

This is my second post about WordPress ive decided to publish (you can see the first one here). Is not strictly about wordpress though and can be adapted for a variety of situations where you want to stop multiple unwanted requests to your web server.

If you are like me and do not want to add another plugin to bloat your wordpress installation even more then this is one method you can use to block (or redirect) persistent ips from trying to log in.

Firstly you obviously know that this is happening probably from your apache or nginx access logs. I will focus on apache for this tutorial. In the access logs you will see something like this –

1.2.3.4 date time "POST /wp-login.php HTTP/1.1" 200 3813 etc etc

In the example above the 1.2.3.4 is the ip address of the user attempting to login. So you now want to get a list of ALL ip addresses doing it –

grep "POST /wp-login.php" | awk '{print $1}' | sort | uniq

the awk prints the first column which contains the ip address. sort and uniq is a simple way to remove duplicate ip addresses from your output.

the .htaccess file is the key to blocking these ip addresses, or what I have decided to do on one of my domains is to redirect them to a paying url through shorte.st which might earn me a few $ who knows. To add the redirect into .htaccess you need this –

Check out -  Background Bash Script - Push bash script to background

For each line you then need to generate something like this for each record –

RewriteCond %{REMOTE_ADDR} ^1\.2\.3\.4 [OR]
RewriteCond %{REMOTE_ADDR} ^2\.3\.4\.5 [OR]
RewriteCond %{REMOTE_ADDR} ^3\.4\.5\.6

Notice the last one does not have the OR on the end.

Heres a quick hack script based on the previous grep to make the total list (in BOLD I have added an exclusion grep for you to add your own ip address and anyone else you DO want to let have access) –

grep "POST /wp-login.php" | awk '{print $1}' | sort | uniq | grep -v -E "ENTER YOUR IP ADDRESS AND ANY OTHERS YOU WANT TO EXCLUDE FROM THIS RULE | SEPERATED" | while read LINE ; do
echo "RewriteCond %{REMOTE_ADDR} ^${LINE} [OR]"
done | sed "s/\./\\\./g"

Now you can edit your website .htaccess and paste in the rows the script above has produced (remember to ignore the OR on the last record) –

RewriteEngine on
--enter all your records here
RewriteRule wp-login\.php http://sh.st/TI9m1 [R,L]

for testing it is probably a good idea to add your own IP address in the .htaccess file so you can prove it works as you want, and then remove it after you are happy.

This is just 1 solution out of probably many, and may not suit everyone, but hope it helps someone !

Have fun blocking those hackers (and maybe making some cash when they go through your redirect link as well) !!

Check out -  How to get more detail of worked or failed login attempts

Leave a Reply