• Dear WordPress community,

    I need some help from the fantastic programmers around here…

    After a brute force attack trying to log in to my administration area, I added the following code to my .htaccess:

    # protect wp-login.php
    <files wp-login.php>
    order deny,allow
    deny from all
    allow from xx.xxx.xxx.x
    </files>

    It seems to work perfectly for me. I can log in from my own IP, and it denies anybody else.

    However, I now receive dozens of 404 error messages on a daily basis like this one:

    “A user tried to go to https://www.sitename.com/wp-login.php?action=register and received a 404 (page not found) error.”

    To check this, I tried to log in via a proxy, not using my own (allowed) IP, which led to a WordPress loop of searching and redirecting until it displayed the 404 page.

    This means that although I have succeeded in denying access to unwanted bots and people who try to log in to the administration area, the above code does not seem to be reducing server load.

    I have found in another forum a similar code:

    <files wp-login.php>
    Order Deny,Allow
    Deny from all
    Allow from xxx.xxx.xxx.xxx
    # send a fixed inline message (here an empty one) as the 403 response
    # instead of the server's default error page or an error-page URL
    ErrorDocument 403 ""
    </files>

    This code is adding ErrorDocument 403. But I don’t know what this means. I’m not a programmer and don’t want to mess up my .htaccess.

    Therefore my question: what is the correct code for .htaccess to block bots which use thousands of different IP addresses from accessing wp-admin, without increasing server load?

    The goal is not only to harden WordPress and deny unwanted access to the admin panel but also to decrease unnecessary use of server resources.

Viewing 2 replies - 1 through 2 (of 2 total)
  • I do not know enough to explain this, but here is some code I use that I have been told diverts any login attempts that do not begin at a page at your site…

    # BEGIN stop certain brute-force login attempts
    <IfModule mod_rewrite.c>
    RewriteEngine on
    # only applies to form submissions (POST), never to plain page views
    RewriteCond %{REQUEST_METHOD} =POST
    ## note: change mysite.com in the next line and remove its #
    ## (once enabled, POSTs whose Referer is not your own site are refused)
    #RewriteCond %{HTTP_REFERER} !^https://(.*)?.mysite.com [NC]
    # ...and only for the login form or the bare wp-admin URL
    RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^/wp-admin$
    # matching requests get a 403 straight from Apache, before PHP is started
    RewriteRule ^(.*)$ - [R=403,L]
    </IfModule>
    # END stop certain brute-force login attempts

    Try adding that code just above your wp-login blocker (or maybe after it or maybe even replacing it) and I think you will see a dramatic difference.

  • The above code worked for me, but now when someone logs out of WordPress they get the 403 error message as well. Are they actually being logged out? Could you please create a version that allows wp-login.php?action=logout to work?

    Thanks!
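An added example that is not code from this thread or from WordPress itself, combining the two points raised above: the per-IP allow-list for wp-login.php from the question, and the logout problem from the last reply. It assumes Apache 2.4 with mod_authz_core (with a 2.2 fallback), and 203.0.113.0/24 is a placeholder for the administrator's real address range.

```apache
# Added example, not from this thread. Assumes Apache 2.4 (mod_authz_core);
# 203.0.113.0/24 is a placeholder, replace it with your own address range.

<Files wp-login.php>
    <IfModule mod_authz_core.c>
        # Apache 2.4: allow either the listed addresses or a logout request.
        <RequireAny>
            Require ip 203.0.113.0/24
            # ?action=logout only clears the session cookie (WordPress still
            # checks its nonce), so letting it through from any address
            # removes the 403 that people saw when logging out.
            Require expr "%{QUERY_STRING} =~ m#(^|&)action=logout#"
        </RequireAny>
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 fallback: plain allow-list; the logout exception
        # cannot be expressed with this syntax.
        Order Deny,Allow
        Deny from all
        Allow from 203.0.113.0/24
    </IfModule>
</Files>

# A quoted message makes Apache answer a denied request with that short
# inline body itself: no error-page URL is fetched, no redirect happens,
# and WordPress (PHP) is never started for the blocked hit. That is what
# keeps a flood of blocked attempts cheap for the server.
ErrorDocument 403 "Forbidden"
```

The allow-list still means the login form itself is only reachable from the listed addresses; everyone else gets the one-line 403 without any WordPress page load.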

  • The topic ‘Prevent wp-login.php via .htaccess without increasing server load’ is closed to new replies.