Modifying and/or removing wp-login.php Block

[Michael D.]

We have had to place some blocks for wp-login.php on affected accounts in some cases. Here are two such examples:

http://forums.mddhosting.com/topic/979-wordpress-wp-login-brute-force-kobold-server-update-boreas-and-jasmine/

http://forums.mddhosting.com/topic/1028-distributed-wp-loginphp-attack-affecting-echo-and-boreas-blocks-put-in-place/

 

We have, to ensure server stability and account speed, blocked access to the wp-login.php for any affected accounts. You can, however, allow yourself in and, if needed, remove the block entirely.

We created, if it did not exist, or appended to the /home/your-cpanel-username/.htaccess file the following lines:

 

This is not in /public_html/.htaccess. It *is* in /.htaccess.

# The following lines have been put in place by your hosting provider as your site was under a brute force dictionary attack.
# You can provide yourself access to the wp-admin by adding an "Allow from" line with your IP address before the "Deny from all" line.
# If you need to allow multiple users in you can remove the following lines entirely if you need or you can add multiple "Allow from" lines.
#
# If you have any questions about this at all, do please get with your hosting provider for support.
#
<Files "wp-login.php">
Order Allow,Deny
# Uncomment the following line and change the number to your IP address.  You can find your IP address at http://www.whatismyip.com/
# Allow from 123.456.789.012
Deny from all
</Files>
#
#
# End of brute-force block.  If you do wish to remove the block entirely do not remove beyond this line.

You can remove the "#" from the beginning of the 10th line and change the number "123.456.789.012" to your IP address [ http://www.mddhosting.com/whatismyip.php / http://www.whatismyip.com/ ]. This will permit you the ability to log into your WP-Admin while keeping attackers out.

You can make these changes via FTP in the "/" folder you will see a file called ".htaccess" or you can do it via the cPanel -> File Manager [also in "/"] but you may need to set it to show hidden files.

Do please understand that if your wp-login.php has been blocked with this code it is because your site was under attack by bots trying to guess your passwords. We hate to make modifications to client accounts, however, in this case we have been forced to do so to ensure server stability.

If you have any questions at all about this do not hesitate to ask. If the question is specific to your account it is likely best if you open a new support ticket and reference this thread.

[Leah2]

As usual MDD is doing a great job!

 

Is there any chance of changes like these going out to affected accounts in an email blast in the future? Kind of a heads up? I know you can't do it for every issue...

 

Thanks again,

 

L

[HelgeSverre]

Really nice work guys, although I'd like to be notified of this next time.

[Nora]

Thanks a lot for the very clear instructions (even a newbie like me was able to follow!)

 

I still have a question. I installed the Rename wp-login.php plugin as suggested, do I need to remove the block entirely now or should I leave it? What are the consequences of one or the other option? Okay, that's 2 questions

[Randy A]

My site was one affected ... and I'm happy that Michael and the team at MDD stepped in to help protect my site!

 

I've now updated my site to rename the wp-admin.

[brent]

Really nice work guys, although I'd like to be notified of this next time.

Yeah. A notification (email most probably) to affected clients would be nice.

[Michael D.]

Yeah. A notification (email most probably) to affected clients would be nice.

Working on it. That said taking your wp-admin offline is better than simply letting your whole site go offline or suspending the whole account to prevent collateral damage .

[tgl]

Now that the plugin originally recommended by MDD is no longer supported: http://d.pr/i/1kjWv what are customers to use to avoid the secondary authentication that gets applied when you try to access /wp-admin?

 

It's not feasible for sites that welcome public registration (e-commerce sites for example) to have to deal with the second layer security and try to add additional user names with passwords.

[Michael D.]

Now that the plugin originally recommended by MDD is no longer supported: http://d.pr/i/1kjWv what are customers to use to avoid the secondary authentication that gets applied when you try to access /wp-admin?

We simply made our users aware of the plug-in as it appeared to fix the issue at the time. It is unfortunate that the developer has discontinued the plugin and I do not have any recommendations on a replacement.

 

You would need to put some research into plugins to protect yourself if the need arose.

 

It's not feasible for sites that welcome public registration (e-commerce sites for example) to have to deal with the second layer security and try to add additional user names with passwords.

Nobody is forcing it - if you want to stay under brute force attack you can remove the password protection. Understand your site may become slow and/or completely unresponsive under the load of such an attack without proper optimization.