MDDHosting Forums

WordPress wp-login.php Brute Force Protection - Now Available


Michael D.


Hello!

WordPress suggests password protecting the wp-login.php file using htpasswd. This is not a terribly difficult task but, with cPanel, is something that has to be done manually as cPanel does not have any way to protect just a single file and only folders.

The details of how to put this block in place can be seen on the Official WordPress Codex at http://codex.wordpress.org/Brute_Force_Attacks#Password_Protect_wp-login.php

We have written an internal script that can perform all of the steps necessary to protect your wp-login.php against brute force attacks. We can execute this upon request on any account, however, we will also be replacing our wp-login.php block with this wp-login.php password protection moving forward. This means that if your site comes under attack and is not already password protected that we will password protect it and notify you of the username and password so that you can still access your site normally while locking out bots/attacks.

Once the password protection is in place it is possible to add users and modify passwords from the cPanel interface and I will be creating a knowledgebase article showing how to do this step-by-step including pictures later today.
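The Codex-style block the post refers to, written out as an added example (this is not MDDHosting's internal script). The htpasswd file path, the user name and the allowed network range are placeholders, not values from the post.

```apache
# Added example of the Codex-style wp-login.php gate; not MDDHosting's
# internal script. The htpasswd path, the user name and the network range
# are placeholders: adjust them for the account.
#
# 1. Create the password file outside the web root (run once, interactive):
#    htpasswd -c /home/example/.htpasswds/wp-login wpadmin
#
# 2. In the site's .htaccess, gate the single file rather than a folder.
#    Requests that fail the challenge get a 401 before PHP or MySQL run,
#    which is why an attacker "can't even post data to the file".
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted wp-login"
    AuthUserFile /home/example/.htpasswds/wp-login
    Require valid-user
</Files>

# Alternative mentioned later in the thread: allow only known addresses.
# Apache 2.4 syntax; 203.0.113.0/24 is a documentation-range placeholder
# for the site owner's network. On Apache 2.2 the equivalent is
# "Order deny,allow" / "Deny from all" / "Allow from 203.0.113.0/24".
#
# <Files "wp-login.php">
#     Require ip 203.0.113.0/24
# </Files>
```

Users added later through cPanel's password-protection screen land in the same AuthUserFile, which is what the follow-up knowledgebase article walks through.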


The knowledgebase article about how to add users, modify existing users, and remove users from the password protection has been created and can be seen here: http://www.mddhosting.com/support/knowledgebase/1024/Adding-modifying-and-removing-users-from-wp-loginphp-protection.html


This is a wrong approach, I don't want anyone to mess with my websites, especially with passwords etc etc.

Also many WP are public for registrations, or have Editor accounts.

There are PLENTY of modules that protect WP-Login and work great. Why not install something like that and be safe?

I don't get it.

For example, this is one of the great plugins.

http://www.thewhir.com/web-hosting-news/automattic-acquires-bruteprotect-block-wordpress-brute-force-attacks

BruteProtect is a cloud-powered Brute Force attack prevention plugin and the best protection against botnet attacks.

https://wordpress.org/plugins/bruteprotect/


This is a wrong approach, I don't want anyone to mess with my websites, especially with passwords etc etc.

Also many WP are public for registrations, or have Editor accounts.

There are PLENTY of modules that protect WP-Login and work great. Why not install something like that and be safe?

I don't get it.

We aren't just going around throwing it on sites willy-nilly.

Here are some examples from customers we've contacted when we put this in place:

Of the last 7406 page views, 7383 have been to your wp-login.php.

Of the last 5642 page views, 3855 have been to your wp-login.php.

Of the last 4944 page views, 4730 have been to your wp-login.php.

Of the last 15325 page views, 15277 have been to your wp-login.php.

Of the last 30614 page views, 26851 have been to your wp-login.php.

Those are real values taken right from the last 5 tickets we opened with customers concerning their sites being under attack. We're talking about requests over minutes - not days, weeks, or months.

It's enough that if action isn't taken it will take your site offline.

There are two issues facing most brute-force plugins:

1. They tend to require multiple failed attempts from a single IP. The problem? Most of these attacks are done from 100,000s of individual IPs. Have 20,000 attempts to log into your wp-admin? You'll see 20,000 distinct IP addresses.

2. They all require a fair bit of CPU as far as PHP and MySQL that makes them work. So yes - maybe they'll keep your login safe - but they'll potentially take your site down under the load of such a large attack.

Now distributed brute force protection is great - the only problem is that you also face the CPU and possible network load of such plugins. Get hit by 100,000 bots in 5 minutes? You're probably still going to be offline even if they don't get into your WP-Admin.

Password protection [or] simply limiting access to wp-login.php by IP address are ultimately the best ways to fend off attacks if it is possible for your particular site - if they can't even post data to the file, they stand no chance of ever getting in. There are, obviously, sites where this won't fit and if we end up putting this protection on such a site and the site holder lets us know we'll remove it no problem and will also make it so that it can't happen again but, that said, if they don't do something on their own to prevent it they're going to face further problems.
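The page-view figures above and point 1 (a per-IP counter never fires when each bot tries once) can be checked directly from an access log. The script below is an added example, not MDDHosting's internal tooling; the log lines are constructed samples in Apache combined format and the thresholds are assumptions.

```python
"""Added example, not MDDHosting's internal script: parse an access log and
score it for the wp-login.php flood described above. The log lines are
constructed samples in Apache combined format; thresholds are assumptions."""
import re
from collections import Counter

# Only the client IP and the request path matter for these checks.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)[^"]*" \d{3}')
SAMPLE_LOG = """\
198.51.100.7 - - [10/Sep/2014:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3011
198.51.100.8 - - [10/Sep/2014:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3011
203.0.113.5 - - [10/Sep/2014:10:00:02 +0000] "GET / HTTP/1.1" 200 12044
198.51.100.9 - - [10/Sep/2014:10:00:02 +0000] "POST /wp-login.php?action=login HTTP/1.1" 200 3011
198.51.100.10 - - [10/Sep/2014:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3011
203.0.113.5 - - [10/Sep/2014:10:00:03 +0000] "GET /about/ HTTP/1.1" 200 9120
"""

def summarise(log_text):
    """Count page views, wp-login.php hits, and how those hits spread across IPs."""
    total = login = 0
    per_ip = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; the constructed sample has none
        total += 1
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if path.endswith("/wp-login.php"):
            login += 1
            per_ip[m.group("ip")] += 1
    return {
        "total": total,
        "login": login,
        "distinct_ips": len(per_ip),
        "max_per_ip": max(per_ip.values(), default=0),
    }

def indicators(stats, share_threshold=0.5, per_ip_limit=5):
    """A per-IP limiter (what most plugins do) next to an aggregate share check."""
    share = stats["login"] / stats["total"] if stats["total"] else 0.0
    return {
        "login_share": share,
        "per_ip_limiter_fires": stats["max_per_ip"] >= per_ip_limit,
        "aggregate_alert": share >= share_threshold,
    }

def notice(stats):
    # The sentence the support tickets above used, built from the parsed counts.
    return f"Of the last {stats['total']} page views, {stats['login']} have been to your wp-login.php."
```

On the sample, four distinct IPs each hit wp-login.php once, so a per-IP limiter set to 5 stays silent while the aggregate share (4 of 6 views) trips the alert; the same split is what makes the distributed attacks in the thread invisible to per-IP plugins.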
