[wp-hackers] Admin Login Brute Force Attacks (Revisited)

Marko Heijnen mailing at markoheijnen.nl
Sun May 19 23:43:56 UTC 2013


I use a PHP-based IP check for my site and block some IP addresses for wp-login.php and xmlrpc.php with Nginx rules.
A lot of people always forget that XML-RPC is also a way to retrieve passwords. I'd say it's not used a lot, but I would personally use that one.


On 20 May 2013, at 01:35, Daniel <danielx386 at gmail.com> wrote:

> Or you could just set it (as long as you are the only person who needs to
> log in and you got a static IP address) so that only 1 IP address can get
> to that file.
> 
> 
> 
> On Mon, May 20, 2013 at 9:32 AM, Andrew Ozz <admin at laptoptips.ca> wrote:
> 
>> Another good prevention measure is to set a simple htaccess password (or
>> equivalent) only for wp-login.php. Yeah, the users will have to enter two
>> passwords when logging in (heh, pseudo 2-step authorization?), but the bots
>> only hit Apache not getting to PHP at all. Works on most shared hosting and
>> reduces server load.
>> 
>> AuthType Basic
>> AuthName "[whatever]"
>> AuthUserFile "/path/to/.htpwd"
>> <Files "wp-login.php">
>> require valid-user
>> </Files>
>> 
>> 
>> 
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>> 
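An Nginx equivalent of the two measures discussed in this thread (Daniel's single-IP restriction and Andrew's extra password on wp-login.php), extended to xmlrpc.php as Marko suggests. This is an added example, not configuration from any poster; the PHP-FPM socket path, the admin IP 203.0.113.10 (a documentation address) and the htpasswd path are assumptions.

```nginx
# Added example, not from the thread. Assumptions: PHP-FPM listens on
# unix:/run/php-fpm.sock, the admin's static IP is 203.0.113.10 and the
# password file lives at /etc/nginx/wp-admin.htpasswd.

# Ordinary PHP handler for the rest of the site.
location ~ \.php$ {
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php-fpm.sock;
}

# Exact-match locations take precedence over the regex location above,
# so these two files get their own gate.
location = /wp-login.php {
    satisfy any;                  # pass if EITHER the IP check OR basic auth succeeds
    allow 203.0.113.10;           # admin's static IP skips the second password
    deny  all;
    auth_basic "WordPress login"; # everyone else must supply the htpasswd credentials
    auth_basic_user_file /etc/nginx/wp-admin.htpasswd;

    # Only requests that passed the gate reach PHP; bots get a 401/403 from Nginx.
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php-fpm.sock;
}

# XML-RPC also accepts a username/password, so it gets the same gate.
location = /xmlrpc.php {
    satisfy any;
    allow 203.0.113.10;
    deny  all;
    auth_basic "WordPress XML-RPC";
    auth_basic_user_file /etc/nginx/wp-admin.htpasswd;

    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php-fpm.sock;
}
```

Gating xmlrpc.php this way also shuts out legitimate remote clients (mobile apps, pingbacks, Jetpack-style services) coming from other addresses, so check what your site relies on before applying the second block.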
