[wp-hackers] Admin Login Brute Force Attacks (Revisited)
Marko Heijnen
mailing at markoheijnen.nl
Sun May 19 23:54:04 UTC 2013
It is, but not a lot. Also, I can do IP-based checks depending on the user role. Meaning you can't do everything webserver side.
On 20 May 2013, at 01:46, Daniel <danielx386 at gmail.com> wrote:
> Why would you do an IP-based check in PHP? Isn't that a waste of CPU?
>
>
> On Mon, May 20, 2013 at 9:43 AM, Marko Heijnen <mailing at markoheijnen.nl> wrote:
>
>> For my site I use a PHP-based IP check and block some IP addresses for
>> wp-login.php and xmlrpc.php with Nginx rules.
>> A lot of people always forget that XML-RPC is also a way to retrieve
>> passwords. Do say not used a lot but I would personally use that one.
>>
>>
>> On 20 May 2013, at 01:35, Daniel <danielx386 at gmail.com> wrote:
>>
>>> Or you could just set it (as long as you are the only person who needs to
>>> log in and you've got a static IP address) so that only 1 IP address can get
>>> to that file.
>>>
>>>
>>>
>>> On Mon, May 20, 2013 at 9:32 AM, Andrew Ozz <admin at laptoptips.ca> wrote:
>>>
>>>> Another good prevention measure is to set a simple htaccess password (or
>>>> equivalent) only for wp-login.php. Yeah, the users will have to enter two
>>>> passwords when logging in (heh, pseudo 2-step authorization?), but the bots
>>>> only hit Apache, not getting to PHP at all. Works on most shared hosting and
>>>> reduces server load.
>>>>
>>>> AuthType Basic
>>>> AuthName "[whatever]"
>>>> AuthUserFile "/path/to/.htpwd"
>>>> <Files "wp-login.php">
>>>> require valid-user
>>>> </Files>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> wp-hackers mailing list
>>>> wp-hackers at lists.automattic.com
>>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>>
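
The thread mentions Nginx rules for wp-login.php and xmlrpc.php without showing them. The fragment below is an added example, not a configuration posted by anyone in the thread: it combines the measures discussed (a password checked before PHP runs, a single allowed IP address, XML-RPC blocked). The IP address, password file path and PHP-FPM socket path are assumptions to replace with your own.

```nginx
# Place inside the server { } block of the WordPress site.
# Exact-match locations take priority over a generic "location ~ \.php$",
# so these rules are evaluated before the request ever reaches PHP.

location = /wp-login.php {
    # Require BOTH the IP check and the password (this is the default,
    # stated explicitly so a later edit does not silently weaken it).
    satisfy all;

    # Single static admin address, as suggested in the thread.
    # 203.0.113.10 is a constructed documentation address (TEST-NET-3).
    allow 203.0.113.10;
    deny  all;

    # Nginx equivalent of the htaccess password: bots are rejected
    # by the web server with 401/403 and never start a PHP process.
    auth_basic           "Restricted";
    auth_basic_user_file /etc/nginx/wp-login.htpasswd;   # assumed path

    # Hand the request to PHP only after the checks above pass.
    include       fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass  unix:/run/php/php-fpm.sock;            # assumed socket
}

location = /xmlrpc.php {
    # XML-RPC accepts the same credentials as the login form, so it
    # needs the same protection. Denying it outright also disables
    # legitimate XML-RPC clients; use an allow list instead if needed:
    #   allow 203.0.113.10;
    deny all;
}
```

Changing `satisfy all` to `satisfy any` would let a request through on either the IP match or the password alone. Role-dependent IP checks, as Marko notes, still have to happen in PHP because the web server does not know which WordPress user is logging in.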