Wednesday, May 29, 2013

Attack-bots Hitting Wp-Login on Wordpress Sites

I've noticed in my log recently that thousands of bots have been hitting wp-login.php repeatedly, despite being served 403 pages. I am not sure of the motivation of the attackers. However, thousands of hits on a .php file certainly can be a drain on system resources, since each one makes the server load and interpret PHP.

I developed a simple method of reducing the impact of wp-login attackers. After my "Deny from" lines, I placed the following code in my .htaccess file. It is useful for WordPress sites that do not permit users other than the administrator to log in, and where the admin uses a static IP address, which is an ideal scenario for security purposes. I should note that wp-login is specifically disallowed in my robots.txt and that there is no link to it on the WordPress site in question. Thus, my code will not ensnare rule-abiding bots such as Google's.

My code is not applicable to all Wordpress sites. Some WP sites let users register and log in. I opted not to go that route, because our site is such a small one that I doubt anyone would remember their password. Our users can leave a comment by logging into a popular social media site.

#Block WP attackers
RewriteEngine on
RewriteBase /
# Admin's static IP (replace www.xxx.yyy.zzz). Variables use braces, %{...}, not
# parentheses, every dot is escaped, and the trailing $ stops the pattern from
# also matching longer addresses that merely start with the same digits.
RewriteCond %{REMOTE_ADDR} !^www\.xxx\.yyy\.zzz$
# The three URI conditions are OR'd together; the IP condition is ANDed with that group.
RewriteCond %{REQUEST_URI} ^/wp-login [NC,OR]
RewriteCond %{REQUEST_URI} ^/wp-admin [NC,OR]
RewriteCond %{REQUEST_URI} ^/install\.php [NC]
# F = return 403 Forbidden, L = stop processing further rules.
RewriteRule .* - [F,L]

Place any static IP addresses that admins use in the above code (where www.xxx.yyy.zzz is). The code should exclude the IP addresses of legitimate users (the admins) who log in to the site. One could exclude multiple IP addresses by adding more conditional lines of the same form, one per address.

The first conditional statement checks the IP address. If it does not match (indicated by the exclamation mark), then if the user is requesting the wp-login, wp-admin, or install page, that user is served the 403 page. All of this happens without engaging the database or invoking any PHP code, so it is fast and efficient and minimizes the toll of the attack bots on system resources. I have banned the IP addresses of the vast majority of these attackers, but I notice a certain percentage do slip through with novel IP addresses, so this is a way of preventing them from forcing the server to load and interpret wp-login.php.
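To make the rule's behaviour concrete, here is an added example (my own code, not from the post) that parses a few constructed Apache access-log lines, counts wp-login.php hits per source address (the "thousands of hits" check from the top of the post), and then mirrors the .htaccess logic above in Python: block when the remote address is not the admin's AND the URI is one of the protected paths. The admin address 192.0.2.1 and the log lines are placeholders I made up; the example also contrasts an anchored admin-IP pattern with an unanchored one, to show why the trailing $ matters.

```python
import re
from collections import Counter

# Constructed sample log lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [29/May/2013:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 403 512 "-" "Mozilla/5.0"
203.0.113.10 - - [29/May/2013:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 403 512 "-" "Mozilla/5.0"
198.51.100.7 - - [29/May/2013:10:02:00 +0000] "GET /wp-admin/ HTTP/1.1" 403 512 "-" "curl/7.29"
192.0.2.1 - - [29/May/2013:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.15 - - [29/May/2013:10:03:30 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [29/May/2013:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, method, request URI and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_log(text):
    """Return one dict per parseable line; unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows

def hits_per_ip(rows, path_prefix="/wp-login"):
    """Count requests per client IP whose URI starts with path_prefix."""
    counts = Counter()
    for r in rows:
        if r["uri"].lower().startswith(path_prefix):
            counts[r["ip"]] += 1
    return counts

# Assumed admin address 192.0.2.1 (stands in for www.xxx.yyy.zzz in the post).
ADMIN_IP_ANCHORED = re.compile(r"^192\.0\.2\.1$")    # what the .htaccess should use
ADMIN_IP_UNANCHORED = re.compile(r"^192\.0\.2\.1")   # prefix-only: also matches 192.0.2.1x, 192.0.2.1xx

# Equivalent of the three OR'd RewriteCond lines on REQUEST_URI, case-insensitive ([NC]).
PROTECTED_URI = re.compile(r"^/(wp-login|wp-admin|install\.php)", re.IGNORECASE)

def rule_blocks(ip, uri, admin_re=ADMIN_IP_ANCHORED):
    """Mirror the .htaccess rule: 403 when (IP is NOT admin) AND (URI matches a protected path)."""
    return (not admin_re.match(ip)) and bool(PROTECTED_URI.match(uri))

def blocked_requests(rows, admin_re=ADMIN_IP_ANCHORED):
    """List (ip, uri) pairs the rule would answer with 403."""
    return [(r["ip"], r["uri"]) for r in rows if rule_blocks(r["ip"], r["uri"], admin_re)]

if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("wp-login hits per IP:", dict(hits_per_ip(rows)))
    print("blocked (anchored admin IP):", blocked_requests(rows))
    print("blocked (unanchored admin IP):", blocked_requests(rows, ADMIN_IP_UNANCHORED))
```

With the anchored pattern, 192.0.2.15 is blocked like any other foreign address; with the unanchored pattern it slips through because "192.0.2.1" is a prefix of "192.0.2.15". Non-protected paths such as /index.php are never touched by the rule, whichever address they come from.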

My 403 page consists of a mere 500-odd bytes with links intended to tempt bots to visit various spam-bot hells around the Internet, where they may encounter honeypots, investigators, bogus email addresses, bogus links, and in general waste a lot of their time and effort and generate no data of any use at all to them.


techlorebyigor is my personal journal for ideas & opinions