I have a self-hosted WordPress blog, and for weeks someone has been trying to log in as admin. I’m looking for a way to stop it. Since I started blocking the originating IP address, the attempts started coming from many IPs but in batches of three or four tries at 10 minute intervals – so it’s obviously one person and I guess they’re using a botnet.
I use several security steps and keep all plugins up to date. WordPress is itself automatically kept up to date nowadays, of course.
These are not all my security actions, but I have …
– “Limit Login Attempts” plugin, but the switching around of the IP address by the hacker meant that this didn’t have much effect.
– I password-protect the wp-admin directory with htaccess and htpasswd. Since this had been in place for a long time, I just changed that directory access user name and password, but that made no difference; he still gets to the login dialog.
– Of course, my WP admin account is not called ‘admin’ and I deleted the original admin account.
– For a while, I even tried renaming wp-login.php, and moved wp-admin out of the blog’s directory. It’s quick and easy for me to reverse this when I want to blog or make changes. But Limit Login Attempts still reported attempts – 21 since I renamed/moved these. How is that possible? I’ve now returned these to the normal place.
– I added this to .htaccess in the blog’s main directory (where nnn etc. is my fixed IP and example.com substitutes for the real domain):
    RewriteCond %{REMOTE_ADDR} !^nnn\.nnn\.nnn\.nnn$
    RewriteRule ^wp-(login|register)\.php http://www.example.com/blog/ [R,L]
– and I added a variation of that to .htaccess in the blog’s wp-admin directory:
    RewriteEngine On
    RewriteCond %{REMOTE_ADDR} !^nnn\.nnn\.nnn\.nnn$
    RewriteRule .* http://www.example.com/blog/ [R,L]
When I try to log in from a different IP address via wp-login.php, the first htaccess correctly shunts me straight to the blog’s front page. Equally, when I try to access wp-admin from that different IP address, the second htaccess takes me straight to the blog’s front page as it should. Only when I try to log in from my fixed IP do I see the request for the directory access passwd, and then the WP login page.
And yet the hacker is able to reach the login dialog. He hasn’t managed to actually log in yet; I run WordPress File Monitor and see no unexpected file changes, and he hasn’t discovered the real admin username – but I can’t be complacent.
So, can anyone help me understand:
– How is it that the hacker can still reach the login page? Even when wp-login.php and wp-admin were temporarily renamed / moved? I cleared the cache and turned supercache off days ago (and renamed wp-super-cache) in case pages in cache were allowing them to reach it.
– What can I do to stop this? I have full access to the parent site (shared hosting) and MySQL database.
2 Answers
One thing you can do, if you don’t have a membership website, is make it so that wp-admin/wp-login can be opened only from your IP address and block all other IP addresses. But make sure that you don’t have a membership website (no other subscribers/publishers that can log in; you are the only person who logs in).
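The allow-list this answer describes, written out as an added example (this is not the asker’s or the answerer’s configuration). It assumes Apache 2.4 with mod_authz_core and an AllowOverride setting that permits these directives (the usual case on shared hosting), that the blog lives under /blog/, and it uses 203.0.113.10 as a placeholder for the fixed address and /path/to/.htpasswd as a placeholder for the password file. Two points worth knowing when building this: inside wp-admin/.htaccess a RewriteRule pattern is matched against the request path with the wp-admin/ prefix already stripped, so it has to match the remainder (`.*`), not a path beginning with wp-admin; and wp-login.php is not the only file that accepts a WordPress username and password, xmlrpc.php does too and goes through the same authentication hooks, so an attempt counter can report logins that never touched the login form. The example therefore covers both files.

```apache
# Added example, not from the question or answers. Assumes Apache 2.4 and a
# blog under /blog/. 203.0.113.10 and /path/to/.htpasswd are placeholders.

# ---- /blog/.htaccess ----------------------------------------------------
# Both files accept a username and password, so both get the same rule.
# Anyone else receives 403 and never sees a login form.
<Files "wp-login.php">
    Require ip 203.0.113.10
</Files>
<Files "xmlrpc.php">
    Require ip 203.0.113.10
</Files>

# ---- /blog/wp-admin/.htaccess -------------------------------------------
# Keep the existing Basic-auth prompt AND require the allowed address:
# a request must satisfy every Require inside <RequireAll>.
AuthType Basic
AuthName "Restricted"
# Placeholder path; use the absolute path of your real .htpasswd file.
AuthUserFile /path/to/.htpasswd
<RequireAll>
    Require ip 203.0.113.10
    Require valid-user
</RequireAll>

# admin-ajax.php is called by front-end plugins on behalf of anonymous
# visitors; leave it reachable or those features break for everyone else.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Denied requests get a 403 rather than the redirect in the question’s rewrite rules, which is what you want here: the form is never served, so there is nothing to count. On Apache 2.2 the equivalent of each `Require ip` line is `Order Deny,Allow` / `Deny from all` / `Allow from 203.0.113.10`, and the default `Satisfy All` already makes the password and the address both mandatory. The address must be genuinely fixed: if it changes, the lock-out applies to you as well, and the only way back in is editing the file over FTP/SSH or the hosting control panel.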
The other thing you can do is use a CDN like Cloudflare, which will filter the IPs before they reach your server. This makes your site faster as well.
Hope this helps.