.htaccess for entire /home to stop wp-login.php bruteforce ...feasible?

qwerty

Well-Known Member
Jan 21, 2003
215
2
168
Like for many others, our cpanel servers are getting hammered day in day out with wp-login.php login attempts.

Not on such a huge scale that they're causing trouble but I worry without any restrictions they're bound to brute force their way in to some of the customers' wordpress blogs.

This is NOT about mod_security - I am aware there are rules out there, but from what I've read they're either easily circumvented or create more issues then they solve.

What I had in mind was... putting a .htaccess in /home directly and specify directives in it such that whenever someone attempts to access wp-login.php anywhere under /home/ - they're subjected to a list of allowed IPs.

I can email my customers and get their static IPs to add to the list so that they're able to access wp-login.php

Is this feasible? What possible issues could I run into? Does Wordpress use wp-login.php for anything other than ADMIN login ... ie. do normal 'users' also use this script? (if so, then this would be a non-workable solution)
 

Infopro

Well-Known Member
May 20, 2003
17,091
516
613
Pennsylvania
cPanel Access Level
Root Administrator
Twitter
You might find more help with questions like this on the wordpress support site. This link should be helpful, it mentions ideas like yours here:
/http://codex.wordpress.org/Hardening_WordPress

This is NOT about mod_security - I am aware there are rules out there, but from what I've read they're either easily circumvented or create more issues then they solve.
Disagree. You can never have too much security.
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
Yes, this would work (a .htaccess in /home) but it's a lot of work to manage. And yes, normal users, not just admins, use wp-login.php.

I've used modsecurity successfully to defend WP brutes on over 10,000 servers. simply put, it works.

Most of the new brute forces are using the xmlrpc.php call anyway, not wp-login. I'm also defending against the xmlrpc.php brutes with modsecurity very successfully.

New Brute Force Attacks Exploiting XMLRPC in WordPress | Sucuri Blog
 
Last edited: