In recent weeks we have observed a large number of attacks on the login forms of CMS administration panels, both among our shared-hosting customers and on websites hosted on VPS servers under our management. Most of them target the Joomla /administrator page and the WordPress /wp-login.php page. Our shared hosting runs on powerful servers, so even 8,000 brute-force attempts will not crash the server and the sites still load. An attack on the Joomla login puts load on the server, but not as severely as an attack on the WordPress login. Hosting customers might notice a slight slowdown of their sites; a customer with a VPS running several WordPress sites, however, might experience downtime. Let's look at how to repel such attacks from the website side.
1) Unknown Address
Everyone knows the default login addresses of WordPress, Joomla, Drupal and so on, and the bots simply request them. It is advisable to change the login address. PrestaShop, for example, prompts you to rename the /admin directory to something else immediately after installation. WordPress has no built-in setting for this, so a plugin is required. Note that a renamed address only defeats bots that blindly try the default path, not an attacker who takes a closer look at your site.
2) Restrict Access by IP Address
Create a .htaccess file in the directory with the login page and add:
Order Deny,Allow
Deny from all
Allow from 178.238.41.70
This means that the pages in the directory with this .htaccess file can only be accessed from the IP address 178.238.41.70. Several Allow from lines, or a whole network in CIDR notation, can be listed. Order/Deny/Allow is the Apache 2.2 syntax; on Apache 2.4 it keeps working only while mod_access_compat is loaded, and the native 2.4 form of the same rule is a single line, Require ip 178.238.41.70. This method only suits sites whose administrators log in from fixed addresses; anyone on a dynamic address will lock themselves out.
3) Add a Second Login with Basic Access Authentication
Create a .htaccess file in the directory with the login page and add:
<Files wp-login.php>
AuthType Basic
AuthName "My Protected Area"
AuthUserFile /data/web/virtuals/yourdomain.com/.htpasswd
Require valid-user
</Files>
AuthUserFile must be the absolute path to the .htpasswd file. That file defines which login and password can reach the page before WordPress's own login form is even shown. Put it outside the web root if you can (as in the example path above); if it has to live in the directory with the login page, Apache's default configuration refuses to serve files whose names begin with .ht, so it will not be downloadable. Each line holds a login and a hashed password, not the password itself. The entry shown below is in Apache's apr1 format (an MD5-based scheme, what htpasswd -m produces); Apache 2.4 also accepts bcrypt hashes (htpasswd -B), which are far more expensive to crack if the file ever leaks. Create the entry with the htpasswd tool on the server if you have it. Online generators exist, but whatever you type into one leaves your machine, so never use a password there that you use anywhere else.
An entry for user "admin" with the password "test" in the .htpasswd file will look like this:
admin:$apr1$GZJSVSSc$e4D5afSeOTn8ZogplYw9d1
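To show what the entry above actually is, here is an added Python example, written for this page and not taken from the original post or from the Apache project. It implements Apache's apr1 password format (the MD5-based scheme htpasswd -m writes), builds a .htpasswd line, and verifies such a line against a supplied password with a constant-time comparison. The user name, password and salt it uses are constructed test values; a real deployment would let htpasswd draw the salt.

```python
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"


def _to64(value, count):
    """Apache's to64(): emit `count` characters, least significant 6 bits first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_crypt(password, salt):
    """Hash `password` in Apache's apr1 (MD5-based) format, as htpasswd -m does."""
    pw = password.encode()
    salt = salt.encode()[:8]                     # Apache keeps at most 8 salt characters
    ctx = hashlib.md5(pw + MAGIC + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    remaining = len(pw)
    while remaining > 0:                         # feed `alt` once per 16 bytes of password
        ctx.update(alt[:min(remaining, 16)])
        remaining -= 16
    bit = len(pw)
    while bit:                                   # one byte per bit of the password length
        ctx.update(b"\x00" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):                        # 1000 stretching rounds
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    # The 16 digest bytes are emitted in Apache's interleaved order, 22 characters in all.
    triples = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                      for a, b, c in triples)
    encoded += _to64(final[11], 2)
    return MAGIC.decode() + salt.decode() + "$" + encoded


def htpasswd_line(user, password, salt=None):
    """Build one .htpasswd line; a random 8-character salt is drawn if none is given."""
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{apr1_crypt(password, salt)}"


def verify(line, user, password):
    """Check `password` for `user` against one apr1 line from a .htpasswd file."""
    name, _, stored = line.strip().partition(":")
    if name != user or not stored.startswith("$apr1$"):
        return False
    salt = stored.split("$")[2]
    # Constant-time comparison so the check does not leak how many characters matched.
    return hmac.compare_digest(apr1_crypt(password, salt), stored)


if __name__ == "__main__":
    # Constructed test values, not a real account.
    line = htpasswd_line("admin", "test", salt="GZJSVSSc")
    print(line)
    print(verify(line, "admin", "test"), verify(line, "admin", "wrong"))
```

Running the script with the salt GZJSVSSc and the password test produces the hash to compare against the admin entry above. Python's standard library cannot produce bcrypt hashes, so for the stronger htpasswd -B format leave generation to the htpasswd tool itself.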
4) Blocking xmlrpc.php
XML-RPC is a protocol for remote procedure calls: requests and responses are encoded in XML and carried over HTTP, so programs written in different languages and running on different platforms can call each other. WordPress exposes it through xmlrpc.php, and it is the protocol the Jetpack plugin and the WordPress mobile apps use to talk to a site. Attackers abuse it in two ways. The system.multicall method lets a single HTTP request carry hundreds of login attempts, so a brute-force run is far cheaper for the attacker and far heavier for the server than the same attempts against wp-login.php; and the pingback.ping method can be used to make your site send requests to a third-party victim, turning it into a participant in someone else's DDoS. Either way the result can be a server that is unavailable to everyone.
In the root directory, create a .htaccess file and add:
<files xmlrpc.php>
order allow,deny
deny from all
</files>
<files wp-cron.php>
order allow,deny
deny from all
</files>
On Apache 2.4 without mod_access_compat, replace the two lines inside each block with Require all denied. Blocking xmlrpc.php also breaks anything that legitimately talks to WordPress over XML-RPC, such as Jetpack and the mobile apps; allow their source addresses, or leave the file open, if you depend on them. The second block stops unauthenticated visitors from triggering WordPress's scheduled tasks by requesting wp-cron.php, but it also stops WordPress's own loopback request to that file, so scheduled tasks (scheduled posts, update checks, plugin jobs) will silently stop unless you set DISABLE_WP_CRON to true in wp-config.php and run the file from a real cron job instead, for example php /path/to/site/wp-cron.php every few minutes.
Methods 2, 3 and 4 are enforced by Apache's access and authentication checks before PHP is ever started, so a rejected request costs the server almost nothing and the load from a brute-force run drops sharply. The spread of these login bots is alarming, and any measure that makes their job harder is welcome.
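Methods 2 and 4 both come down to knowing which addresses are hammering the login. The following Python script is an added example, not code from the original post, that finds them: it parses a few constructed Apache combined-format access-log lines (sample data embedded in the script, not real traffic), counts POST requests to the login endpoints named on this page per source address inside a sliding one-minute window, and prints an Apache 2.4 access-control block that denies the offenders. The log format, the threshold and the addresses are assumptions made for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache "combined" access-log lines (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:12:50:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "python-requests/2.31"
192.0.2.44 - - [10/Oct/2023:13:54:40 +0000] "GET /wp-login.php HTTP/1.1" 200 2105 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:54:55 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:08 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 4231 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:12 +0000] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:56:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 891 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 891 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 891 "-" "Mozilla/5.0"
"""

# %h %l %u %t "%r" %>s ... : we only need the client, the timestamp and the request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Login endpoints discussed on this page; a POST to one of them is a credential attempt.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php", "/administrator/index.php"}


def parse_line(line):
    """Return (ip, timestamp, path) for a POST to a login endpoint, otherwise None."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "POST":
        return None
    path = m.group("target").split("?", 1)[0]        # drop the query string
    if path not in LOGIN_PATHS:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, path


def find_bruteforcers(lines, threshold=5, window=timedelta(minutes=1)):
    """Map IP -> peak number of login POSTs inside any sliding `window`.

    Only IPs whose peak reaches `threshold` are returned. One POST to xmlrpc.php
    can carry many credential pairs via system.multicall, so the per-request
    count understates XML-RPC brute force; use a lower threshold for that file.
    """
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ip, ts, _ = rec
            attempts[ip].append(ts)

    offenders = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):            # two-pointer sliding window
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders


def deny_block(ips):
    """Apache 2.4 access-control snippet that admits everyone except `ips`."""
    rules = "\n".join(f"    Require not ip {ip}" for ip in sorted(ips))
    return f"<RequireAll>\n    Require all granted\n{rules}\n</RequireAll>\n"


if __name__ == "__main__":
    hits = find_bruteforcers(SAMPLE_LOG.splitlines())
    print(hits)
    print(deny_block(hits))
```

Against a live server, pass the open access log to find_bruteforcers instead of the sample and paste the printed block into the .htaccess beside the login page (or into the server configuration). Tools such as fail2ban run the same detect-and-deny loop continuously, which is what you want once the attack lasts longer than one evening.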
Recommendations
- Use a strong password. It should be at least 8 characters long, preferably more, and mix uppercase and lowercase letters, numbers and special characters. Another option is an extra-long passphrase such as "youllneverrememberthispassword"; against brute force, length counts for more than the choice of symbols.