Forum Topic: Still getting through security wall?

Forum: .htaccess Forum : Security • Posted by Jeroen

Jeff, I don’t know where else to ask, but since it’s your hobby anyway ;)

I need some help from you to protect my website against our lovely fellow earthlings. They have been very actively scanning for the login page for some days now. I have hidden my WP login with a rewrite rule using a custom slug, and it denies direct access to wp-login.php and wp-admin. It works well, but sometimes I see a 200 status code on wp-login.php.

Look at this

mx-ll-180.183.65-11.dynamic.3bb.co.th - - [06-aug-2013:04:59:32 -0500] "POST /wp-login.php HTTP/1.1" 418 5
mx-ll-180.183.65-11.dynamic.3bb.co.th - - [06-aug-2013:04:59:32 -0500] "POST /wp-login.php HTTP/1.1" 418 5
178.127.229.174 - - [06-aug-2013:04:59:43 -0500] "POST /wp-login.php HTTP/1.0" 406 226
segment-223-30.sify.net - - [06-aug-2013:04:59:44 -0500] "POST /wp-login.php HTTP/1.0" 406 226
177.159.93.105.dynamic.adsl.gvt.net.br - - [06-aug-2013:04:59:52 -0500] "POST /wp-login.php HTTP/1.0" 406 226
190-203-122-147.dyn.dsl.cantv.net - - [06-aug-2013:05:00:07 -0500] "POST /wp-login.php HTTP/1.0" 406 226
190-203-122-147.dyn.dsl.cantv.net - - [06-aug-2013:05:00:07 -0500] "POST /wp-login.php HTTP/1.0" 406 226
9.56.234.111.ap.yournet.ne.jp - - [06-aug-2013:05:00:14 -0500] "POST /wp-login.php HTTP/1.0" 406 226
9.56.234.111.ap.yournet.ne.jp - - [06-aug-2013:05:00:14 -0500] "POST /wp-login.php HTTP/1.0" 406 226
9.56.234.111.ap.yournet.ne.jp - - [06-aug-2013:05:00:14 -0500] "POST /wp-login.php HTTP/1.0" 406 226
em49-252-73-19.pool.e-mobile.ne.jp - - [06-aug-2013:05:00:22 -0500] "POST /wp-login.php HTTP/1.0" 406 226
95.57.143.218.megaline.telecom.kz - - [06-aug-2013:05:00:24 -0500] "POST /wp-login.php HTTP/1.0" 406 226
41.73.235.10 - - [06-aug-2013:05:00:33 -0500] "POST /wp-login.php HTTP/1.1" 200 3342

or otherwise see this: http://www.tiikoni.com/tis/view/?id=3dca8cc

Does the 200 status mean that they found a way to have direct access to wp-login.php?

And why is it inconsistent? The top lines say that they found my beautiful 418 page, but later they went right through. That they managed to get to the 418 page I also don’t understand, because I use that only with a 301 redirect on the slug ‘administrator’ (after many attempts they use this slug).

What should I make of this, and should I worry a lot / a little bit / not at all?

Thanks as always.
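As an added example (not part of the original post): a small Python parser for access-log lines in the format pasted above. It counts requests for /wp-login.php by status and by (HTTP version, status) and lists the ones the server answered with 2xx, which is the case to look at, since a 2xx on that path means the request was served rather than redirected. The sample log embedded in the block is a constructed copy of the excerpt above, and the field layout (host, two dashes, bracketed timestamp, quoted request line, status, size) is assumed from it.

```python
import re
from collections import Counter

# Constructed sample: a copy of the access-log excerpt from the post above
# (Apache common log format; no referer or user-agent fields).
SAMPLE_LOG = """\
mx-ll-180.183.65-11.dynamic.3bb.co.th - - [06-aug-2013:04:59:32 -0500] "POST /wp-login.php HTTP/1.1" 418 5
mx-ll-180.183.65-11.dynamic.3bb.co.th - - [06-aug-2013:04:59:32 -0500] "POST /wp-login.php HTTP/1.1" 418 5
178.127.229.174 - - [06-aug-2013:04:59:43 -0500] "POST /wp-login.php HTTP/1.0" 406 226
segment-223-30.sify.net - - [06-aug-2013:04:59:44 -0500] "POST /wp-login.php HTTP/1.0" 406 226
177.159.93.105.dynamic.adsl.gvt.net.br - - [06-aug-2013:04:59:52 -0500] "POST /wp-login.php HTTP/1.0" 406 226
190-203-122-147.dyn.dsl.cantv.net - - [06-aug-2013:05:00:07 -0500] "POST /wp-login.php HTTP/1.0" 406 226
190-203-122-147.dyn.dsl.cantv.net - - [06-aug-2013:05:00:07 -0500] "POST /wp-login.php HTTP/1.0" 406 226
9.56.234.111.ap.yournet.ne.jp - - [06-aug-2013:05:00:14 -0500] "POST /wp-login.php HTTP/1.0" 406 226
9.56.234.111.ap.yournet.ne.jp - - [06-aug-2013:05:00:14 -0500] "POST /wp-login.php HTTP/1.0" 406 226
9.56.234.111.ap.yournet.ne.jp - - [06-aug-2013:05:00:14 -0500] "POST /wp-login.php HTTP/1.0" 406 226
em49-252-73-19.pool.e-mobile.ne.jp - - [06-aug-2013:05:00:22 -0500] "POST /wp-login.php HTTP/1.0" 406 226
95.57.143.218.megaline.telecom.kz - - [06-aug-2013:05:00:24 -0500] "POST /wp-login.php HTTP/1.0" 406 226
41.73.235.111 - - [06-aug-2013:05:00:33 -0500] "POST /wp-login.php HTTP/1.1" 200 3342
"""

# host ident user [time] "method path HTTP/version" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/(?P<version>\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text, path="/wp-login.php"):
    """Summarize requests for `path`: counts by status, counts by
    (HTTP version, status), and the requests answered with 2xx, i.e. the
    ones the server handled itself instead of redirecting."""
    by_status = Counter()
    by_version_status = Counter()
    served = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != path:
            continue
        by_status[rec["status"]] += 1
        by_version_status[(rec["version"], rec["status"])] += 1
        if rec["status"].startswith("2"):
            served.append((rec["host"], rec["time"], rec["method"], rec["size"]))
    return {
        "by_status": by_status,
        "by_version_status": by_version_status,
        "served": served,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("by status:        ", dict(s["by_status"]))
    print("by version/status:", dict(s["by_version_status"]))
    for host, when, method, size in s["served"]:
        print(f"SERVED 2xx: {host} at {when} ({method}, {size} bytes)")
```

Run it as `python3 loginscan.py`; on the sample it reports two 418s and ten 406s, and flags the single POST that got a 200 with a 3342-byte body. Point it at a real access log with `summarize(open("access.log").read())` to get the same breakdown.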

3 Replies to “Still getting through security wall?”

Posted by Jeff Starr

Hmmm very interesting… which .htaccess rules are you using for the login page? (feel free to change any sensitive info) That will help in figuring out what might be happening here..

Posted by Jeroen

Thanks Jeff, for looking into it again. I use this code to hide my login:

<IfModule mod_rewrite.c>
RewriteEngine On

# Friendly slugs that redirect to the real login/register pages, carrying the secret query token
RewriteRule ^welcome/?$ /wp-login.php?hfyrj5nsh3hd78hjg [R,L]

# Not logged in: send welcomeadmin to the login page, then on to /wp-admin/
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
RewriteRule ^welcomeadmin/?$ /wp-login.php?hfyrj5nsh3hd78hjg&redirect_to=/wp-admin/ [R,L]
# Already logged in: straight to /wp-admin/
RewriteRule ^welcomeadmin/?$ /wp-admin/?hfyrj5nsh3hd78hjg [R,L]
RewriteRule ^regi~N0tpo551bl.3/?$ /wp-login.php?hfyrj5nsh3hd78hjg&action=register [R,L]

# Direct hits on wp-admin or wp-login.php are redirected to / unless one of these
# conditions exempts the request (every condition must hold for the rule to fire)
RewriteCond %{SCRIPT_FILENAME} !^(.*)admin-ajax\.php
RewriteCond %{HTTP_REFERER} !^(.*)example.com/wp-admin
RewriteCond %{HTTP_REFERER} !^(.*)example.com/wp-login\.php
RewriteCond %{HTTP_REFERER} !^(.*)example.com/welcome
RewriteCond %{HTTP_REFERER} !^(.*)example.com/welcomeadmin
RewriteCond %{HTTP_REFERER} !^(.*)example.com/regi~N0tpo551bl.3
RewriteCond %{QUERY_STRING} !^hfyrj5nsh3hd78hjg
RewriteCond %{QUERY_STRING} !^action=logout
RewriteCond %{QUERY_STRING} !^action=rp
RewriteCond %{QUERY_STRING} !^action=register
RewriteCond %{QUERY_STRING} !^action=postpass
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
RewriteRule ^.*wp-admin/?|^.*wp-login\.php / [R,L]

# After logout, go back to the hidden login page
RewriteCond %{QUERY_STRING} ^loggedout=true
RewriteRule ^.*$ /wp-login.php?hfyrj5nsh3hd78hjg [R,L]
</IfModule>

Those mad people are trying to get in more than 1600 times a day, but the firewall is still holding.

There are a lot of requests for POST /wp-login.php HTTP/1.0. I’m using HTTP/1.1. Is there a way to get them to /error/418.php instead of 406? ;)

Thanks again, Jeff
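An added model (example code, not Jeroen's .htaccess and not anything from the thread) of the deny rule in the configuration posted above, to show mechanically which requests it redirects and which it leaves alone. The patterns are copied from the posted RewriteConds and RewriteRule; the site name example.com, the request dictionaries and the outcome strings are constructed for the example, and SCRIPT_FILENAME is approximated by the URL path. Two things the model makes visible: the rule is a chain of negated conditions, so a request that satisfies any one of them (a Referer containing example.com/wp-admin, a cookie whose name contains wordpress_logged_in_, a query string starting with action=register, and so on) is handed to WordPress untouched, and Referer and Cookie are whatever the client chooses to send; and the [R] flag with no status code issues a 302, so a request the rule did catch would show up in the log as 302, not as 406 or 418. The model does not establish what 41.73.235.10 actually sent; the thread does not say.

```python
import re

# Secret query token copied from the posted rules
SECRET = "hfyrj5nsh3hd78hjg"

# Patterns copied from the posted RewriteConds. Each one is negated in the
# .htaccess, so a request that matches ANY of them is exempt from the redirect.
REFERER_EXEMPT = [
    r"^(.*)example.com/wp-admin",
    r"^(.*)example.com/wp-login\.php",
    r"^(.*)example.com/welcome",
    r"^(.*)example.com/welcomeadmin",
    r"^(.*)example.com/regi~N0tpo551bl.3",
]
QUERY_EXEMPT = [
    "^" + SECRET,
    r"^action=logout",
    r"^action=rp",
    r"^action=register",
    r"^action=postpass",
]
COOKIE_EXEMPT = r"^.*wordpress_logged_in_.*$"
SCRIPT_EXEMPT = r"^(.*)admin-ajax\.php"   # RewriteCond %{SCRIPT_FILENAME} ...

# The RewriteRule pattern; in a per-directory .htaccess it is tested against
# the path with the leading slash removed.
TARGET = r"^.*wp-admin/?|^.*wp-login\.php"

REDIRECT = "302 -> /"   # [R] without an explicit code is a 302
PASS = "pass"           # request reaches WordPress unchanged


def decide(req):
    """Outcome of the deny rule for a request dict with keys path, query,
    referer and cookie (missing keys count as empty, as the Apache variables
    would be). Apache evaluates RewriteCond with an unanchored PCRE search,
    so re.search is used; the copied patterns all begin with ^ anyway.
    Assumption: SCRIPT_FILENAME is approximated by the URL path."""
    path = req["path"]
    query = req.get("query", "")
    referer = req.get("referer", "")
    cookie = req.get("cookie", "")
    if re.search(SCRIPT_EXEMPT, path):
        return PASS
    if any(re.search(p, referer) for p in REFERER_EXEMPT):
        return PASS                      # client-supplied header
    if any(re.search(p, query) for p in QUERY_EXEMPT):
        return PASS
    if re.search(COOKIE_EXEMPT, cookie):
        return PASS                      # client-supplied header, name only
    if re.search(TARGET, path.lstrip("/")):
        return REDIRECT
    return PASS


# Constructed requests, not taken from the log above. Every header value here
# is something the client chose to send.
REQUESTS = {
    "bot_post":        {"path": "/wp-login.php"},
    "own_slug":        {"path": "/wp-login.php", "query": SECRET},
    "forged_referer":  {"path": "/wp-login.php",
                        "referer": "http://example.com/wp-admin/"},
    "forged_cookie":   {"path": "/wp-login.php",
                        "cookie": "wordpress_logged_in_abc=1"},
    "register_action": {"path": "/wp-login.php", "query": "action=register"},
    "admin_ajax":      {"path": "/wp-admin/admin-ajax.php",
                        "query": "action=heartbeat"},
    "admin_dir":       {"path": "/wp-admin/"},
}


def run_all():
    """Decision for every constructed request, keyed by name."""
    return {name: decide(req) for name, req in REQUESTS.items()}


if __name__ == "__main__":
    for name, outcome in run_all().items():
        print(f"{name:16} {outcome}")
```

Run it as `python3 denyrule.py`: the bare bot POST and the hit on /wp-admin/ come out as 302, everything else passes. To check a real request against the live rules rather than the model, send it with curl and look at the status: `curl -s -o /dev/null -w '%{http_code}\n' -X POST https://example.com/wp-login.php`, once plainly and once with `-H 'Referer: http://example.com/wp-admin/'`.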

Posted by Jeff Starr

Yeah what is it that’s sending the 406, 418, and other custom responses? That will factor into the equation.. (interesting .htaccess rules btw!)