I noticed a rather severe spike in CPU usage on my Mediatemple server, and dug in to see what was causing it. For an hour, someone was hammering the login form for my blog, accounting for 98% of all CPU usage for my account during the “attack”. That’s not OK (I have lots of CPU/bandwidth left, but it’s silly to leave a login form exposed to some kind of sustained script-kiddie “attack”).

Guess where the login form “attacks” are… I’m still only using 15% of my allotted CPU time overall, but wanted to stop this before it grew into something else.

I modified my .htaccess file to block all access to the wp-login.php file, unless you are referred to it by a super-top-secret page somewhere on the internet. I combined this tip with a bit adapted from this tip (which is something I already use to protect the University’s Feed2JS install from stupid casino spammers).

Anyway, here’s the trick to locking down your WordPress login form, without having to mess things up too badly.

# protect wp-login.php
# Refuse every request for wp-login.php unless the Referer header is exactly the
# secret page (an empty or missing Referer fails the match and is refused too).
<Files wp-login.php>
    # Order without an Allow/Deny line changes nothing; kept from the original.
    Order deny,allow
    RewriteEngine on
    # [NC] makes the comparison case-insensitive; the leading ! negates it, so the
    # rule fires when the Referer does NOT equal the secret page.
    RewriteCond %{HTTP_REFERER} !^http://secret-server.com/secret-login-page.html$ [NC]
    # Rewrite to itself ("-") and return 403 Forbidden.
    RewriteRule .* - [F]
    # Caveat: when the login form itself is submitted, browsers send the form's own
    # URL (your blog's wp-login.php) as the Referer, so that POST also has to be
    # allowed for the login to complete.
</Files>

You’ll want to replace the bit that says “secret-server.com/secret-login-page.html” with the URL of a page you’ve created. That page contains a hyperlink to the wp-login.php file on your blog. All attempts to access the login form will be refused, unless someone has followed the link from your secret login page first. Security through obscurity, sure. But the stupid script kiddies will be blocked, and it’s trivial to implement.

There are other tricks that block logins except for those coming from known IP addresses, but that assumes you don’t move around much. This works from any computer, as long as you remember your super-top-secret login link page…
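The CPU spike that prompted this post was a sustained burst of POSTs to wp-login.php. As an added example (not part of the original post, and not the .htaccess rule above), here is a small Python log scan that spots that pattern in an Apache combined-format access log: it counts login POSTs per client IP inside a sliding window and flags the IPs that exceed a threshold. The log lines, IP addresses and hostnames are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format:
# ip - - [day/Mon/year:HH:MM:SS zone] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def parse_line(line):
    """Parse one combined-format line into a dict; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def login_hammerers(lines, window_seconds=60, threshold=5):
    """Return {ip: peak number of POSTs to wp-login.php within any window of
    window_seconds} for every IP whose peak reaches threshold. Only POSTs are
    counted: a GET just displays the form, a POST is an actual login attempt."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?", 1)[0].endswith("/wp-login.php"):
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample: a script posting once a second, then one legitimate user who
# arrives via the secret page and submits the form once; plus an unparseable line.
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Mar/2009:14:00:0{i} +0000] "POST /wp-login.php HTTP/1.1" 200 3150 "-" "python-urllib"'
    for i in range(1, 7)
] + [
    '198.51.100.7 - - [10/Mar/2009:14:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3150 "http://secret-server.com/secret-login-page.html" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2009:14:05:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://blog.example/wp-login.php" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, n in login_hammerers(SAMPLE_LOG).items():
        print(f"{ip}: {n} login POSTs within 60s")
```

Point it at a real access_log by reading the file into `lines`; the flagged IPs are what you would feed into a firewall rule or a rate limiter rather than a referer check.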

5 replies on “protecting wp-login.php”

  1. If you cannot use /wp-login.php from any other page but your secret one anyway, it is way more simple and effective to rename the file wp-login.php (and a lot funnier to then place a honeypot at /wp-login.php that allows “login” for anybody). I don’t see a point in having to type example.com/super-secret-redirected-login.php to get to /wp-login.php if I could use /my-secret-renamed-login.php as well.

    1. A secretly renamed wp-login.php would need to be rebuilt after every WordPress update, which would drop a fresh copy of the real wp-login.php file into the correct location. By letting htaccess etc… intercept it, there is nothing else to do after upgrading WordPress.

  2. I like the idea of this but it would be great if, instead of having to visit the dummy page and click a link on it to get to wp-login.php, the page redirected to wp-login.php. That would save that added step of having to click the link. Do you think this is possible or is clicking the link from the dummy page required to qualify as a referral?
