protecting wp-login.php


I noticed a rather severe spike in CPU usage on my Mediatemple server, and dug in to see what was causing it. For an hour, someone was hammering the login form for my blog, accounting for 98% of all CPU usage for my account during the "attack". That's not OK (I have lots of CPU/bandwidth left, but it's silly to leave a login form exposed to some kind of sustained script-kiddie "attack").

Guess where the login form "attacks" are... I'm still only using 15% of my allotted CPU time overall, but wanted to stop this before it grew into something else.

I modified my .htaccess file to block all access to the wp-login.php file, unless you are referred to it by a super-top-secret page somewhere on the internet. I combined this tip with a bit adapted from this tip (which is something I already use to protect the University's Feed2JS install from stupid casino spammers).

Anyway, here's the trick to locking down your WordPress login form, without having to mess things up too badly.

# protect wp-login.php

    Order deny,allow
    RewriteEngine  on
    RewriteCond %{HTTP_REFERER} !^http://secret-server.com/secret-login-page.html$ [NC]
    RewriteRule .* - [F]

You'll want to change the bit that says "secret-server.com/secret-login-page.html" with a URL that holds a file you've created. That file will contain a hyperlink to the wp-login.php file on your blog. All attempts to access the login form will be refused, unless someone has followed the link from your secret login page first. Security through obscurity, sure. But the stupid script kiddies will be blocked, and it's trivial to implement.

There are other tricks that block logins except for those coming from known IP addresses, but that assumes you don't move around much. This works from any computer, as long as you remember your super-top-secret login link page...

comments powered by Disqus