In the latest months me and a lot of my friends noticed that our sites was under atack. Exactly our wordpress login page become the most traficated page of web site (with up to 10.000 visit per day and counting).
So we’ve decided to keep safe and we had installed several plugin, the ones that checks for file modification on server (if some one gather unwanted access to the server and changes some file then we got a message), the one to lock surfers that makes too much requests in a given gap of time (flooding), the one that locks users when ecxeed the number of wrong password for a known/unknown user (hacking the login page) and so on!
However the server resources becomes limited against the number of plugins installed and the checks they have to do before serve a page to the end user causing delay and lack of performances. At the same times all those plugins let us to realize that about 5.000/10.000 failed access per day have been logged by our server. But, as it may be hard, a number so high of atacks could led the hacker/bot to guess the password in few days/weeks.
So, the friends I mentioned at the beginning of this story, asked me for a solution. And this is the one I found: “You have to secure your wp-login.php through .htaccess rule against users that does not hold specific information“. Let’s start with technicism!
Securing your wp-login throug .htaccess
This is simple. You have to create a rewrite rule that check for a specific cookie and redirect the request to a static erro 403 (forbidden) page:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_COOKIE} !^.*secure\-dlm\-cookie=12345.*$ [NC]
RewriteRule wp-login.php 403.html [NC,L,R=403]
</IfModule>
Human description of what the above bunch of rules do: it check for a “secure-dlm-cookie” with the exact value of “12345” and if it’s not setted for the current browsing session then it will redirect the user to the page 403.html whenever a wp-login.php request will be performed.
Create the secure token
Now we have secured the wp-login.php page, so anyone is able to access to our admin area. Anyone, not even us!
We can work in 2 ways: the first is more nerd-security-addicted, the second is almoste safe.
The first nerd-security-addicted solution is to create by hand the cookie in your browser via console giving to the cookie the exact name and value you’re expecting in the .htaccess file.
The second is to create a php file into the root of your WordPress installation named as you want (for example, get-the-security-cookie.php) and put in it the following code:
<?php
setcookie("secure-dlm-cookie", 12345);
header('HTTP/1.1 404 Not Found');
?>
Human description of what the above 2 rows of PHP code do: create the cookie secure-dlm-cookie (as the one expected in the htaccess), feel free (and I sincerely suggest you) to change it’s name, then output a 404 http error. In this way apparently there is nothing to do on this page an the most of crawlers would not remember this page (I hope!!!).
So every time you need to enter to your wordpress admin area, you must make a request to the get-the-security-cookie.php before and then you’ll able to login.
Hoping the above informations will save a lot of resources on your server!
Good luck to all!