Ok, so here’s a quicky.
Like anyone who runs a wordpress site, I get numerous attempts from script kiddies attempting to guess the login. The vast majority of these are handled by fail2ban, but I’ve noticed an increase in the distributed kind of attack – multiple attempts to log in, but all from different IPs.
These fell below the ban threshold, so were getting through. Since strength in depth is good, and I wanted quiet logs, I thought I’d do something about this.
On inspection, it looked like the scripts aren’t terribly smart, in that they just make a POST to wp-login.php
without first loading the login form, meaning they attempted to POST without setting a referrer. So, I wrote a rewrite rule that will block POST attempts to wp-login.php
that have no referrer set.
This is by no means foolproof, the referrer can be easily faked, but it raises the bar slightly for them.
Blocking the scripts
Place the following in your .htaccess
file, or http.conf
for your wordpress site:
RewriteEngine On RewriteCond %{REQUEST_METHOD} POST RewriteCond %{REQUEST_URI} /wp-login\.php RewriteCond %{HTTP_REFERER} ^$ RewriteRule .* - [F,L]
What this does is block all POST requests to wp-login.php
that have an empty referrer, returning a 403 error when this occurs.
It’s very simple, and easy to work around, but seems to block most script kiddies.
Testing
To test, use curl; the following should fail:
curl -d 'test' https://example.com/wp-login.php
But this will return some content:
curl -d 'test' --referer foo.bar https://example.com/wp-login.php