FYI: This has been also posted here since I'm fairly new to this website and didn't know that the Wordpress part existed. Sorry for the repost.

I'm currently trying to tighten the security for a website which is running on wordpress (separate installation, not on wordpress / ). I have installed Wordfence, which instantly blocks all IPs which try to use an invalid user name; this works quite well (some 200+ blocked IPs / day).

Since our ISP is giving out hostnames like

www-xxx-yyy-zzz.my.isp.tld

and there are no users which need to log in besides me, I thought I would add some way to further prevent brute-force attacks.

The WP Codex has a section about preventing access to wp-login.php for anyone who's not submitting the form. In my eyes this should get rid of any scripts which try to brute force their way in like:

www.mydomain.tld/wp-admin.php?log=admin&pwd=alex

Now for anyone submitting the form this wouldn't work, so I added a part to the top of wp-login.php which would check for the host name and then re-direct if it doesn't match our ISP:

<?php
// Reverse-resolve the client IP and redirect unless the name contains our ISP's domain.
// strpos() returns 0 when the needle sits at offset 0, so compare with === (not ==),
// otherwise a legitimate user would be redirected too. Exit after sending the
// redirect so the rest of wp-login.php does not still run for the rejected client.
if (strpos(gethostbyaddr($_SERVER['REMOTE_ADDR']), 'my.isp.tld') === false) {
    header('Location: /');
    exit;
}
?>

I checked it and this piece is working fine as well, when I try to access wp-login.php over my mobile it throws me back to Google, additionally I get an e-mail when somebody tries this. So far it's only been 3-4 login attempts I prevented using this method.

Now from my perspective I've taken care of all things, but Wordfence will still send me notifications about blocked log-in attempts.

To see if it helps, I've added the following to the .htaccess file which is in the main Wordpress folder, which, to my understanding, should deny all access except when coming from my ISP:

<Files "wp-login.php">
    # Apache 2.2 access-control syntax (mod_access_compat on Apache 2.4).
    # Without "deny from all", "order deny,allow" still allows every client.
    order deny,allow
    deny from all
    allow from my.isp.tld
</Files>

Still the e-mails come flying in. Now the question is:

Is there any other way to call wp-login.php in order to try to log in which I haven't thought of? It seems that there are still ways which can be used which are not part of the scenarios mentioned above.

As commented in the other question: The IPs with the failed attempts are not spoofed to fit mine.

Any ideas, comments etc. are greatly appreciated.

So long

Asked Oct 18, 2015 at 20:49 by MDschay; edited Jan 30, 2021 at 14:59 by Celso Bessa.
  • This question here was asked recently and might be related. – birgire Commented Oct 19, 2015 at 8:18
  • Hi @birgire, thanks for this. I will definitely try this solution. – MDschay Commented Oct 19, 2015 at 8:59

2 Answers


Wrote something long and decided to delete it, because the TL;DR is: use a good password and stop pretending to have knowledge of how to secure sites. You are more likely to bring down the performance of the site (your reverse DNS code) or lock yourself out than to actually prevent an attack.

Security is about context, and in the context of WordPress a brute force attack is probably the least of your worries; it would not have prevented you from being hacked via http://wptavern/wordpress-security-alert-new-zero-day-vulnerability-discovered-in-timthumb-script

or http://wptavern/critical-security-vulnerability-found-in-wordpress-slider-revolution-plugin-immediate-update-advised

or https://blog.sucuri/2015/10/security-advisory-stored-xss-in-jetpack.html

And before even getting to plugins maybe I should have asked is your hosting secure? (can't find the link and don't remember which big hosting company was hacked)

The answer to my question about other login possibilities was given in the question posted by birgire.

It turns out that after disabling any remote access to xmlrpc.php the attacks went down to zero.

However, this might have serious consequences for your website since it's used by e.g. Jetpack amongst others, and I therefore do not recommend it.

As mentioned by Mark Kaplun, there are probably other, more serious attacks out there, and from analyzing my logs the brute force attacks I've encountered are very basic and wouldn't stand a chance if you did the following:

  • Change the admin user name to anything else than "admin"
  • Use proper passwords
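As an added example (not code from the question or from either answer): a small Python script that scans Apache access-log lines for POSTs to both credential-accepting endpoints, wp-login.php and xmlrpc.php, so that attempts arriving through xmlrpc.php, which a rule guarding only wp-login.php never sees, show up in the same per-IP count. The log lines are constructed sample data, and the endpoint table and the threshold of 3 are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [18/Oct/2015:20:40:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "Mozilla/5.0"
203.0.113.10 - - [18/Oct/2015:20:40:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Oct/2015:20:41:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 380 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Oct/2015:20:41:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 380 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Oct/2015:20:41:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 380 "-" "Mozilla/5.0"
192.0.2.55 - - [18/Oct/2015:20:42:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
192.0.2.55 - - [18/Oct/2015:20:42:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [18/Oct/2015:20:43:00 +0000] "GET /wp-admin.php?log=admin&pwd=alex HTTP/1.1" 404 200 "-" "curl/7.4"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Endpoints that accept WordPress credentials; xmlrpc.php is the one a rule
# guarding only wp-login.php never sees. (Assumed table for this example.)
LOGIN_ENDPOINTS = {"/wp-login.php": "form", "/xmlrpc.php": "xmlrpc"}


def login_attempts(log_text):
    """Map each client IP to a Counter of POSTs per credential-accepting endpoint."""
    attempts = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparsable, or a GET that only renders the form
        path = m["path"].split("?", 1)[0]  # drop any query string
        kind = LOGIN_ENDPOINTS.get(path)
        if kind:
            attempts[m["ip"]][kind] += 1
    return attempts


def flag_sources(attempts, threshold=3):
    """IPs whose POSTs to either endpoint reach the threshold (assumed value)."""
    return sorted(ip for ip, c in attempts.items() if sum(c.values()) >= threshold)


def xmlrpc_only_sources(attempts):
    """IPs that only ever hit xmlrpc.php: invisible to a wp-login.php-only rule."""
    return sorted(ip for ip, c in attempts.items() if c["xmlrpc"] and not c["form"])


if __name__ == "__main__":
    found = login_attempts(SAMPLE_LOG)
    for ip, c in sorted(found.items()):
        print(ip, dict(c))
    print("flagged:", flag_sources(found), "xmlrpc-only:", xmlrpc_only_sources(found))
```

Run it against a real access log by passing the file contents to login_attempts(); the xmlrpc-only list is the traffic that a wp-login.php-only .htaccess rule or reverse-DNS check leaves untouched.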

Tags: php | Title: Which ways can be used to log in to Wordpress