WordPress brute-force protection | server load

Lately hackers have been trying to guess their way in by dictionary attack. They have no hope of getting in because Wordfence blocks their IP (and we don't use admin), but it doesn't stop them from forcing the SQL database to say no 1K times a minute. This puts an incredible load on the SQL server.

The logins come from hundreds of IPs, so we can't just block them.

We are trying to implement HTTP auth to force a login box that requires a password before you can access the wp-login.php file. Apache can say no 1K times a minute without breaking a sweat.

The problem is when we do this we get a 404 error. It has something to do with the mod_rewrite that WordPress uses to translate index.html to index.php.

This is what we are using that doesn't work:

# Stop Apache from serving .ht* files
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

# Start DDOS Security
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} =POST
# Dots in the domain are escaped so they match literally rather than any character
RewriteCond %{HTTP_REFERER} !^http://([^/]+\.)?edgewaterdev\.com [NC]
RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^/wp-admin$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

# Protect wp-login
<Files wp-login.php>
AuthUserFile /home/ewater/security/.htpasswd
AuthName "Access Is?"
AuthType Basic
require user wpaccesO0
</Files>

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Why doesn't this work? Any help would be appreciated.
kassant7Asked:

Uwe DegenhardtIT-ManagerCommented:
Hi Kassant7, enclosed you can find our .htaccess and .htpasswd files. It works perfectly well. We had the same problems on WP recently:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

<Files wp-login.php>
AuthUserFile /var/www/clients/client25/somesite.com/web/.htpasswd
AuthName "Private access"
AuthType Basic
require user someone
</Files>

And here is the .htpasswd:

someone:$apr1$cgUOc8vC$S0GFcoEbawj/oboIEbJx81
0

btanExec ConsultantCommented:
Maybe worth considering having a CAPTCHA (e.g. reCAPTCHA) together with the login page to drop off the automated bot machines even attempting auth. Also reference these (change the HTTP_REFERER accordingly, since the example is using a different one):
# Block outside domain names from using the POST method
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    # Match the two WordPress POST targets; the dot before "php" is escaped
    RewriteCond %{REQUEST_URI} (wp-comments-post|wp-login)\.php
    RewriteCond %{HTTP_REFERER} !.*himpfen.com.* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]
</IfModule>
http://travel.himpfen.com/hardening-wordpress-htaccess/
#Adding this to your .htaccess will prevent hotlinking from happening:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?YourDomain [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

#Protect the .htaccess Itself
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>
http://thematosoup.com/wordpress-security-htaccess/
May want to consider this optionally too, though it is not login-specific:
#Forbid Proxy comment posting
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:VIA}%{HTTP:FORWARDED}%{HTTP:USERAGENT_VIA}%{HTTP:X_FORWARDED_FOR}%{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION}%{HTTP:HTTP_PC_REMOTE_ADDR}%{HTTP:HTTP_CLIENT_IP} !^$
RewriteCond %{REQUEST_URI} !^/(wp-login\.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .* - [F,NS,L]
http://wpsecure.net/secure-wordpress-advanced/

Just find that as long as we even allow access to the login page, a connection is already established and they can easily also DDoS using bot machines, without attempting to brute force, to fatigue your server's memory resources. It is more than just the normal SYN flood; it can be a type of Slowloris or Slow HTTP POST DoS, where the HTTP connection is established and not duly torn down... They can also intentionally force user account lockouts...

Ideally a CDN like Cloudflare or an application delivery controller can act as a fronting or reverse proxy, separate from the web server. A web application firewall is definitely worth considering, including ModSecurity (even if it is used as a plugin for the Apache server), which goes further with rules that deep-dive into and inspect HTTP literals, etc.
0
kassant7Author Commented:
@ degenhardt | Yours looks the same as mine. Besides the order, what is the difference?
0
kassant7Author Commented:
We added this section yesterday, which brings up the HTTP auth login, but we get a 500 error after we enter the password.

# HTTPAuth compatibility
# ErrorDocument takes a local URL path starting with a slash
ErrorDocument 401 /error.html
ErrorDocument 403 /error.html
0
Uwe DegenhardtIT-ManagerCommented:
Hi kassant7, just a quick question. Is .htaccess/.htpasswd working on a basic level?
Did you try to strip down your files to the minimum?
Is Apache's mod_rewrite running?
Uwe
0
kassant7Author Commented:
It works if we try to protect a single folder.
0
kassant7Author Commented:
I turned on Cloudflare for the sites that were having issues and it didn't seem to make a difference.
0
Uwe DegenhardtIT-ManagerCommented:
This is weird. Any hints in the Apache log files? Did you try it on another server (or did you mean this by saying you tried Cloudflare)?
0
kassant7Author Commented:
Which part is weird? The part that we can protect a single folder, or that Cloudflare didn't make a difference?

We tried the same .htaccess setup on another server with the same results. Something doesn't like the code we're using.

The server logs show repeated attempted logins to wp-login.php. Wordfence is blocking their access to the site, but not the access to the file, forcing SQL to say no hundreds of times.

Would be an easy fix if it were from a single IP, but I can't blacklist them all fast enough. So I am trying to put a buffer between the attacker and the wp-login.php file by using HTTP auth.

The Cloudflare activation was just a Hail Mary. It is mainly caching, so if you force your "attack bot" not to cache, you hit the server directly. That is only a guess though. I thought it would help as well.

This piece of code helped a little:

# Start DDOS Security
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} =POST
# Dots in the domain are escaped so they match literally rather than any character
RewriteCond %{HTTP_REFERER} !^http://([^/]+\.)?allpro\.com [NC]
RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^/wp-admin$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

It reduced the CPU load by 20% or so.
0
btanExec ConsultantCommented:
Wondering if Cloudflare will have touched the HTTP header.
0
Uwe DegenhardtIT-ManagerCommented:
Weird that it doesn't work with almost the same code you try, in comparison with my code.
If you try exactly the same .htaccess/.htpasswd I gave you, what happens then?
0
kassant7Author Commented:
@ degenhardt | What is the unencrypted password? I want to try things exactly like you have them.
0
kassant7Author Commented:
I think we figured it out. Permissions on the folder the htpasswd is in. It was 750; it has to be 755 (public execute).
0
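A check for the root cause found in the thread, as an added example that is not part of the original discussion: a POSIX shell function that walks the directory chain above an .htpasswd file and reports the first component the Apache worker could not pass. It assumes the worker is neither the owner of the path nor in its group, so the "others" permission bits decide.

```shell
#!/bin/sh
# Added example, not from the thread: check whether an AuthUserFile is
# reachable by the Apache worker. Assumption: the worker is neither the
# owner of the path nor in its group, so only the "others" bits decide.
# This reproduces the failure found in the thread, where a parent
# directory at mode 750 (no execute bit for others) made Apache unable to
# open .htpasswd even though the file itself was readable.

# Print one column of the mode string from `ls -ld` (portable across GNU
# and BSD ls): column 8 is other-read, column 10 is other-execute.
perm_char() {
    ls -ld "$1" | cut -c"$2"
}

# htpasswd_reachable FILE
# Returns 0 when every ancestor directory carries the other-execute bit
# ('x', or 't' when the sticky bit is also set) and the file carries the
# other-read bit. Otherwise prints the first offending path and returns 1.
htpasswd_reachable() {
    file=$1
    case $file in
        /*) ;;
        *) file=$(pwd)/$file ;;   # absolute path so dirname walks up to /
    esac
    [ -f "$file" ] || { echo "not a regular file: $file"; return 1; }
    dir=$(dirname "$file")
    while :; do
        case $(perm_char "$dir" 10) in
            x|t) ;;
            *) echo "not traversable by others (needs o+x): $dir"; return 1 ;;
        esac
        if [ "$dir" = / ]; then break; fi
        dir=$(dirname "$dir")
    done
    case $(perm_char "$file" 8) in
        r) return 0 ;;
        *) echo "not readable by others (needs o+r): $file"; return 1 ;;
    esac
}
```

Only the execute (search) bit on each directory is needed for Apache to open the file, so 751 on the folder works as well as 755; the directory's read bit only allows listing it.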
Uwe DegenhardtIT-ManagerCommented:
ok. Good to hear. ;-)
0
kassant7Author Commented:
Solution helps us get to where we needed to be. Thanks!
0
Uwe DegenhardtIT-ManagerCommented:
Thank you too! :-)
0