Blocking WP Login Snooping Bots

If you do not have WordPress installed on your website, I'll show you an easy way to block bots looking for a WP login page.

If you do have WordPress, it would be prudent to install a plugin or something similar that effectively blocks robots from reaching your dashboard by trying different combinations of username and password until they get through. At the very least, use a username other than the ubiquitous "admin", which makes a break-in less likely.

Whether or not you have WordPress, the technique presented here may be expanded to block access to other files and to thwart other probes.

Over 10 Probes a Day for wp-login.php

A new website I helped put up last week had robots snooping for the WordPress login page the very first day. So I thought I'd check Willmaster.com to see what they might be trying there.

During the first 28 days of August, there were 297 probes for wp-login.php at the Willmaster.com server with 121 different IP addresses.

That's about 2½ probes per IP address. One tried 29 times, another 14 times, but most were in the low single digits.

A large majority of the probes (227) were for wp-login.php in the document root directory. Other probes were mostly trying /blog, /dev, /wp, and /wordpress subdirectories. Some tried other subdirectories they found at search engines or noticed intersite links to. One probed for wp-login.php in every directory disallowed in the robots.txt file.

So, yes, if you use WordPress and you haven't already done so, get some blocking protection. Else, one of these days, a bot will get through. Which could mean you are through. A search for "wp login protect" is one way to find more information.

If You Do Not Have WordPress

On the other hand, if you don't have WordPress, read on. We're going to block some bots :-)

These 4 lines in your .htaccess file will block those bots cold (on Apache 2.4, the Order/Allow/Deny directives require the mod_access_compat module):

SetEnvIf Request_URI wp-login\.php$ BackOffNow=1
Order allow,deny
Allow from all
Deny from env=BackOffNow

Test loading your site's index page and at least one secondary page to verify the .htaccess addition didn't break anything.

Now, test the block. Try loading a page named wp-login.php as if it actually existed on your site. You should get a 403 Forbidden error message instead of a 404 Not Found.

If You're Curious

If you don't have WordPress and you're curious about what usernames and passwords the bots are trying, temporarily hold off on the above .htaccess file insert. Instead, set up a script to record their activity.

Which is what I did at the new site I mentioned earlier. I was curious.

This is the script.

<?php
# Copyright 2015 Will Bontrager Software LLC
# Path of the log file, relative to the document root. The directory must be writable by the web server.
$LogLocation = '/wp_attempts/wp_login_attempts.txt';
# Record whatever was POSTed (the spoofed login form), or a marker when the request carried no POST data.
$post = count($_POST) ? json_encode($_POST) : json_encode(array('No POST'));
# Append one tab-separated line: timestamp, client IP address, JSON-encoded POST data.
# LOCK_EX keeps simultaneous probes from interleaving their writes.
file_put_contents( $_SERVER['DOCUMENT_ROOT'].$LogLocation, date('r')."\t{$_SERVER['REMOTE_ADDR']}\t$post\n", FILE_APPEND | LOCK_EX );
# Answer with 403 Forbidden instead of a WordPress login page.
header('HTTP/1.0 403 Forbidden');
echo '<h1>403 Forbidden</h1>';
exit;
?>

The log location (the $LogLocation value in the above code) may be changed and must be writable by the web server. On some servers, that means the subdirectory needs 777 permissions. Because that location is under the document root, it is also reachable by URL; deny web access to the subdirectory (or keep the log outside the document root) so the recorded login attempts can't be read by anyone who requests the file.

Name the script wp-login.php and put it in the document root directory.

Test it by typing its URL into your browser's address bar. It should (i) send a 403 Forbidden response to your browser and (ii) make a log entry in this format:

Sat, 29 Aug 2015 10:32:01 -0400	73.39.209.22	["No POST"]

The log entry has a time stamp, the IP address, and ["No POST"], each separated with a tab character. (The ["No POST"] is because you accessed the script directly, not as a spoofed form submission.)

OK, you're now all set up to find out what usernames and passwords the bots try when they probe.

The script records the probe in the log and responds with a 403 Forbidden status.

When a bot's probe is just to see if the file is present (not trying to log in), the log entry will be like the entry you saw when you tested the script. But when a bot's probe includes trying to log in, which is likely to be most of the time, you'll see something like this:

Sat, 29 Aug 2015 10:33:20 -0400	73.39.209.22	{"log":"admin","pwd":"adminpassword"}

Instead of ["No POST"], the log records the spoofed login form submission. The data is JSON encoded, but as you see, it's easy to read: log is the WordPress login form's username field and pwd is its password field.

Done Being Curious?

When your curiosity has been satisfied and you're ready to immediately block bots that ask for wp-login.php, implement the .htaccess block presented earlier, in the "If You Do Not Have WordPress" section.

Expanding the Techniques

Whether or not you have WordPress, the technique presented here may be expanded.

The techniques presented in this article are:

  • How to log the POST data sent by bots probing for files that don't otherwise exist on your server. (POST field values generally aren't recorded in regular server logs.)

  • How to respond to bots with a 403 Forbidden status code from within a PHP script. (Generally, but not always, bots go away after being served a 403.)

  • How to use the .htaccess file to ban access to a certain file name. (See the Apache documentation for SetEnvIf and also the documentation for Order, Allow, and Deny.)

Here's a short list of what may be built with those techniques:

  • Block access to other files and to entire directories.

  • Thwart other bot probes, especially probes looking for server vulnerabilities or access to other site management software.

  • Automatically update the .htaccess file or other central file with bot IP addresses for permanent blocking.

  • Create a list of banned IP addresses for other software to use — perhaps ...

    • Software to share the blocked IP addresses with each of your other sites and perhaps also ...

    • Software to share the blocked IP addresses with sites you have business relationships with, each site sharing their blocked IP addresses with each other, so any bots from those IP addresses that come around are banned before they can probe for anything.

  • Create software that operates when a 404 is encountered to respond depending on what's being requested.

The above ideas can be developed for any Unix or Linux server. Perhaps also for Microsoft IIS servers, but that's not my area of expertise.
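As an added example (not part of the original article, and not the author's code), here is a Python script that parses the tab-separated log the wp-login.php script above writes, counts probes per IP address and the usernames and passwords tried, and renders the repeat offenders as Deny lines in the same Order/Allow/Deny style as the .htaccess block earlier. That is the "automatically update the .htaccess file with bot IP addresses" idea from the list above. The log lines and IP addresses in it are constructed samples, and the threshold of 2 probes is an arbitrary assumption.

```python
import json
from collections import Counter

# Constructed sample of the article's log format: RFC 2822 timestamp, client IP,
# JSON-encoded POST body (or ["No POST"] for a presence-only probe), tab-separated.
# IP addresses are from documentation ranges; the last line is deliberately malformed.
SAMPLE_LOG = (
    'Sat, 29 Aug 2015 10:32:01 -0400\t203.0.113.10\t["No POST"]\n'
    'Sat, 29 Aug 2015 10:33:20 -0400\t203.0.113.10\t{"log":"admin","pwd":"adminpassword"}\n'
    'Sat, 29 Aug 2015 10:33:41 -0400\t203.0.113.10\t{"log":"admin","pwd":"123456"}\n'
    'Sat, 29 Aug 2015 11:02:07 -0400\t198.51.100.7\t{"log":"admin","pwd":"admin"}\n'
    'Sat, 29 Aug 2015 11:05:55 -0400\t192.0.2.44\t["No POST"]\n'
    'garbage line without tabs\n'
)


def parse_log(text):
    """Return (timestamp, ip, post) tuples; post is a dict, or None for a presence-only probe.
    Lines with the wrong field count or unparseable JSON are skipped rather than aborting."""
    entries = []
    for line in text.splitlines():
        parts = line.split('\t')
        if len(parts) != 3:
            continue
        stamp, ip, raw = parts
        try:
            data = json.loads(raw)
        except json.JSONDecodeError:
            continue
        entries.append((stamp, ip, data if isinstance(data, dict) else None))
    return entries


def summarize(entries):
    """Count probes per IP and the WordPress form fields (log = username, pwd = password) tried."""
    ips = Counter(ip for _, ip, _ in entries)
    users = Counter(p['log'] for _, _, p in entries if p and 'log' in p)
    passwords = Counter(p['pwd'] for _, _, p in entries if p and 'pwd' in p)
    return ips, users, passwords


def ban_list(ips, threshold=2):
    """IPs that probed at least `threshold` times (assumed cutoff), sorted for a stable block list."""
    return sorted(ip for ip, n in ips.items() if n >= threshold)


def htaccess_deny_lines(banned):
    """Render the block list in the article's Order/Allow/Deny style.
    (Apache 2.4 without mod_access_compat would use Require directives instead.)"""
    return ['Order allow,deny', 'Allow from all'] + [f'Deny from {ip}' for ip in banned]
```

Run it against a copy of the real log pulled off the server and review the Deny lines before appending them to .htaccess, since a shared or NAT address can produce false positives.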

Whether or not you expand on the techniques presented in this article, blocking bots looking for the WP login page is easy. Four lines in the .htaccess file do the job.

(This article first appeared in Possibilities ezine.)

Will Bontrager

© 1998-2001 William and Mari Bontrager
© 2001-2011 Bontrager Connection, LLC
© 2011-2024 Will Bontrager Software LLC