Do you find yourself facing endless bot hits on wp-login.php? How about the recent wave of Russian brute force attacks to find login names and then passwords? Wake up and find 1000s of hits on wp-login? Well, I have a definitive solution that just might work for you to get rid of those unwanted brute force attempts to find user names and the horrid traffic created by these idiots.
First make sure you have some protection from spammers and attacks using the Stop Spammers plugin. Can’t tell you how much that has saved me and my site from hours of headaches.
So, I woke up Monday morning to find one of my sites was getting a lot of traffic. On most occasions it is time to celebrate, but not this time. I went through the logs and found that each hit came from a different IP in Russia. You can’t really blame the Russians because anyone can spoof an IP or set up a bunch of dumb computer users as stooges to pass these along.
At first I spent some hours creating a .htaccess that would ban all computers from Russia. I had no legitimate traffic that would come from Russia anyway, so why not? Well, once I got Russia and the Ukraine banned out, the .htaccess deny statements took up 455KB. Almost half a meg, and I was using CIDR to ban whole IP ranges.
This worked, as instead of hits on the site I could see the site error log and watch them being denied. But the wave kept coming. At least a couple hundred an hour. So the deny was not stopping them, it was merely stopping them from hitting my WordPress site.
Well, I figured, HEY! What the heck, why not just change calls to the wp-login.php with a 302 redirect sending them somewhere. Now that is a great idea, except where? Usually I send spurious logins to Disney.com but that is not something that would worry some guy, or guys, who were trying to hack a site like this.
Well, how about sending them to the guys they would least like to meet?
A 302 (temporary) redirect to the NSA!
redirect 302 /wp-login.php http://www.nsa.gov
Place this just before the wp rewrites. Off they go.
Since I know this guy has some process running that has his hack farm attempting logins from a lot of computers he has infected, I knew this was not going to just happen in a few minutes. But I tell you, 36 hours later and now I do not have one error or attempt at wp-login.php.
Then I had an even better idea for the non-WordPress sites I administer. A fake wp-login.php that is merely a redirect to the NSA! That works now too!
Just put this meta in an empty file called wp-login.php:
<META HTTP-EQUIV="REFRESH" CONTENT="1; URL=http://www.nsa.gov/">
Then watch, in a couple days, no more hits.
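To check a result like "no more hits" against the server's own access log, the following added example (not code from the original post) counts wp-login.php requests per hour, with distinct source IPs and response status, so 403 denials and 302 redirects can be told apart. It assumes Apache's common/combined log format; the function name and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common/combined log prefix: ip ident user [time] "request" status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def wp_login_summary(lines):
    """Return {hour: {"hits": n, "ips": distinct sources, "status": {code: n}}}."""
    buckets = defaultdict(
        lambda: {"hits": 0, "ips": set(), "status": defaultdict(int)})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        # Drop the query string so /wp-login.php?action=... is counted too
        path = m["path"].split("?", 1)[0]
        if not path.lower().endswith("/wp-login.php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        bucket = buckets[ts.strftime("%Y-%m-%d %H:00")]
        bucket["hits"] += 1
        bucket["ips"].add(m["ip"])
        bucket["status"][m["status"]] += 1
    return {hour: {"hits": b["hits"], "ips": len(b["ips"]),
                   "status": dict(b["status"])}
            for hour, b in sorted(buckets.items())}

# Constructed sample lines (documentation IP ranges), not from a real log
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:06:01:12 +0000] "POST /wp-login.php HTTP/1.1" 403 209 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:06:14:40 +0000] "POST /wp-login.php HTTP/1.1" 403 209 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2024:06:30:02 +0000] "GET /wp-login.php?action=register HTTP/1.1" 403 209 "-" "-"',
    '192.0.2.44 - - [01/Jan/2024:06:45:10 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [01/Jan/2024:07:02:55 +0000] "POST /wp-login.php HTTP/1.1" 302 230 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hour, stats in wp_login_summary(SAMPLE_LOG).items():
        print(hour, stats)
```

Feed it the lines of the real access log in place of SAMPLE_LOG. Hourly counts that stay steady with only the status code changing mean the requests are still arriving and are just being answered differently.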
With all the spying the NSA does, it makes sense to bring the hackers to them, show them the network of systems they have at their disposal, show them all the IP numbers and robots working for them and let them take care of it. For the hackers it sure shuts down their efforts as soon as they see where their hits are actually going.
I don’t know what the NSA thinks, but I figure I am doing them a favor by letting them have log files filled with the trails from hackers. A win-win for everyone.