We repeat it once more!
The brute-force attacks against WordPress and Joomla login pages, as already described here: https://www.helpburo.eu/index.php?/News/NewsItem/View/67/massale-brute-force-pogingen-op-wordpress-sites, are getting worse all over the internet, not only on your server.
Even worse are the WordPress xmlrpc pingback attacks, which have been well known for years; see here a description and also a solution to this problem: http://perishablepress.com/wordpress-xmlrpc-pingback-vulnerability/

The problem is that the attacks are coming from thousands of IPs in parallel, which overloads even those plug-ins. Currently there is only one solution:

1) Joomla installations
Use the Plesk or DirectAdmin frontend to password-protect the directory /administrator of the Joomla installation.

2) WordPress installations
For WordPress, we must password-protect access to the file wp-login.php, as this is the file the attackers open directly. This must be done manually:

a) Create a .htpasswd file, either manually on the server or with an online tool like http://www.htaccesstools.com/htpasswd-generator/
b) Place the .htpasswd file in the base directory of your WordPress installation.
c) Create a .htaccess file in the base directory of your WordPress installation with the following lines. If a .htaccess file already exists, add these lines at the absolute top of the file:

    # Stop Apache from serving .ht* files
    <Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    </Files>
    # Protect wp-login
    <Files wp-login.php>
    AuthUserFile /YYYYY/.htpasswd
    AuthName "Private access"
    AuthType Basic
    require user XXXXX
    </Files>

- Replace XXXXX with the username you used in the .htpasswd file.
- Replace /YYYYY with the full path to your hosting directory, e.g.:
    /var/www/vhosts/testdomain.nl/httpdocs/.htpasswd (Plesk style)
    /home/user/domains/testdomain.nl/public_html/.htpasswd (DirectAdmin style)

For server owners:
THIS MUST BE DONE FOR ALL WORDPRESS OR JOOMLA INSTALLATIONS ON THE SERVER!
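Steps a) to c) for one WordPress installation as a POSIX shell script, so the same block can be applied to every site on a server. This is an added example, not part of the original notice; it assumes `openssl` is available for generating the password hash, and the function names htpasswd_line and protect_wp_login are my own.

```shell
#!/bin/sh
# Added example (not from the original notice). Applies the .htaccess/.htpasswd
# protection for wp-login.php to one WordPress base directory.

# Print a .htpasswd line "user:hash" using the Apache MD5 (apr1) format.
# Assumes openssl is installed; any htpasswd generator gives the same format.
htpasswd_line() {
    printf '%s:%s\n' "$1" "$(openssl passwd -apr1 "$2")"
}

# protect_wp_login DOCROOT USER HTPASSWD_LINE
# Writes DOCROOT/.htpasswd from HTPASSWD_LINE and prepends the protection
# block (XXXXX = USER, /YYYYY = DOCROOT) to DOCROOT/.htaccess, keeping any
# existing rules (e.g. WordPress permalinks) below it.
protect_wp_login() {
    docroot=$1; user=$2; entry=$3
    printf '%s\n' "$entry" > "$docroot/.htpasswd"
    {
        cat <<EOF
# Stop Apache from serving .ht* files
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
# Protect wp-login
<Files wp-login.php>
AuthUserFile $docroot/.htpasswd
AuthName "Private access"
AuthType Basic
require user $user
</Files>
EOF
        # Order/Deny are Apache 2.2 directives; on 2.4 they need mod_access_compat,
        # the native equivalent being "Require all denied".
        if [ -f "$docroot/.htaccess" ]; then
            cat "$docroot/.htaccess"
        fi
    } > "$docroot/.htaccess.new" && mv "$docroot/.htaccess.new" "$docroot/.htaccess"
}

# Usage (Plesk-style path from the notice; testdomain.nl is a placeholder):
# protect_wp_login /var/www/vhosts/testdomain.nl/httpdocs wpadmin \
#     "$(htpasswd_line wpadmin 'choose-a-strong-password')"
```

Run it once per WordPress docroot on the server; existing .htaccess contents are preserved below the new block, as the notice requires.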