RSS feed
Nieuws
Aug
7
Massale brute force pogingen op Wordpress sites.......
Geplaatst door Mike-Support Helpburo.eu aan 07-08-2013 16:44

Massale brute force pogingen op Wordpress sites.......


Massale brute force pogingen op Wordpress sites. Via geautomatiseerde tools proberen kwaadwilligen de Wordpress logins te bemachtigen door ontelbare combinaties te proberen.

Op sommige websites werd vanuit honderden IP's tegelijkertijd pogingen ondernomen om de gegevens te bemachtigen, helaas worden de requests wegens de distributie aard van de aanval niet gedetecteerd door mod_evasive.

Als bij effect worden database en webservers overbelast door deze ontelbare login pogingen.
 

LEES DIT EERST: 
http://codex.wordpress.org/Brute_Force_Attacks

Hoe kan u uw Wordpress website wapenen tegen deze aanvallen en een aantal oplossingen:


Installeer één van deze modules: (nadeel is dat deze ook de database blijven (over)belasten!)

http://Wordpress.org/plugins/bruteprotect/

http://wordpress.org/extend/plugins/limit-login-attempts/

http://wordpress.org/plugins/all-in-one-wp-security-and-firewall/

of

eenvoudiger en effectief de volgende oplossing:

protect access to wp-login.php with a password:

==============================================================================

Password Protect wp-login.php
Password protecting your wp-login.php file (and wp-admin folder) can add an extra layer
to your server. Because password protecting wp-admin can break any plugin that uses ajax
on the front end, it's usually sufficient to just protect wp-login.

To do this, you will need to create a .htpasswds file. Many hosts have tools to do this
for you, but if you have to do it manually, you can use this htpasswd generator. Much like
your .htaccess file (which is a file that is only an extension), .htpasswd will also have no prefix.

You can either put this file outside of your public web folder (i.e. not in /public_html/
or /domain.com/, depending on your host), or you can put it in the same folder, but you'll
want to do some extra security work in your .htaccess file if you do.

Speaking of, once you've uploaded the .htpasswd file, you need to tell .htaccess where it's
at. Assuming you've put .htpasswd in your user's home directory and your htpasswd username
is mysecretuser, then you put this in your .htaccess:

# Stop Apache from serving .ht* files
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

# Protect wp-login
<Files wp-login.php>
AuthUserFile /YYYYY/.htpasswd
AuthName "Private access"
AuthType Basic
require user XXXXX
</Files>



- replace the XXXXX with the username you used in the .htpasswd file.
- replace /YYYYY with the full path to your hosting directory, eg:
  /var/www/vhosts/testdomain.nl/httpdocs/.htpasswd   (Plesk style)
  /home/user/domains/testdomain.nl/public_html/.htpasswd  (DirectAdmin style)



Reacties (0)
Help Desk Software