Problem with htaccess and file access

Here is my problem, i added next code to my htaccess file how i can limit access to wp-login.php file (wordpress):

ErrorDocument 401 default

# Stop Apache from serving .ht* files
<Files ~ "^\.ht">
Order allow,deny
Deny from all

# Protect wp-login
<Files wp-login.php>
AuthUserFile /home/XXXXXXXXXXX/public_html/.**********
AuthName "Private access"
AuthType Basic
require user YYYYYYY

Now when i try to access login page i have classic pop up window asking me for username and password and without correct info the login page will not load. Frankly however i try to login regardless of what url i'm using (or links) i will always be prompted with popup window asking for login. Still my log file show decent amount of failed login attempts on wordpress. Its happening on two wordpress sites each hosted on separate virtual server. To exclude wordpress both sites have only 4 inactive plugins and two different themes (premium, payed) all updated and no content of any kind. Actually its fresh install.

Now i want to know how is possible for bots to evade htaccess and go directly to login page.

From apache conf:

Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted

and its same for both virtual server.

I feel stupid at this point to stuck with htaccess but whatever i try i could not find any solution. I cant access the login page if i dont put correct username and psw but bots can. Now i'm not sure but maybe this could help:

  • before i changed htaccess both sites had a flood of bots trying to connect

  • after the change (before 4-5 days) site1 didnt have any attempts while site2 continue to have but looks like at reduced number, not sure

  • htaccess is exactly the same for both domains excluding the part where i need to insert domain name into htaccess code

  • all settings for both virtual servers looks same and they should be

Well i'm stuck, any help would be welcome.



Diabolico's picture
Submitted by Diabolico on Thu, 09/24/2015 - 04:01

Ok i found what was the problem. That (in)competent people at actually left a open invitation for bruteforce attacks by using "xmlrpc.php" file loacted in wordpress root directory. Regardless of blocking login page looks like there is a way to exploit this file and actually bypass htaccess rules. I didnt know from WP version 3.5 they decided to leave this option activated as per default (before you needed to do manually from WP settings) and there is no simple way to turn it off. Just great.

I found out after i start digging in log files and saw a lot of direct access to this file what didnt make any sense. In case someone else come with same problem here is what i did, just add this code to htaccess what will block the access to "xmlrpc.php":

<files xmlrpc.php>
order allow,deny
deny from all

This file is used for remote posting and i'm sure that more than 95% of all WP users doesnt need this option so its safe to disable. There is other solution to insert add_filter('xmlrpc_enabled', '__return_false'); into "wp-config.php" but i would strongly suggest to use htaccess.

Please mark this as solved or closed.

Ah, that's a good find!

So it would be necessary to block both the login page, as well as the xmlrpc page.

Thanks for letting us know how you fixed it!