Sysadmin: How to protect WordPress against “POST /wp-login.php” attacks

During the last few weeks I’ve witnessed repeated semi-successful attacks against WordPress sites. The attack is easy to recognize: server response is extremely slow, and if you take a look at the Apache ‘server-status’ page you will see multiple ‘POST /wp-login.php’ requests from different IPs.

The source IPs vary, which suggests that botnets are involved. The attack is very easy to identify from the web server error log because, regardless of the source IP, all requests have an identical User Agent. Here are the typical log entries from the attack:

So far I have not seen these attacks succeed at anything other than denial of service for the whole server: CPU load goes through the roof, RAM gets exhausted, then swap, and the server becomes unresponsive.

How to avoid it? Relatively easy – you need to add some rewrite rules to the main site .htaccess file.

I specifically added a %{USER_AGENT} matching rule because some time ago attackers started providing a proper %{HTTP_REFERER} field in their requests.
Don’t forget to replace “domain.com” with the name of your domain.
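
Rewrite rules matching the description above, as an added example rather than the author's original rules. The string `EXAMPLE-ATTACK-UA` is a placeholder for the User Agent seen in your own logs, `domain.com` is the page's placeholder domain, and mod_rewrite exposes the User Agent header as `%{HTTP_USER_AGENT}`.

```apache
# Added example for the site's top-level .htaccess.
# Assumes mod_rewrite is enabled and AllowOverride permits rewrite directives.
# Place above the "# BEGIN WordPress" block.
<IfModule mod_rewrite.c>
RewriteEngine On

# Rule 1: refuse login POSTs that carry the User Agent shared by the attack.
# EXAMPLE-ATTACK-UA is a placeholder: copy the literal string from your logs
# and escape spaces and regex metacharacters (for example "\ " and "\.").
# This rule is needed because the attackers now send a valid-looking Referer.
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{REQUEST_URI} /wp-login\.php$
RewriteCond %{HTTP_USER_AGENT} EXAMPLE-ATTACK-UA [NC]
RewriteRule ^ - [F]

# Rule 2: refuse login POSTs that do not come from this site's own login
# form (wrong or missing Referer) or that send no User Agent at all.
# Logic: POST AND wp-login.php AND (bad Referer OR empty User Agent).
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{REQUEST_URI} /wp-login\.php$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?domain\.com/ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule ^ - [F]
</IfModule>
```

Requests refused here get a 403 from Apache and never reach PHP, which is what relieves the CPU and memory pressure. Legitimate clients that strip the Referer header are also refused by the second rule.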
