Global protection of all wp-login.php files

Here’s another short post about protecting wp-login.php files on your server from Brute Force Attacks, which can drastically increase your server load. Mine was constantly up to 90% making my server completely inaccessible.

.htaccess or not .htaccess

Adding the following code to your .htaccess files is a solution, but if you have tons of sites like me, you don’t want to manually have to upload .htaccess and .htpasswd files. Instead, you want to handle this at once, globally and server-wide. Here’s how I did it:

First of all, you need to find out whether your httpd.conf file is autogenerated, or whether you can edit it manually (without it being regenerated after an update).

Usually, modifications go into the pre_main_global.conf include file. If this is also the case for you, make sure this is included in your active httpd.conf file.

Edit pre_main_global.conf and add the following code:

<Files ~ "^\.ht">
 Require all denied
</Files>

<Files wp-login.php>
 AuthUserFile /var/htpass/.htpasswd
 AuthName "Private access"
 AuthType Basic
 require user yourloginname
</Files>

Rename “yourloginname” to whatever login name you like.

Create the directory to store your .htpasswd file as follows:

mkdir /var/htpass/

You can generate a .htpasswd file here: http://www.htaccesstools.com/htpasswd-generator/. Make sure to use the same login name you chose above. Any password you want will do, even an empty password if that’s what you want.

Finally, save your .htpasswd file in the previously created directory, in this example we suggested /var/htpass/.

Assuming the pre_main_global.conf gets included as it should, the only thing left is to restart Apache. Use the following command to do so:

service httpd restart

Alternatively, you can restart Apache from DirectAdmin or WHM.

Voila, you are now asked for a User Name and Password each time you access your wp-login.php file to login into WordPress.

Installing Fail2ban on CentOS

Here’s a short tutorial for those of you looking to install Fail2ban on an existing CentOS server or VPS.

First of all, you will have to determine which CentOS version you have. Start an SSH session in a terminal window and run the following command:

cat /etc/centos-release

The response will probably be something like this:

CentOS release 6.8 (Final)

Now that we know the CentOS version is 6, we will have to get the latest EPEL yum repository, using the following command:

rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm

Next step is to install Fail2ban with the following command:

yum install fail2ban

When prompted “Is this ok [y/N]:”, type y and then hit enter.

This may take a few minutes, so sit back and relax waiting for the installation to finish.

The reason you might want to protect your server or VPS using Fail2ban is that you are experiencing too many failed login attempts against WordPress, ProFTPD, Exim or sshd, for example. To do so, you will have to create the following local configuration file, using an editor such as nano:

nano /etc/fail2ban/jail.local

(Don’t have Nano? You can install Nano with the following command: yum install nano.)

Here is how to set up an sshd jail to catch failed login attempts to SSH:

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/secure
maxretry = 3
findtime = 3600
bantime = 86400

Here is how to set up an exim jail to catch failed login attempts to Exim:

[exim]
enabled = true
port = smtp,465,submission
filter = exim
logpath = /var/log/exim/mainlog
maxretry = 3
findtime = 86400
bantime = 31536000

Now that we have created these jails and saved our configuration file (ctrl+x), we have to start Fail2ban on our server or VPS with the following command:

service fail2ban start

If everything went as expected you should get the following response:

Starting fail2ban: [ OK ]

Using Fail2ban to block login attempts to WordPress

If you would additionally like to protect your server or VPS from failed login attempts to WordPress, you should first create a filter.

Your filters are located here: /etc/fail2ban/filter.d/

Create a new filter named wordpress.conf using Nano as follows: nano /etc/fail2ban/filter.d/wordpress.conf

Copy and paste the following code into the newly created wordpress.conf filter file:

# Fail2Ban filter for wordpress
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = wordpress

failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$
            ^%(__prefix_line)sPingback error .* generated from <HOST>$

ignoreregex =

# Author: John Doe

Now that you have created the wordpress.conf filter, you will need to add a new rule to your jail.local file which you have previously created:

[wordpress]
enabled = true
filter = wordpress
logpath = /var/log/secure
maxretry = 3
findtime = 86400
bantime = 31536000
action = iptables-multiport[name=wordpress,port="80,443"]

Finally, you will have to restart Fail2ban using the following command: service fail2ban restart

If everything went well, this is what the response should look like:

Stopping fail2ban: [ OK ]
Starting fail2ban: [ OK ]
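Before relying on the new jail, it is worth checking that the filter actually matches the lines WordPress writes to /var/log/secure and that the maxretry/findtime thresholds behave as intended. The following Python script is an added example, not code from the original post or from Fail2ban itself: it expands the two failregex lines from wordpress.conf with simplified stand-ins for fail2ban’s %(__prefix_line)s and <HOST> expansions (an assumption; the real common.conf definitions accept more formats), and replays them over a constructed /var/log/secure excerpt, assuming WordPress logs authentication failures to syslog in the form the filter expects.

```python
import re
from collections import defaultdict
from datetime import datetime

# The two failregex lines from wordpress.conf, placeholders still unexpanded.
FAILREGEX = [
    r"^%(__prefix_line)sAuthentication failure for .* from <HOST>$",
    r"^%(__prefix_line)sPingback error .* generated from <HOST>$",
]
# Simplified stand-ins for the common.conf expansions (assumption: fail2ban's
# real definitions accept more prefix and host formats than these).
PREFIX_LINE = (r"(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+\S+\s+"
               r"wordpress\([^)]*\)\[\d+\]:\s+")
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed /var/log/secure excerpt (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Aug 14 10:21:03 web1 wordpress(example.com)[2411]: Authentication failure for admin from 203.0.113.7
Aug 14 10:21:09 web1 wordpress(example.com)[2411]: Authentication failure for admin from 203.0.113.7
Aug 14 10:21:15 web1 wordpress(example.com)[2411]: Authentication failure for administrator from 203.0.113.7
Aug 14 10:30:00 web1 wordpress(example.com)[2419]: Pingback error 32 generated from 198.51.100.23
Aug 14 11:02:44 web1 sshd[3002]: Failed password for root from 198.51.100.23 port 51234 ssh2
""".splitlines()

def compile_failregex(patterns=FAILREGEX):
    """Expand the placeholders the way fail2ban does, then compile."""
    return [re.compile(p.replace("%(__prefix_line)s", PREFIX_LINE)
                        .replace("<HOST>", HOST)) for p in patterns]

def matches(lines):
    """Yield (timestamp, host) for each line that some failregex matches."""
    regexes = compile_failregex()
    for line in lines:
        for rx in regexes:
            m = rx.match(line)
            if m:   # syslog lines carry no year; assume one so they parse
                ts = datetime.strptime("2016 " + " ".join(m.group("ts").split()),
                                       "%Y %b %d %H:%M:%S")
                yield ts, m.group("host")
                break

def hosts_to_ban(lines, maxretry=3, findtime=86400):
    """Jail rule from jail.local: ban once maxretry matches fall in findtime seconds."""
    recent, banned = defaultdict(list), set()
    for ts, host in matches(lines):
        window = [t for t in recent[host] if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned
```

On the server itself, fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/wordpress.conf performs the same check against the real filter definitions; the sshd line above is there to show that the wordpress filter ignores lines from other daemons.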

Congratulations, your server or VPS is now protected against scum trying to make your life miserable!