For the last several months I have been facing many brute force attacks against a significant number of WordPress sites I host on my servers. These attacks were mostly targeting wp-login.php (very bad: trying to brute force your password) and wp-comments-post.php (trying to post spam to the comments).

When an attack started I was always notified by my monitoring service (Nagios), since the attackers didn't care about the server's health and tried to send as many requests as possible.

This little piece of code in my .htaccess solved my problem easily (change example.com to your site's domain):

<IfModule mod_rewrite.c>
RewriteEngine On
# Only act on POST requests ...
RewriteCond %{REQUEST_METHOD} POST
# ... aimed at the login or comment handler ...
RewriteCond %{REQUEST_URI} (wp-login|wp-comments-post)\.php
# ... that carry no Referer or a Referer from another site ...
RewriteCond %{HTTP_REFERER} !example\.com [NC,OR]
# ... or send an empty User-Agent
RewriteCond %{HTTP_USER_AGENT} ^$
# Send such a request back to the requester's own address instead of processing it
RewriteRule (.*) http://%{REMOTE_ADDR}/$1 [R=301,L]
</IfModule>

When someone (an attacker) tries to POST to wp-login.php (or wp-comments-post.php) without first loading the login (or comment) form the standard way, the request is redirected away and the POST is never processed. Simple but effective. It does not harm normal users, but it stops automated scripts from completing their malicious requests. This should be shipped with the WordPress installation.
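To see which clients such a rule would catch (or to verify it after deployment), here is an added Python script, not from the original post, that applies the same conditions to Apache combined-format access log lines. The log lines are constructed samples, and the Referer check compares the host exactly (allowing subdomains), which is stricter than the rule's substring match on the domain.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Apache "combined" log: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The two scripts the .htaccess rule protects
TARGETS = re.compile(r'/(wp-login|wp-comments-post)\.php$')

def referer_is_local(referer, site_host):
    """Referer host is site_host or a subdomain (exact host comparison, stricter
    than the rule's substring match); Apache logs a missing Referer as "-"."""
    if not referer or referer == "-":
        return False
    host = urlparse(referer).hostname
    return host is not None and (host == site_host or host.endswith("." + site_host))

def would_be_blocked(entry, site_host):
    """Mirror the rewrite conditions: POST to a target script AND
    (Referer not from our site OR User-Agent empty, logged as "-")."""
    if entry["method"] != "POST" or not TARGETS.search(entry["path"].split("?", 1)[0]):
        return False
    return not referer_is_local(entry["referer"], site_host) or entry["ua"] in ("", "-")

def suspicious_posters(log_lines, site_host):
    """Count, per client IP, the POSTs the rule would have redirected."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if m and would_be_blocked(m.groupdict(), site_host):
            hits[m["ip"]] += 1
    return hits

# Constructed sample lines (not real traffic): 203.0.113.7 hammers the login form with
# no Referer, 198.51.100.4 posts comment spam from elsewhere, 192.0.2.x are normal visitors.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2013:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "-"',
    '203.0.113.7 - - [10/Oct/2013:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2013:13:56:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://spam.example.net/" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2013:13:57:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2013:13:57:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0"',
    '192.0.2.11 - - [10/Oct/2013:13:58:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://www.example.com/2013/hello/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, n in suspicious_posters(SAMPLE_LOG, "example.com").most_common():
        print(f"{ip}: {n} POST(s) the rule would redirect")
```

Like the rule itself, this check only catches clients that omit a Referer or User-Agent or send one from another site; a client that sends plausible headers passes it, so treat it as a cheap first filter alongside rate limiting.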
