How to prevent brute force attacks on your WordPress wp-login.php and wp-comment.php

Last several months I was facing to many brute force attacks to significant amounts of Worpdress sites I am hosting on my servers. These attacks were targeting mostly to wp-login.php (very bad – trying to brute force your password) and wp-comments.php (trying to post spam to the comments).

When the attack started I was always notified by my monitoring service (Nagios) since the attackers didn’t care about the server health and were trying to post as much requests as possible.

This little piece of code in my .httaccess solved my problem easily (change to your site domain):

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login)\.php*
RewriteCond %{HTTP_REFERER} !.** [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://%{REMOTE_ADDR}/$1 [R=301,L]

When someone (attacker) is trying to POST request to the wp-login.php (wp-comment.php) without first filling in the login (or comment) form the standard way, he will be redirected to the form without proceeding the POST request. Simple but effective. It will not harm standard users but it will not allow automatic scripts to proceed their malicious requests. This should be packed with the WordPress installation.

Magento: Special prices not refreshed and still showing

It happened to me and my clients several times. We configured special price for particular products and filled in date of start and expiration when this special price should apply. But then we often found the special prices to be visible even after the expiration date has passed.

First I thought it would be connected with a misconfigured Magento cronjob. But everything was clear in this area. At the end the problem was always solved by reindexing Product prices index. This seems to be bug in Magento itself (I run 1.8.x and 1.9.x and both are experiencing the same problem).

Fortunately the fix is pretty simple.

Read more