I would like to see some basic protection against brute force attacks on the wp-login.php and xmlrpc.php. At the moment, you will need to add plugins and/or disable access to xmlrpc.php using plugins. I hope to see ClassicPress with a basic protection like a captcha on the login page.
Read-only archive: https://petitions.classicpress.net/posts/37/add-some-basic-brute-force-protection-please
Author: Rudy Brinkman
Vote count: 48
Status: open
Tags:
Comments
For Apache servers, it only takes a few lines in .htaccess to do what youâre asking. Iâm sure nginx has counterpart directives if youâre on that server. These directives kick in before ClassicPress is loaded.
# A message for those denied access.
ErrorDocument 401 "Denied"
# To password-protect the login/admin.
<Files wp-login.php>
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/path/to/your/.htpasswd"
require valid-user
</Files>
# To prevent access to xmlrpc.php.
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
One and done. If you donât get past the serverâs user/pass prompt, ClassicPress isnât even loaded. If you do pass the prompt, then you get the normal login page where you can then login as usual. This isnât a guess; I use this very technique on my own site. And hereâs how it looksâŚ
https://codepotent.com/wp-admin/
https://codepotent.com/wp-login.php
https://codepoent.com/xmlrpc.php
I agree with @Code_Potentâs approach. Iâm a great believer in implementing as many server-side security measures as is reasonably practicable, thus preventing access to CP completely when necessary. The only caveat is that access to the file system is required, although this is not usually a problem for files such as .htaccess and .htpasswd.
And while plugins such as Wordfence and Shield offer useful extra protection and peace of mind, they should be considered a last line of defence imho.