Last week a large-scale brute-force attack started targeting the default WordPress login page, wp-login.php, on sites around the world. A brute-force attack is one in which an automated program or script, often called a bot, tries to guess your password by submitting the login form over and over with different passwords until it finds the right one.
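What such an attack looks like in the web server's access log, and how to count the offending clients, as an added example that is not part of the original post: the log lines are constructed for the example, and the awk field positions assume the common Apache/nginx "combined" log format.

```bash
#!/bin/bash
# Added example: count POSTs to wp-login.php per client IP in a
# combined-format access log. The log lines below are constructed.

# Constructed sample log. 203.0.113.7 POSTs the login form four times and
# gets HTTP 200 back each time, i.e. WordPress re-rendered the form because
# the password was wrong. 198.51.100.23 logs in once successfully (302
# redirect). 192.0.2.44 is ordinary traffic.
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [01/Jan/2000:08:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2000:08:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Jan/2000:08:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2830 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2000:08:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2000:08:00:03 +0000] "GET /index.php HTTP/1.1" 200 9911 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Jan/2000:08:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2000:08:00:06 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
EOF
}

# Read a combined-format log on stdin and print "count ip" for every client
# with at least $1 (default 10) POSTs to wp-login.php, busiest first.
# Fields: $1 client IP, $6 "METHOD (with the opening quote), $7 path, $9 status.
login_post_offenders() {
    local min="${1:-10}"
    awk -v min="$min" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' | sort -rn
}

# Same, but count only failed attempts: a POST answered with 200 means the
# login form was re-rendered with an error; a successful login is a 302.
failed_login_posts() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Usage with the constructed log (prints "4 203.0.113.7"):
sample_log | login_post_offenders 3
# On a live server: login_post_offenders 20 < /path/to/your/access.log
```

The threshold is the only knob: legitimate users rarely POST the login form more than a handful of times, so a client with dozens or hundreds of 200-answered POSTs in the same minute is the bot, and the same list tells you which addresses to block at the firewall if you prefer that to hiding the page.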
This attack was affecting the performance and response time of many servers, slowing them down, sometimes to the point where they could not serve any pages at all. Every request to wp-login.php loads the whole of WordPress and, for a POST, runs a password check, which is what makes the traffic so expensive. We helped someone hit by such an attack and found that the simplest way to stop it was to rename the wp-login.php page and leave a blank, empty file in its place, which the bots can hit all day without affecting the server's performance. You also need to change every reference to the old filename inside wp-login.php so that it points at the new filename, otherwise the renamed form still posts back to the blank page. This can be a bit tricky, so we have written a small script for your server that makes the change for you.
#!/bin/bash
# Rename every wp-login.php under /home to wp-login.php.new.php, rewriting
# the self-references inside it, and leave an empty wp-login.php in its place
# for the bots to hit. Run as root; safe to repeat hourly from cron: a
# non-empty wp-login.php (new install, or restored by a core update) gets
# processed, an already-blanked one is skipped.
find /home/ -type f -name wp-login.php -print0 |
while IFS= read -r -d '' login; do
    new="$login.new.php"
    # An empty file means this install was already processed.
    [ -s "$login" ] || continue
    # Copy under the new name, pointing every internal reference to
    # wp-login.php (form action, lost-password link, ...) at the new name.
    sed 's/wp-login\.php/wp-login.php.new.php/g' "$login" > "$new" || continue
    # Same owner and group as the original so the site's PHP user can read it.
    chown --reference="$login" "$new"
    # Leave an empty wp-login.php: bots can POST to it all day at little cost.
    : > "$login"
    echo "moved $login to $new"
done
The best way to use it is to save it as a script file in root's home directory and add it to root's crontab to run every hour (it has to run as root to read and chown files in every user's home); that way it also patches any new WordPress installations you add later. Keep in mind that a WordPress core update rewrites wp-login.php, so check after updating that the real login page has not come back. After the script has run you will no longer get a login page at wp-login.php; to log in, go to wp-login.php.new.php in your browser instead. WordPress's own "Log in" links and the redirect you get when opening wp-admin while logged out are built by wp_login_url(), which still points at wp-login.php, so they will land on the blank page; bookmark the new URL. Finally, this only moves the login form away from the path the bots have hard-coded; the form at the new name still accepts guesses from anyone who finds it, so it is no substitute for strong passwords.
Hope this is helpful to people still getting hit by brute-force attacks. Let us know how it works for you if you try it.