
Marcus Povey

Time, Space, and Plexiglas


Blocking no-referrer script kiddie login attempts

Posted on September 17, 2015
by Marcus Povey

Ok, so here's a quick one.

Like anyone who runs a WordPress site, I get numerous attempts from script kiddies trying to guess the login. The vast majority of these are handled by fail2ban, but I've noticed an increase in the distributed kind of attack: multiple login attempts, each from a different IP.

Because each IP only makes one or two attempts, these fell below fail2ban's per-IP ban threshold and were getting through. Since defence in depth is good, and I wanted quiet logs, I thought I'd do something about this.

On inspection, it looked like the scripts aren't terribly smart: they POST straight to wp-login.php without first loading the login form, so the request arrives with no Referer header at all (a real browser submitting the form sends the login page's URL as the Referer). So I wrote a rewrite rule that blocks POST requests to wp-login.php that have no Referer set.

This is by no means foolproof; the Referer header is trivially faked by anyone who bothers to set one, but it raises the bar slightly for them. One caveat before deploying it: browsers do send a Referer on a same-origin form submission under the default referrer policy, but if your site sets Referrer-Policy: no-referrer, or a visitor runs a privacy extension that strips the header, their legitimate login POST will arrive without one and be blocked too.

Blocking the scripts

Place the following in the .htaccess file of your WordPress site, or in httpd.conf (inside the site's VirtualHost or Directory block). It needs mod_rewrite enabled:

# Needs mod_rewrite; harmless if the engine is already on elsewhere.
RewriteEngine On

# Only POST requests...
RewriteCond %{REQUEST_METHOD} POST
# ...to wp-login.php (matched anywhere in the path, so /blog/wp-login.php is covered too)...
RewriteCond %{REQUEST_URI} /wp-login\.php
# ...that carry no Referer header at all.
RewriteCond %{HTTP_REFERER} ^$
# Answer 403 Forbidden. F implies L, so rewriting stops here.
RewriteRule .* - [F,L]

What this does is reject every POST to wp-login.php that arrives with an empty Referer, answering with a 403 Forbidden instead of handing the request to PHP. The rule only fires on POST: a GET for the login form is unaffected, so an empty Referer on the initial page load (normal for a typed or bookmarked URL) does no harm.

It's very simple, and easy to work around, but seems to block most script kiddies.
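Before deploying the rule it is worth replaying it against your own access log to see what it would have blocked and what it would not. The following is an added example and is not code from the original post or from WordPress: it parses Apache combined-format log lines (where an absent Referer is logged as "-"), applies the same three conditions as the rewrite rule above, and tallies the would-be-blocked attempts per source IP. The log lines are constructed samples using documentation addresses, and the function names are my own.

```python
"""Replay the no-Referer wp-login.php rule over Apache access-log lines.

Added example, not from the original post. The sample log below is
constructed for illustration; the IPs are RFC 5737 documentation addresses.
"""
import re
from collections import Counter

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# An absent Referer header is written as "-".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: three single guesses from three different IPs (the
# distributed pattern that stays under a per-IP fail2ban threshold), then a
# real browser session that loads the form first and posts it with a Referer.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Sep/2015:10:01:02 +0100] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.11 - - [17/Sep/2015:10:01:09 +0100] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.12 - - [17/Sep/2015:10:01:15 +0100] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "python-requests/2.7"
198.51.100.7 - - [17/Sep/2015:10:02:00 +0100] "GET /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Sep/2015:10:02:08 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.7 - - [17/Sep/2015:10:02:09 +0100] "GET /wp-admin/ HTTP/1.1" 200 12034 "https://example.com/wp-login.php" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def would_block(method, uri, referer):
    """Mirror the three RewriteConds: POST, to wp-login.php, with an empty Referer.

    The log records a missing header as "-", so that counts as empty here.
    The path is searched, not anchored, matching the unanchored RewriteCond.
    """
    return (
        method == "POST"
        and re.search(r"/wp-login\.php", uri) is not None
        and referer in ("", "-")
    )


def replay(log_text):
    """Split a log into (blocked, allowed) lists of parsed entries."""
    blocked, allowed = [], []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip lines that are not in combined format
        target = blocked if would_block(entry["method"], entry["uri"], entry["referer"]) else allowed
        target.append(entry)
    return blocked, allowed


def per_ip_counts(entries):
    """Blocked attempts per source IP; one hit each is exactly what fail2ban's maxretry misses."""
    return Counter(e["ip"] for e in entries)


if __name__ == "__main__":
    blocked, allowed = replay(SAMPLE_LOG)
    print(f"would block {len(blocked)} of {len(blocked) + len(allowed)} requests")
    for ip, n in per_ip_counts(blocked).items():
        print(f"  {ip}: {n} no-Referer POST(s) to wp-login.php")
```

Run it as a script for a summary, or feed a real log through replay(). In the sample, the three blocked requests come from three different IPs with one hit each, while the browser session's POST passes because it carries the login page as its Referer; if replaying your own log shows genuine logins landing in the blocked list, you have the Referrer-Policy problem described above.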

Testing

To test, use curl. A bare POST with no Referer should be refused; with -i you can see the 403 status line rather than just the Apache error page:

curl -i -d 'test' https://example.com/wp-login.php

Adding a Referer header (any value will do, which is why this is only a speed bump) gets through to WordPress and returns the login page:

curl -i -d 'test' --referer foo.bar https://example.com/wp-login.php

Posted in Wordpress | Tagged curl, hack, login, scriptkiddies, wordpress | 3 Comments
