.htaccess Blocking
 

I’m inundated with emails of failed login attempts for one site. The site is not developed other than a Wordpress install. Two thousand emails in a week.

I’m about to change login.php to nologin or something similar. I’ll redirect 404 somewhere else, not sure where.

My question is blocking the address at the server level. All are from *.*.secureserver.net. Considering about forty unique IPs so far have tried, I’d say they’re UNsecureserver.

Rather than each IP, isn’t a block of *.*.secureserver.net better? IPs are all over the place from 43.*.*.* to 248.*.*.*. Attempts from all over the worl, from Turkey to Russia to Ecuador. I asked my host to do the domain ban and they are doing IP. I know blocking all users from there is rash but until I launch the site, there’s no reason to leave the door open.

Other hosts with unsecured boxes run from dreamhost, bluehost, anazonaws, Europe hosts and one host with private servers like Michael-Wilson.dreamhost.com

The sheer amount in 2018 shocks me. I thought hosts knew how to secure boxes by now. The logs must be huge yet no one notices a spike in traffic?

as you mentioned wp I'm assuming you're using wordfence? wp is a popular system so there are lots of people out there trying to hack that cms. If you are using wordfence turn off the 'failed login' option for email alerts

as to the blocking question in your post, if you're using wf you would use the wildcard option to block.

so *secureserver.net or *secureserver

beyond that, for real don't sweat hack attempts. with a decent VPN you can handle the stuff you don't block, so go make money instead of stressing over stats

I am thinking that you are probably interpreting something improperly.

secureserver.net is godaddy's mail server for it's customers. You should not be seeing anything hitting your site from there.

But I don't know where you are seeing it so I can't help you any further plus I think you have me blocked so you probably won't even see this.

.

Automated brute force attacks are nothing new, why do they bother you? Put the site behind Cloudflare, add some extra layer of security to your WP install and if you're using the host in your sig, that cardboard cutout toy host then go somewhere better that may have some control over their servers.

1. Run up to date software on your host.
2. Use strong passwords.
3. Explore adding extra security to your CMS/Script installation.
4. Use Cloudflare, it will make your site faster and help secure it.
5. Don't use dubious pretend hosts (often their clients are better targets for automated attacks).

Probably a good time to learn about how the Internet works while you're at it.

people are trying to login to your wordpress to hack it.

here are steps you can take

1) rename login.php to any other non existent page
2) block access to login.php page. chmod 0 login.php or any other way in htacess.
3) add captcha for login page.

i would go with add captcha .

I've a htpassword set for the wp-admin folder.. seems to do the trick since 2008 :)

Loginizer is also helpful. Light weight but performs like wordfence.

Block all the countries/IP ranges, whose traffic is useless. China. Russia. All of Africa. Brazil. Most of Asia. That's where I've seen where most of the bots come from. All that traffic is totally useless and they are fishing for files to exploite.

Any of these two will work fine:

1. Add reCAPTHA to the login
https://wordpress.org/plugins/login-recaptcha/

2. Make Wordpress.com account, install JetPack, enable JetPack access, disable login with user/password...

I mentioned renaming the login page. Captcha is a great idea, thanks. I didn’t see several posts but they probably list what others said.

GoDaddy really needs to learn how to secure their accounts. Bluehost and dreamhost do as well.

The bots use mostly foreign IPs and China hasn’t been used yet. A lot of private server accounts and a lot of numeric hosts. Hate to block a whole class of IP as often it blocks too much.

Eventually I’ll make a list of open accounts. I’d estimate I’ve seen more than a thousand accounts that are compromised.

My first experience with this was 1994. My host called to say they’d shut off my paysite due to extreme traffic. DOS wasn’t popular then but bots trying to hack were. My host was small so a surge would cause other customers to lag. Solution was to pull me down. I changed hosts fast. They taught me about .htaccess
and how blocking worked. One guy wrote me a script that redirects the bad login to Netscape and wrote to .htaccess. I wish I had that script again.

These bots are trying to hack but the site isn’t built. A trojan could be left on the box and that was a huge deal in the 90’s. Every visitor was allowed to say YES to the pop up and install “free pictures” but it was a trojan that logged keyboard clicks or deleted most of Windows.

Ah, the good old days. Creative minds wasted on viruses. I researched and talked to packet kiddies to learn. I didn’t want to cause issues, just wanted to learn how and why. I’m always curious about how they get access. 2018 and it still goes on.

The majority are USA connections. I’m always leery of blocking too many IPs or countries as it can lag the server at times. Checking each IP as they land with fifty bots landing at once can drag down too much. At least it was that way ten years ago before I left.

They’re fishing but for Wordpress I use as few plugins as possible. The newer ones i ignore for a while but even tried and tested old ones can be compromised. I only have a basic install and will change the login page right now.