Author Topic: Preventing Access to wp-login and xmlrpc.php  (Read 2173 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
Preventing Access to wp-login and xmlrpc.php
« on: February 05, 2024, 02:43:48 AM »
I was receiving numerous alerts each day regarding attempts to break into my WP sites.  At first, I renamed the wp-login.php file to something else, however I would still receive the alerts with 301 or 302 errors, since hackers or bots try to access the usual file.  I decided to do something more.  I re-created the wp-login.php file, however the file now contains this script:

<?php
$ipaddress = getenv("REMOTE_ADDR") ;
$username =  get_current_user() ;
$comment = $username . " wp-login" ;
shell_exec("sudo /usr/sbin/csf -d $ipaddress $comment" );
header("Location: https://www.youtube.com/watch?v=BBJa32lCaaY/");
?>

The script gets the calling IP address, site owner, and file name, and then executes the CSF Deny function.  The username and file name are included as a comment, so I can know which site and file were accessed.  Then, the page sends them off to be Rick Rolled.  This way, they never have a chance to try logging in, and the IP address is immediately blocked, preventing them from trying again.  However, for this to work, the site owner username must be in the Wheel group with NOPASSWORD enabled.  I still continue getting numerous break-in attempts each day, but the page never needs to load.  Instead, it goes straight to Youtube.

In addition, as I understand, the xmlrpc.php file is no longer necessary, but is vulnerable to hacking exploits.  Therefore, I put the same script in that file too, and have it set to add that file name in the DENY comments.

So far, this method is working very well, and I no longer need to be concerned with people trying to log in or access that xmlrpc file.

Offline
*****
Re: Preventing Access to wp-login and xmlrpc.php
« Reply #1 on: February 05, 2024, 03:35:15 AM »
iThemes Security and WordFence should already take care of these scenarios (as CMS-specific WAF & security tuners). I'm not sure if this is a better approach, as it feeds the main CSF firewall (so not sure about the relative performance). And hopefully your security design proves out -- where the other dedicated offerings are clearly battle-tested. (Rick Rolling is kinda cute though...)

Offline
*
Re: Preventing Access to wp-login and xmlrpc.php
« Reply #2 on: February 05, 2024, 04:33:30 AM »
Thank you for the feedback.  I actually installed WordFence a couple of days ago, and am working on learning about it, and configuring it.  Therefore, I did not know that it can already manage these issues.  However, I have always liked (Rick) rolling my own solutions, when possible.  I learn a lot that way, too.  Thanks again.

Offline
*
Re: Preventing Access to wp-login and xmlrpc.php
« Reply #3 on: February 05, 2024, 12:06:54 PM »
i would delete the wp-contents folder from a new file downloaded from wordpress.org

then uploaded ALL files and folders that are left and overwrite the folders and files, then you would have clean wp install.

then you can scan the wp-content folder

Offline
**
Re: Preventing Access to wp-login and xmlrpc.php
« Reply #4 on: February 05, 2024, 06:05:58 PM »
if you already use wordfence you can install wordfence login security, this is an extension to wordfence and there is a checkbox:

Disable XML-RPC authentication

this is exactly what you want