GoFuckYourself.com - Adult Webmaster Forum

mineistaken 05-23-2013 04:19 PM

brute force on wp-login.php
 
What pisses me off is that my stats (awstats etc) get messed up by them, there is no way to have accurate stats because more hits are from bots than from actual visitors.
/rant

signupdamnit 05-23-2013 04:37 PM

http://configserver.com/cp/csf.html and ban them manually if you can't use it to automatically ban them. I think there is a setting to do it. :)

TrafficRush 05-24-2013 01:39 AM

there's a patch for that!

mineistaken 05-24-2013 03:35 AM

Quote:

Originally Posted by TrafficRush (Post 19638388)
there's a patch for that!

If you mean for attacks then I installed wp harden plugin which redirects wp-login.php to home page.

Now I am looking for a patch to see accurate awstats. Because now my numbers are inflated by bots and stats are basically useless, no idea how many of those are real visitors, how many bots.

nico-t 05-24-2013 03:46 AM

same here, seems like almost every wordpress site has this. What are those bots trying to accomplish? No way the passes can be cracked. Seems so useless in my opinion.

Barry-xlovecam 05-24-2013 05:21 AM

https://illuminatikarate.com/blog/ex...stats-reports/

It's in the conf file. You can exclude static IP addresses too.

mineistaken 05-24-2013 08:11 AM

Quote:

Originally Posted by Barry-xlovecam (Post 19638578)
https://illuminatikarate.com/blog/ex...stats-reports/

It's in the conf file. You can exclude static IP addresses too.

Very nice, however I have an issue: I installed harden wp plugin so hits to wp-login.php are redirected to home page, meaning that awstats would count them because it won't be backend hit (I assume).
It's either I prevent attacks (by using harden wp) but have compromised awstats or I do not prevent attacks but fix awstats using this method :)

geirlur 05-24-2013 09:30 AM

I had the same problem but I've only allowed my IP to access the login page and now I get accurate (and disappointing) stats. It was my host who set it up so don't ask me how :)

btw for blogs I like to use the jetpack stats rather than awstats, it's real time too..

d-null 05-24-2013 11:01 AM

it's even worse if you are running forums :2 cents:

PornDiscounts-V 05-24-2013 11:23 AM

Ban IPs for unsuccessful logins

SplatterMaster 05-24-2013 11:49 AM

EDIT** Never mind. Looking at the directory structure online wp-login.php is in the root directory.

Dankasaur 05-24-2013 12:03 PM

Use a more advanced statistics program.

SplatterMaster 05-24-2013 12:25 PM

Here's a trick you can try. I haven't tried it but it looks like it should work.

Password protect your admin directory with .htaccess and then use .htaccess to filematch that protection to your login.php file.

http://www.inmotionhosting.com/suppo...n-php-attempts

EnterpriseVpsSolutions 05-24-2013 08:56 PM

Only allow access from your static IPs to the admin section, deny all else.

Fat Panda 05-24-2013 09:27 PM

yup use htaccess to only allow your ip in admin

fris 05-25-2013 07:09 AM

htaccess block everyone from admin, do signups via the front end and disable redirection to admin after signup

~Ray 05-25-2013 09:34 AM

what would that htaccess command look like?

fris 05-25-2013 11:41 AM

Quote:

Originally Posted by ~Ray (Post 19640224)
what would that htaccess command look like?

Code:

Order Deny,Allow
Deny from all
Allow from xx.xx.xx.xx

file placed in wp-admin dir

fris 05-25-2013 11:42 AM

or this

Code:

<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from xx.xx.xx.xx
</Files>


brassmonkey 05-25-2013 12:36 PM

http://wordpress.org/plugins/hc-custom-wp-admin-url/ :)

BareBacked 05-25-2013 01:05 PM

this is a huge pain in the ass

mineistaken 05-25-2013 04:33 PM

Quote:

Originally Posted by EnterpriseVpsSolutions (Post 19639763)
Only allow access from your static IPs to the admin section, deny all else.

Question - does awstats count denied visitors? I mean those would still technically hit the site (and show up on the stats?).

geirlur 05-26-2013 07:06 AM

Quote:

Originally Posted by mineistaken (Post 19640624)
Question - does awstats count denied visitors? I mean those would still technically hit the site (and show up on the stats?).

Doesn't show up for me

tahiti 05-29-2013 12:52 AM

Quote:

Originally Posted by mineistaken (Post 19637929)
What pisses me off is that my stats (awstats etc) get messed up by them, there is no way to have accurate stats because more hits are from bots than from actual visitors.
/rant

10000's of plugins to autoban after x attempts.
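
The "ban after x failed attempts" idea and the inflated-stats complaint from this thread, as an added example that is not part of any poster's message: a Python sketch that flags IPs by failed wp-login.php POSTs in an Apache combined-format access log and counts the hits that remain once they are excluded. The function names, the threshold and window, and the sample log lines (documentation IP ranges) are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" log line: client IP, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])

def failed_login_ips(lines, max_failures=5, window=timedelta(minutes=5)):
    """IPs with more than max_failures failed wp-login.php POSTs inside window.
    Assumes a time-ordered log; stock WordPress answers failure 200, success 302."""
    recent, flagged = defaultdict(deque), set()
    for ip, ts, method, path, status in filter(None, map(parse, lines)):
        if method != "POST" or status != 200 or not path.endswith("/wp-login.php"):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # forget attempts older than the window
            q.popleft()
        if len(q) > max_failures:
            flagged.add(ip)
    return flagged

def visitor_hits(lines, flagged):
    """Hits left once flagged IPs and login-page requests are excluded."""
    return sum(1 for ip, _, _, path, _ in filter(None, map(parse, lines))
               if ip not in flagged and not path.endswith("/wp-login.php"))

def sample_log():
    """Constructed log lines using documentation IP ranges, not real traffic."""
    bot = ['203.0.113.7 - - [23/May/2013:16:00:%02d -0700] "POST /wp-login.php '
           'HTTP/1.1" 200 3521 "-" "-"' % (2 * i) for i in range(8)]
    return bot + [
        '198.51.100.20 - - [23/May/2013:16:01:00 -0700] "GET / HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
        '198.51.100.20 - - [23/May/2013:16:01:05 -0700] "GET /about/ HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
        '192.0.2.10 - - [23/May/2013:16:02:00 -0700] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
        '203.0.113.7 - - [23/May/2013:16:02:10 -0700] "GET / HTTP/1.1" 200 9120 "-" "-"',
    ]

if __name__ == "__main__":
    bad = failed_login_ips(sample_log())
    print(sorted(bad), visitor_hits(sample_log(), bad), "of", len(sample_log()))
```

The flagged set is what would feed a firewall deny list or the stats tool's host exclusion; the last sample line shows why excluding only the login URL still leaves a flagged client's front-page hit in the count.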

KaliC 05-29-2013 01:22 AM

Quote:

Originally Posted by mineistaken (Post 19637929)
What pisses me off is that my stats (awstats etc) get messed up by them, there is no way to have accurate stats because more hits are from bots than from actual visitors.
/rant

You can change this file name with no issues.

Captain Kawaii 05-29-2013 01:26 AM

Great thread. Thanks for the experts pitching in. Shit is frustrating.


All times are GMT -7.