1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

Russian hackers

Discussion in 'Security' started by Jeffr2014, Jan 7, 2016.

  1. #1
    In the past 8 hours one of my sites is under attack by Russian hackers, I see over 200 Russian IP addresses being locked out by Wordfence plugin. This is an academic blog that has absolutely nothing to do with Russia, so I am unsure why it became a target... It is on shared hosting rather then VPS, is there any way to block traffic from Russia, Ukraine, Belarus, Kazahstan, etc. using .htaccess? In fact, 95% of relevant traffic for this blog is coming from USA, Canada, UK, India, and Australia, so it would be nice to limit it only to these 5 countries... I know that it is possible with iptables on VPS, but never seen it done with .htaccess. Listing IP blocks per country will make it really slow... Any creative ideas?
    SEMrush
     
    Solved! View solution.
    Jeffr2014, Jan 7, 2016 IP
    SEMrush
  2. Jeffr2014

    Jeffr2014 Active Member

    Messages:
    254
    Likes Received:
    18
    Best Answers:
    0
    Trophy Points:
    55
    #2
    Apparently, we've become victims of some kind of Russian hacking contest: they pick a site and whoever breaks in first gets the bragging rights :-(
     
    Jeffr2014, Jan 7, 2016 IP
  3. #3
    1. Rename the login pages. 2. If still the attack continues contact your hosting provider to enable some firewall or go offline for some hours.
    3. Let the traffic pass via Cloudflare.
     
    Zoti Media Group, Jan 7, 2016 IP
    Jeffr2014 likes this.
  4. Jeffr2014

    Jeffr2014 Active Member

    Messages:
    254
    Likes Received:
    18
    Best Answers:
    0
    Trophy Points:
    55
    #4
    Thanks a lot.
    Re #1: You mean to rename wp-login.php to something else, correct?
    Re #2: Called hosting provider (JustHost), they suggested not to worry as their firewall detects these, but Wordfence blocks out IPs before their firewall can react. I am actually quite impressed with their hosting, with 450 blocked IPs (during the 9.5 hours the site is under attack) the site was down only once for 8 minutes.
    Re #3: Yes, I should try this if attack doesn't stop.
     
    Jeffr2014, Jan 7, 2016 IP
  5. Zoti Media Group

    Zoti Media Group Notable Member

    Messages:
    1,572
    Likes Received:
    108
    Best Answers:
    2
    Trophy Points:
    215
    Digital Goods:
    2
    #5
    Yes, please rename the wp-login and wp admin login pages and if justhost promises it you should still not trust it. Just make a offline backup to be secure ;)
     
    Zoti Media Group, Jan 7, 2016 IP
  6. Jeffr2014

    Jeffr2014 Active Member

    Messages:
    254
    Likes Received:
    18
    Best Answers:
    0
    Trophy Points:
    55
    #6
    Thanks again. Is "wp admin login pages" are admin.php and index.php in wp-admin folder?
    Re backup: I already have full offline backup of the site.
     
    Jeffr2014, Jan 7, 2016 IP
  7. Jeffr2014

    Jeffr2014 Active Member

    Messages:
    254
    Likes Received:
    18
    Best Answers:
    0
    Trophy Points:
    55
    #7
    Thanks +Zoti Media Group, you get the best answer. After renaming wp-login all attacks stopped.
     
    Jeffr2014, Jan 7, 2016 IP
    Zoti Media Group likes this.
  8. mohsin qureshi

    mohsin qureshi Active Member

    Messages:
    165
    Likes Received:
    19
    Best Answers:
    1
    Trophy Points:
    63
    #8
    Great, the problem is solved. Congratulations Jeffr :)
     
    mohsin qureshi, Jan 7, 2016 IP
  9. magmark

    magmark Active Member

    Messages:
    151
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    68
    #9
    magmark, Jan 21, 2016 IP
  10. Puntocom81

    Puntocom81 Banned

    Messages:
    80
    Likes Received:
    3
    Best Answers:
    1
    Trophy Points:
    35
    #10
    You should protect wp-login.php with a good htaccess password.
     
    Puntocom81, May 17, 2016 IP
  11. TRUE Media Partner

    TRUE Media Partner Member Affiliate Manager

    Messages:
    31
    Likes Received:
    2
    Best Answers:
    0
    Trophy Points:
    33
    #11
    You can change default service urls via .htaccess.
    For example:
    
    # BEGIN Hide console URL
    <IfModulemod_rewrite.c>
    RewriteEngineOn
    
    RewriteRule^custom_admin_url/?$/wp-login.php?your_secret_key[R,L]
    
    RewriteCond%{HTTP_COOKIE}!^.*wordpress_logged_in_.*$
    RewriteRule^custom_admin_url/?$/wp-login.php?your_secret_key&redirect_to=/wp-admin/[R,L]
    
    RewriteRule^custom_admin_url/?$/wp-admin/?your_secret_key[R,L]
    
    RewriteCond%{SCRIPT_FILENAME}!^(.*)admin-ajax\.php
    RewriteCond%{HTTP_REFERER}!^(.*)yoursite.c.o.m/wp-admin
    RewriteCond%{HTTP_REFERER}!^(.*)yoursite.c.o.m/wp-login\.php
    RewriteCond%{HTTP_REFERER}!^(.*)yoursite.c.o.m/custom_admin_url
    RewriteCond%{QUERY_STRING}!^your_secret_key
    RewriteCond%{QUERY_STRING}!^action=logout
    RewriteCond%{QUERY_STRING}!^action=rp
    RewriteCond%{QUERY_STRING}!^action=postpass
    RewriteCond%{HTTP_COOKIE}!^.*wordpress_logged_in_.*$
    RewriteRule^.*wp-admin/?|^.*wp-login\.php/not_found[R,L]
    
    RewriteCond%{QUERY_STRING}^loggedout=true
    RewriteRule^.*$/wp-login.php?your_secret_key[R,L]
    </IfModule>
    # END Hide console URL
    Code (markup):
    Where
    custom_admin_url - new admin panel url
    yoursite.c.o.m - your site domain (without http)
    your_secret_key - secret key (like password, "sd782kjds")

    After applying all changes the new admin panel url will be "yoursite.c.o.m/custom_admin_url"
     
    TRUE Media Partner, May 17, 2016 IP
    Jeffr2014 likes this.
  12. Amelie001

    Amelie001 Greenhorn

    Messages:
    12
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    21
    #12
    Congrats if your problem has been solved. I would suggest to rename the login page also.
     
    Amelie001, May 24, 2016 IP