How to Block WordPress Login Attacks on 100s of Websites on a Shared Server
The script is complete! Currently compatible with cPanel servers.
It creates a new random alphanumeric username and math equation every time it runs. The user is asked to enter the random username and the sum of the two random numbers when accessing any wp-login.php on the server.
1) Run this command in SSH:
2) Open /usr/local/apache/conf/includes/pre_virtualhost_global.conf
Remove any other code which you may have added for wp-login.php HTTP protection and add this line at the beginning of the file:
Now save /usr/local/apache/conf/includes/pre_virtualhost_global.conf
3) Create a shell script, with any name, for example wp-login.sh and add this code:
#!/bin/bash

echo "Generating random username (6 alphanumeric characters)..."
username=$(tr -dc 'a-z0-9' < /dev/urandom | fold -w 6 | head -n 1)

echo "Generating two random numbers for math..."
n1=$((RANDOM%20+10))
n2=$((RANDOM%9+1))
result=$((n1 + n2))

echo "Creating and saving configuration file..."
# The realm text (AuthName) is shown to the visitor in the browser's login prompt.
cat > /usr/local/apache/conf/includes/wordpressprotect.conf <<EOF

<LocationMatch "wp-login.php">
AuthType basic
AuthName "WordPress attack protection. Please verify that you are a legitimate user and not an attack bot which attempts to hack this site. DO NOT ENTER HERE YOUR WP-ADMIN USERNAME AND PASSWORD. Enter username: $username Password: The result of math $n1+$n2"
AuthUserFile /home/wp-admin-attack-htpasswd-file
Require valid-user
</LocationMatch>
ErrorDocument 401 "Authentication required"

EOF
# Apache must be able to read both files; neither needs the execute bit.
/bin/chmod 0644 /usr/local/apache/conf/includes/wordpressprotect.conf

# Recreate the password file with the new username and the sum as the password.
/bin/rm -f /home/wp-admin-attack-htpasswd-file
/usr/local/apache/bin/htpasswd -bc /home/wp-admin-attack-htpasswd-file "$username" "$result"
/bin/chmod 0644 /home/wp-admin-attack-htpasswd-file

echo "Restarting Apache (and nginx if exists)..."
/etc/init.d/httpd restart

echo "All done!"
Save it and make it executable:
chmod +x wp-login.sh
Now, every time you want to create new HTTP authentication credentials for all wp-login.php files on the server, just run this new script.
Users (or bots) visiting any wp-login.php file will see the message in the attached screenshot.
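Because the username and the sum are printed in the prompt itself, this gate only filters automated clients, so it is worth checking the access logs to see who is being stopped by it. The script below is an added example, not part of the original post; it assumes Apache's combined log format, and the sample lines, IP addresses and username in it are constructed.

```shell
#!/bin/bash
# Added example: summarise wp-login.php requests per client IP from Apache
# combined-format access log lines read on stdin.

# Constructed sample lines (documentation IP ranges, made-up username).
sample_log() {
cat <<'EOF'
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /blog/wp-login.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:10:01:10 +0000] "GET /wp-login.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
198.51.100.20 - k3x9ab [10/Mar/2024:10:01:25 +0000] "GET /wp-login.php HTTP/1.1" 200 2741 "-" "Mozilla/5.0"
198.51.100.20 - k3x9ab [10/Mar/2024:10:01:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF
}

# Prints "IP blocked=N passed=M", busiest blocked clients first.
# blocked = answered 401 by the basic-auth gate; passed = any other status.
wp_login_summary() {
    awk '
        $7 ~ /wp-login\.php/ {
            seen[$1] = 1
            if ($9 == 401) blocked[$1]++; else passed[$1]++
        }
        END {
            for (ip in seen)
                printf "%s blocked=%d passed=%d\n", ip, blocked[ip], passed[ip]
        }' | sort -t= -k2,2nr
}

# Prints only the IPs with at least $1 blocked requests (default 3).
noisy_clients() {
    wp_login_summary | awk -v min="${1:-3}" '
        { split($2, kv, "=") }
        kv[2] + 0 >= min { print $1 }'
}

# Demo on the constructed sample; replace with: wp_login_summary < your_access_log
sample_log | wp_login_summary
```

A legitimate visitor also produces one 401 before answering the prompt, so judge clients by the volume of blocked requests rather than by a single one.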
You can create a cron job which runs this script as often as you want, to set a new random username and math equation.
For example, for every 15 minutes:
*/15 * * * * /path/to/wp-login.sh
Thanks to NetworkPanda on WebHostingTalk.com