3

One of my sites has been hacked recently. To make it short, I had an old version of Wysija Newsletters running, which was used to upload a few files in the wp-content directory. Since then a lot of things have changed regarding the security of this domain.

Among other things I implemented a worldwide blocking for wp-login.php via .htaccess as follows:

```apache
<Files wp-login.php>
Order deny,allow
Deny from all
Allow from my.own.static.ip.adress
</Files>
```

I've compared the access logs from before and after the implementation of this change and was pleased with the results. All unauthorized access attempts were blocked with a 403 response.

Until today.... Sucuri informed me via email that someone must have gotten access to the login form and has sent a single login request to the server.

IP Address: 192.96.204.237

Notification:
User authentication failed: admin

This was after I changed the .htaccess file... As I'm still fairly new to Apache and security in general, can someone explain to me how this is even possible?

Kind regards, Michael

  • Maybe you should remove WordPress specifics. It's actually a very interesting question. I wonder about some more specifics. What’s the version of Apache you are using? Apache 2.4? As for improving your setup, it would be better if you used the VirtualHost block instead of an .htaccess file. You could also forbid POST through rewrite. Another thing you could do is add an HTTP header in your browser (e.g. Modify Headers Google Chrome extension) and have a WordPress hook at the `login_head`. – renoirb Feb 18 '15 at 21:26

1 Answer

0

It's possible there is some Allow directive somewhere that is causing them to be granted access. Try enabling mod_info and pull up the mod_info page and do a case insensitive search for all instances of "allow" (no quotes) to see if there are any directives which could be doing this.

http://httpd.apache.org/docs/2.2/mod/mod_info.html

g491
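One way to run the search this answer suggests when mod_info is not enabled, as an added example (not code from the answer or from Apache): it scans configuration text case-insensitively and reports each access directive with the section that encloses it. Covering Order, Deny, Satisfy and Require as well goes beyond the literal search for "allow"; the sample configuration, its paths and its addresses are constructed.

```python
import re

# Constructed sample configuration; paths and addresses are placeholders.
SAMPLE_CONF = """\
<Directory /var/www/html>
    Allow from all
</Directory>
<Files wp-login.php>
    order deny,allow
    Deny from all
    ALLOW from 203.0.113.10
</Files>
# Allow from all  (commented out, must be ignored)
<Location /status>
    Allow from 127.0.0.1
    Satisfy Any
</Location>
"""

OPEN = re.compile(r"<\s*([A-Za-z]+)\s*([^>]*)>")
CLOSE = re.compile(r"<\s*/\s*[A-Za-z]+\s*>")
ACCESS = re.compile(r"(allow|deny|order|satisfy|require)\b", re.I)
BROAD = re.compile(r"(allow\s+from\s+all|satisfy\s+any)\b", re.I)

def find_access_directives(text):
    """Return (line_no, enclosing sections, directive) for every access directive."""
    stack, hits = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        m = OPEN.match(line)
        if m:
            stack.append(f"{m.group(1)} {m.group(2).strip()}".strip())
            continue
        if ACCESS.match(line):
            hits.append((no, " > ".join(stack) or "(top level)", line))
    return hits

def broad_allows(hits):
    """Keep only directives that can grant access widely."""
    return [h for h in hits if BROAD.match(h[2])]

if __name__ == "__main__":
    print(*broad_allows(find_access_directives(SAMPLE_CONF)), sep="\n")
```

Feed it the text of the main configuration, each included file and each .htaccess in turn; lines continued with a trailing backslash are not joined.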