Configuring WordPress to reject bogus wp-login.php requests


Invalid HTTP POST requests to /wp-login.php are by far the most common attack I see against my WordPress blog. For some unknown reason the vast majority of those attacks are from computers in Italy (see my first and second articles about it). These .htaccess rules block them:

# Block bogus login POST attempts. Most bots are stupid: they speak an
# obsolete HTTP version (1.0 or 0.9), omit the Referer header, or omit the
# WP test cookie (wordpress_test_cookie) that WordPress sets when a real
# browser loads the login form and that a legitimate login POST carries.
#
# The first two conditions are ANDed with the OR group that follows, so the
# rule fires for any POST to /wp-login.php that fails at least one of the
# three checks. Caveat: a browser that suppresses the Referer header (a
# strict Referrer-Policy or a privacy extension) will also be blocked by the
# referer check, so watch for false positives when enabling this.
#
# This is primarily so that the logs show a 400 rather than a 200 status
# (which WordPress returns even for invalid credentials), allowing our log
# monitoring program to notice the bogus attempt and blackhole the source.
# The END flag requires Apache 2.4 or later.
RewriteCond %{REQUEST_METHOD} POST [NC]
RewriteCond %{REQUEST_URI} =/wp-login.php [NC]
RewriteCond %{HTTP_REFERER} !^https?:// [NC,OR]
RewriteCond %{HTTP_COOKIE} !wordpress_test_cookie=WP\+Cookie\+check [NC,OR]
RewriteCond %{THE_REQUEST} \sHTTP/(?:0\.9|1\.0)$ [NC]
RewriteRule ^ blocked.php [NC,END,E=error-notes:invalid-wp-login-post]

See my previous article for information about the blocked.php module.
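To make the AND/OR chaining of the conditions above concrete, and to show what the log-monitoring step looks like, here is an added Python example that is not part of this article or of the blocked.php module: it re-implements the three OR-ed checks as a predicate over a request so you can see which requests the rule catches, then scans Apache combined-log lines for 400 responses to POST /wp-login.php and returns the client addresses a monitor would blackhole. The log lines, IP addresses, and the threshold parameter are constructed for the example; the regexes are transcribed from the RewriteCond lines.

```python
"""Added example (not the article's own code): emulate the .htaccess rule set
on a few constructed requests, then pick blackhole candidates out of
constructed Apache combined-log lines."""
import re
from collections import Counter

# The three OR-ed conditions, transcribed from the RewriteCond lines.
# re.I mirrors the [NC] flag.
REFERER_OK = re.compile(r"^https?://", re.I)
TEST_COOKIE = re.compile(r"wordpress_test_cookie=WP\+Cookie\+check", re.I)
OLD_HTTP = re.compile(r"\sHTTP/(?:0\.9|1\.0)$", re.I)


def is_bogus_login_post(method, uri, headers, request_line):
    """Return True if the rule set would send this request to blocked.php.

    headers: dict with optional 'Referer' and 'Cookie' keys (assumed to be
    canonically cased here). request_line: what Apache exposes as THE_REQUEST.
    """
    # The two ANDed conditions must both hold before the OR group matters.
    if method.upper() != "POST" or uri.lower() != "/wp-login.php":
        return False
    referer = headers.get("Referer", "")
    cookie = headers.get("Cookie", "")
    # Any single failing check is enough (the [OR] flags).
    return (not REFERER_OK.search(referer)
            or not TEST_COOKIE.search(cookie)
            or bool(OLD_HTTP.search(request_line)))


# Apache combined log format: ip ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')

# Constructed sample log lines; addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.0" 400 0 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.0" 400 0 "-" "Mozilla/4.0"
198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:56:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:12 +0000] "POST /wp-login.php HTTP/1.1" 400 0 "-" "python-requests/2.31"
""".splitlines()


def blackhole_candidates(log_lines, threshold=1):
    """Count 400s on POST /wp-login.php per client IP (the status the rule
    above produces via blocked.php) and return, sorted, the IPs whose count
    reaches the hypothetical threshold."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if (m.group("status") == "400"
                and m.group("req").upper().startswith("POST /WP-LOGIN.PHP")):
            hits[m.group("ip")] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    legit = {"Referer": "https://example.com/wp-login.php",
             "Cookie": "wordpress_test_cookie=WP+Cookie+check"}
    print("browser login blocked?",
          is_bogus_login_post("POST", "/wp-login.php", legit,
                              "POST /wp-login.php HTTP/1.1"))
    print("cookie-less bot blocked?",
          is_bogus_login_post("POST", "/wp-login.php",
                              {"Referer": "https://example.com/wp-login.php"},
                              "POST /wp-login.php HTTP/1.1"))
    print("blackhole:", blackhole_candidates(SAMPLE_LOG, threshold=2))
```

The predicate only models the conditions as written; a real request that a browser sends with no Referer (for example under a no-referrer policy) is reported as blocked, which is the false-positive case to keep in mind. The threshold is a knob for the monitor, not something the .htaccess rule itself provides.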