mod_cloudflare


  • mod_cloudflare

    Hi RSP,

    I'm using Cloudflare as a CDN for my WordPress; as you know, Cloudflare acts as a proxy.

    Although I turned on mod_security, several of my sites have recently still been under brute-force attempts against wp-login.php. I have about 10 WordPress sites. Due to configuration, I cannot use .htpasswd, so my only option is to limit the access IP, but I'm using a dynamic IP, so it's difficult and troublesome for me to edit the IP every time I want to log in to the wp-admin area.

    I'm wondering whether RSP can consider installing mod_cloudflare https://www.cloudflare.com/resources...mod_cloudflare so that mod_security can reveal the real IP instead of the Cloudflare IP. Because it shows only the Cloudflare IP, I cannot block those attacks from a particular IP, and I don't know where they come from.

    My blogs have been under attack for 2 days, and I've set the Cloudflare security setting to "I'm Under Attack", but unfortunately Cloudflare did not detect any threat.

    So I believe finding a way to reveal the real IP where the attack comes from is an alternative solution.

    Besides that, how can I increase the mod_security blocking time from 15 minutes to something longer?

    Please advise on alternative solutions.

    Thank you.
    Last edited by wjleong; 10-11-2014, 11:06 AM.

  • #2
    You could block access to the login page via .htaccess, where it requires a "key" to be able to access it; otherwise access is denied. So basically you would have to pass the secret key as part of the URL to get in, i.e. http://yoursite.com/wp-login.php?mysecretkey There are lots of plug-ins available that lock down your WP sites, but I find I learn more by doing it myself.

    Another way is to only allow access from a certain HTTP referrer. So basically, you would create a secret admin landing page (http://mybrand.com/mysecretlandingpage.php) which has all the links to your admin back ends. You then configure .htaccess to block access to the login page unless the request comes from this secret URL.
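
An added example, not part of any post in this thread: one way to implement the secret-key gate from post #2 with mod_rewrite in the `.htaccess` beside `wp-login.php`. The cookie name `wpgate` and its value are constructed placeholders, HTTPS is assumed, and the cookie step is an addition so that the login form's POST, which does not repeat the key, still passes.

```apache
# Added example, not the poster's own rules.
# "mysecretkey" and "yoursite.com" are the placeholders used in the post;
# "wpgate" and CONSTRUCTED-RANDOM-VALUE are constructed: replace the value
# with a long random string per site.
# Place this block above the "# BEGIN WordPress" rewrite block.
<IfModule mod_rewrite.c>
RewriteEngine On

# 1. A request for wp-login.php that carries the key in its query string
#    (wp-login.php?mysecretkey) is let through and handed a gate cookie.
#    CO fields: name:value:domain:lifetime-in-minutes:path:secure:httponly
#    "secure" means the cookie is only sent over HTTPS (assumption).
RewriteCond %{QUERY_STRING} (^|&)mysecretkey(&|=|$)
RewriteRule ^wp-login\.php$ - [CO=wpgate:CONSTRUCTED-RANDOM-VALUE:yoursite.com:60:/:secure:httponly,L]

# 2. Every other request for wp-login.php must present the gate cookie.
#    The form POST, logout and password-reset links from the same browser
#    carry it for 60 minutes; anything without it gets 403 Forbidden
#    before PHP runs.
RewriteCond %{HTTP_COOKIE} !(^|;\s*)wpgate=CONSTRUCTED-RANDOM-VALUE(;|$)
RewriteRule ^wp-login\.php$ - [F]
</IfModule>
```

The key appears in access logs and browser history like any URL, so treat it as a filter against automated login attempts, not as a replacement for the WordPress password.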



    • #3
      Hello,

      The following article from our blog can be also useful for protecting your WordPress from brute force attacks:

      WordPress is very popular and that makes it an ideal target for hackers. Check out our 9 proven tricks to protect your WordPress site from attacks


      Best Regards,
      Cvetan Ivanov



      • #4
        Originally posted by clivejo
        You could block access to the login page via .htaccess, where it requires a "key" to be able to access it; otherwise access is denied. So basically you would have to pass the secret key as part of the URL to get in, i.e. http://yoursite.com/wp-login.php?mysecretkey There are lots of plug-ins available that lock down your WP sites, but I find I learn more by doing it myself.

        Another way is to only allow access from a certain HTTP referrer. So basically, you would create a secret admin landing page (http://mybrand.com/mysecretlandingpage.php) which has all the links to your admin back ends. You then configure .htaccess to block access to the login page unless the request comes from this secret URL.

        Hi clivejo,

        Can you please elaborate more about your method?

        I try to use as few plugins as possible, as I have 12 WordPress sites; it can boost CPU usage and lead to account suspension.

        Thank you.



        • #5
          I think this link details how to make a "secret" login area
