We repeat it once more!
The brute-force attacks against WordPress and Joomla login pages - as already written here: https://www.helpburo.eu/index.php?/News/NewsItem/View/67/massale-brute-force-pogingen-op-wordpress-sites - are getting worse all over the internet, not only on your server.
Even worse are the WordPress xmlrpc pingback attacks, which have been well known for years - see here a description and also a solution to this problem: http://perishablepress.com/wordpress-xmlrpc-pingback-vulnerability/
The problem is that the attacks come from thousands of IPs in parallel, which overloads even those plug-ins. There is currently only one solution:
1) Joomla installations
Use the Plesk or DirectAdmin frontend to password-protect the /administrator directory of the Joomla installation.
2) WordPress installations
For WordPress we must password-protect access to the file wp-login.php, as this is the file the attackers open directly. This must be done manually:
a) create a .htpasswd file, either manually on the server or with an online tool like http://www.htaccesstools.com/htpasswd-generator/
b) place the .htpasswd file in the base directory of your WordPress installation
c) create a .htaccess file in the base directory of your WordPress installation with the following lines - if a .htaccess file already exists, add these lines at the absolute top of the file:
# Stop Apache from serving .ht* files
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
# Protect wp-login
<Files wp-login.php>
AuthUserFile /YYYYY/.htpasswd
AuthName "Private access"
AuthType Basic
require user XXXXX
</Files>
- replace XXXXX with the username you used in the .htpasswd file.
- replace /YYYYY with the full path to your hosting directory, e.g.:
/var/www/vhosts/testdomain.nl/httpdocs/.htpasswd (Plesk style)
/home/user/domains/testdomain.nl/public_html/.htpasswd (DirectAdmin style)
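As an added example (not part of the original post), the shell functions below fill in XXXXX and /YYYYY, prepend the block to an existing .htaccess as step c) requires, and check that the .htpasswd the block points at really exists; they assume a POSIX shell with sed and grep. The block keeps the post's Order/Deny directives, which on Apache 2.4 need mod_access_compat (the 2.4 equivalent is Require all denied).

```shell
#!/bin/sh
# Added example, not from the original post: fills in the XXXXX / YYYYY
# placeholders and installs the block at the top of .htaccess.

# Print the .htaccess block with the placeholders filled in.
# $1 = user name from .htpasswd, $2 = absolute path to the .htpasswd file
make_htaccess() {
  case "$2" in
    /*) ;;
    *) echo "AuthUserFile must be an absolute path: $2" >&2; return 1 ;;
  esac
  cat <<EOF
# Stop Apache from serving .ht* files
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
# Protect wp-login
<Files wp-login.php>
AuthUserFile $2
AuthName "Private access"
AuthType Basic
require user $1
</Files>
EOF
}

# Prepend the block to DOCROOT/.htaccess (the post says: absolute top of the
# file), creating the file if the site has none yet.
# $1 = WordPress base directory, $2 = user name, $3 = absolute .htpasswd path
install_protection() {
  target="$1/.htaccess"
  tmp="$target.tmp.$$"
  make_htaccess "$2" "$3" > "$tmp" || { rm -f "$tmp"; return 1; }
  if [ -f "$target" ]; then cat "$target" >> "$tmp"; fi
  mv "$tmp" "$target"
}

# Check an installed .htaccess: the wp-login block is present and the
# .htpasswd it points at exists (a wrong AuthUserFile path makes Apache
# answer with a server error instead of a password prompt).
# $1 = WordPress base directory
check_protected() {
  target="$1/.htaccess"
  grep -q '^<Files wp-login.php>' "$target" || return 1
  passfile=$(sed -n 's/^AuthUserFile //p' "$target" | head -n 1)
  [ -n "$passfile" ] && [ -f "$passfile" ]
}
```

Run it as install_protection /var/www/vhosts/testdomain.nl/httpdocs USERNAME /var/www/vhosts/testdomain.nl/httpdocs/.htpasswd and then check_protected with the same directory before testing the login page in a browser.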
For server owners:
THIS MUST BE DONE FOR ALL WORDPRESS OR JOOMLA INSTALLATIONS ON THE SERVER!