Foiling WordPress Login Attacks

The other day I read an article concerning attacks on WordPress wp-login.php. The solution was fairly simple: rename wp-login.php, and every reference to the file within the WordPress software, to an uncommon name. However, this is cumbersome to do and maintain, and you also have to repeat it for any themes and plugins that make reference to wp-login.php.

I came up with an alternative and simpler solution. While not perfect (particularly if you have several blog authors), a simple workaround to the problem is to use a double login: force HTTP authentication in the web browser for access to wp-login.php.

If you are using Apache, then within your blog’s <VirtualHost> block add:

<Files wp-login.php>
  # Realm name shown in the browser's credential prompt
  AuthName "Blog Login Page"
  # Password file created with htpasswd (see below)
  AuthUserFile "/path/to/blog/root/.htpasswd"
  # Basic auth sends credentials base64-encoded, so serve this over HTTPS
  AuthType Basic
  Require valid-user
</Files>

Then create a .htpasswd file, preferably with a user name and password that differ from the blog login. Voilà! Done!
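The Apache block above points at a .htpasswd file but the post does not show how one is made. The following is an added example, not code from the original post, that builds an entry in the APR1-MD5 format Apache's mod_authn_file accepts, using only the Python standard library (handy on a machine where the htpasswd utility is not installed), and includes a verifier so you can confirm the entry matches before relying on it. The user name, password, and output path are constructed placeholders.

```python
import hashlib
import hmac
import os
import secrets

# Alphabet used by Apache's APR1 encoding (same as traditional crypt(3)).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"


def _to64(value: int, count: int) -> str:
    """Encode the low 6*count bits of value, least-significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password: str, salt: str) -> str:
    """Return the '$apr1$<salt>$<digest>' string that Apache's mod_authn_file accepts."""
    pw = password.encode("utf-8")
    sl = salt.encode("ascii")
    if not 1 <= len(sl) <= 8 or any(c not in ITOA64 for c in salt):
        raise ValueError("salt must be 1-8 characters from the itoa64 alphabet")

    ctx = hashlib.md5(pw + MAGIC + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    # Mix in the alternate digest, one byte per byte of password.
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    # Bit-by-bit mixing of the password length (a zero byte for set bits).
    i = len(pw)
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 rounds of stretching with a round-dependent input order.
    for i in range(1000):
        r = hashlib.md5()
        r.update(pw if i & 1 else final)
        if i % 3:
            r.update(sl)
        if i % 7:
            r.update(pw)
        r.update(final if i & 1 else pw)
        final = r.digest()

    # Byte permutation used by the crypt-style encoding of the 16-byte digest.
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups
    )
    encoded += _to64(final[11], 2)
    return f"$apr1${salt}${encoded}"


def htpasswd_line(user: str, password: str) -> str:
    """Build one 'user:hash' line with a fresh random 8-character salt."""
    if not user or ":" in user:
        raise ValueError("user name must be non-empty and must not contain ':'")
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{apr1_hash(password, salt)}"


def verify_htpasswd(line: str, user: str, password: str) -> bool:
    """Check a candidate user/password against one htpasswd line (constant-time compare)."""
    name, _, stored = line.partition(":")
    if name != user or not stored.startswith("$apr1$"):
        return False
    salt = stored.split("$")[2]
    return hmac.compare_digest(apr1_hash(password, salt), stored)


def write_htpasswd(path: str, entries) -> None:
    """Write (user, password) pairs; owner read/write, group (Apache's) read only."""
    lines = [htpasswd_line(u, p) for u, p in entries]
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o640)
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")


if __name__ == "__main__":
    # Constructed example credentials and path; substitute your own.
    write_htpasswd("/tmp/example.htpasswd", [("gatekeeper", "correct horse battery staple")])
    with open("/tmp/example.htpasswd") as fh:
        print(fh.read(), end="")
```

Where the htpasswd utility is available, `htpasswd -B` (bcrypt) is the stronger choice on Apache 2.4; APR1-MD5 is shown here because every Apache build accepts it and it needs nothing beyond the standard library. Whatever format you use, keep the file readable by Apache's group, place it outside the DocumentRoot if you can, and remember that Basic authentication only protects the credentials when the site is served over HTTPS.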

Update:

Have you lost your password?

So today I wake, sit down for breakfast, and turn on my Nexus 7 to get my morning dose of Slashdot, CNET News, and Twitter. I go through the typical routine and also check for application updates — oh goody, a new Firefox Beta and Google Keyboard. Tap update all.

Ding! Up pops a screen: the Google Keyboard app. asking for new permissions, Network Communication and Read Your Contact Info. Really?! In a keyboard application? (Yes people, app. is an abbreviation for application and not a trademark as Apple would like to think.) You've got to be kidding me! In light of this week’s public exposure of the NSA’s surveillance of the American public’s phone metadata, Google really wants you to let their keyboard application have network access! WHAT THE FUCK FOR!?

This just raises the question of whether Google is being secretly compelled by the NSA to install key-logger software to collect your passwords and your contact information. Or maybe Google is going to offer a new lost-password search service.

NSA Related stories: