@badcrc
Last active August 29, 2015 13:56
Block WordPress wp-login.php brute-force attacks when Apache is behind a proxy that sends the real client IP in the X-Forwarded-For header.
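<Files wp-login.php>
# AllowIP is derived from X-Forwarded-For, so this only holds when the proxy sets
# that header itself and Apache is reachable only through the proxy.
# Apache 2.2 access control: deny everyone, then allow requests that set AllowIP.
Order deny,allow
Deny from all
# Single IP: dots escaped and pattern anchored so only that exact address matches
SetEnvIf X-Forwarded-For "^x\.x\.x\.x$" AllowIP
# IP range (example for XXX.XXX.0.0/16); the last octet does not match .0 or .255
# http://stackoverflow.com/questions/17967294/how-can-i-make-a-regular-expression-for-ip-address-with-subnetmask
SetEnvIf X-Forwarded-For "^XXX\.XXX\.(?:[0-9]{1,2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.(?:[1-9][0-9]?|1[0-9]{2}|2[0-4][0-9]|25[0-4])$" AllowIP
Allow from env=AllowIP
</Files>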
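
Added example, not part of the gist: a Python check of which X-Forwarded-For values would set AllowIP, comparing the single-IP pattern with and without anchors and escaped dots, and listing the addresses inside the /16 that the range pattern leaves out. The addresses (198.51.100.7, 192.0.2.10, 203.0.0.0/16) are constructed sample values, and it assumes Python's `re` treats these patterns the same way Apache's regex engine does.

```python
import ipaddress
import re

# Constructed sample values from documentation ranges; not taken from the gist.
SINGLE_IP = "198.51.100.7"
UNANCHORED = re.compile(SINGLE_IP)                       # address pasted as-is
ANCHORED = re.compile("^" + re.escape(SINGLE_IP) + "$")  # dots escaped, anchored

# The gist's /16 pattern with XXX.XXX filled in as 203.0 (constructed).
RANGE = re.compile(
    r"^203\.0\."
    r"(?:[0-9]{1,2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])\."
    r"(?:[1-9][0-9]?|1[0-9]{2}|2[0-4][0-9]|25[0-4])$"
)
NET = ipaddress.ip_network("203.0.0.0/16")

SAMPLES = [
    "198.51.100.7",              # the allowed address
    "198.51.100.77",             # a different address containing it as a prefix
    "198.51.100.7, 192.0.2.10",  # proxy chain: client, then an intermediate hop
]

def sets_allowip(pattern, header_value):
    """SetEnvIf searches the header value; anchors must come from the pattern."""
    return pattern.search(header_value) is not None

def audit(pattern, header_values):
    """Map each header value to whether the pattern would set AllowIP."""
    return {v: sets_allowip(pattern, v) for v in header_values}

def range_gaps():
    """Addresses inside the /16 that the range pattern does not match."""
    return [str(ip) for ip in NET if not sets_allowip(RANGE, str(ip))]

if __name__ == "__main__":
    print("unanchored:", audit(UNANCHORED, SAMPLES))
    print("anchored:  ", audit(ANCHORED, SAMPLES))
    gaps = range_gaps()
    print(len(gaps), "addresses in", NET, "not matched, e.g.", gaps[:4])
```

The anchored pattern also rejects the two-entry header, so it fits only a proxy that sends a single address in X-Forwarded-For.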