Een combinatie van PHP & .htaccess om ongewenste bezoekers aan je wp-login.php (zoals de brute force attackers) weg te leiden van je wp-login.php. Check http://onexa.nl/wordpress/brute-force-attacks-wp-login-php-verminderen/ voor meer uitleg hierover.
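### Blocking Spammers Section ###
# Stop protected folders from being narked. Also helps with spammers
# /401.html must exist, see http://halfelf.org/2013/wp-login-protection-htaccess/
# (Apache does not accept a comment behind a directive on the same line, so the
# notes in this file sit on their own lines above the directive they describe.)
ErrorDocument 401 /401.html
# Stop spam attack logins and comments - http://halfelf.org/2013/wp-login-protection-htaccess/
# Caveat: Referer and User-Agent are both supplied by the client, so this block
# only turns away bots that do not bother to set them. It complements the
# secret-key rewrites below and rate limiting; it does not replace them.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
# A POST to wp-comments-post.php or wp-login.php ...
# ("\.php*" matched ".ph" followed by any number of "p"; "\.php" is what was meant)
RewriteCond %{REQUEST_URI} (wp-comments-post|wp-login)\.php
# ... whose Referer does not name one of our own domains, or whose User-Agent
# is empty, is bounced back to the client's own address.
RewriteCond %{HTTP_REFERER} !.*(domain1\.com|domain2\.nl).* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) https://%{REMOTE_ADDR}/$ [R=301,L]
</IfModule>
### End Blocking Spammers Section ###
# Redirect the default WP redirect login URL back to the frontpage (domain.com/login/ automatically redirects to the current WP login URL)
RewriteEngine on
RewriteBase /
RewriteRule ^login/?(.*?) https://domain.com/ [R=301,L]
# Rewriting for better login, incl logout & lostpassword support
# The key value (XXXXXXXXX) must equal $secret_key in the plugin; replace the placeholder.
# QSA keeps the query string the plugin appends to these URLs (redirect_to, action,
# _wpnonce). Without it, the "?..." part of the substitution replaces the incoming
# query string entirely and a redirect_to given to the login URL is lost.
# $secret_login + $secret_lostpw
RewriteRule ^more-secure-login/lostpassword/?$ /wp-login.php?secure=XXXXXXXXX&action=lostpassword [QSA,NC,L]
# $secret_login
RewriteRule ^more-secure-login/?$ /wp-login.php?secure=XXXXXXXXX [QSA,NC,L]
# $secret_logout (QSA replaces the earlier "&%{QUERY_STRING}", which left a dangling "&" on an empty query)
RewriteRule ^custom-logout/?(.*?)/?$ /wp-login.php?secure=XXXXXXXXX [QSA,NC,L]
# -> Default WordPress .htaccess stuff should go here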
<?php
/*
Plugin Name: Redirect wp-login.php
Description: Redirect non-wanted wp-login.php visitors
Version: 1.0
Author: Onexa
Author URI: https://onexa.nl
*/
global $secret_login, $secret_lostpw, $secret_logout; // making the vars global (a no-op at file scope, kept for clarity)
# as given in .htaccess -> domain.com/more-secure-login by default (only last part of the URL is needed)
$secret_login = 'more-secure-login';
$secret_lostpw = 'lostpassword'; # for the lost password page, combines $secret_login with $secret_lostpw
$secret_logout = 'custom-logout'; # same, but for the logout URL
# The secret key-value that's given in the URL, must be the same as in the .htaccess.
# Replace the placeholder before use. Because it travels in the query string it ends up
# in server access logs, browser history and Referer headers sent to other sites, so treat
# it as a bot deflector rather than a credential and change it if it leaks.
# Assigned at file scope, so it is global as well; functions read it via `global $secret_key`.
$secret_key = 'XXXXXXXXX';
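/**
 * Making sure the wp-login.php is requested with the secure key attached to it
 *
 * Runs on `login_head`. A request that carries no `secure` parameter, or one whose
 * value does not match $secret_key, is sent to the site's home URL and processing
 * stops. The comparison uses hash_equals(), i.e. a strict, constant-time string
 * compare, instead of the loose `!=` used before.
 *
 * NOTE(review): the original condition joined "not set" and "not equal" with `&&`,
 * so any request that set `secure` to *any* value passed the gate; both cases must
 * redirect. Also, `login_head` fires while the login page is rendered; whether a
 * submitted form is handled before this hook runs depends on wp-login.php itself
 * (not visible here) — keep the .htaccess rules as the second layer.
 *
 * @since 1.0
 * @author Hiranthi Herlaar
 *
 * @return void
 */
function onx_redirect_login()
{
    global $secret_key;
    // Only a plain string can be the key; a missing value or an array counts as absent.
    $given = ( isset( $_GET['secure'] ) && is_string( $_GET['secure'] ) ) ? $_GET['secure'] : '';
    // Either condition (absent or wrong) must send the visitor away.
    if ( '' === $given || ! hash_equals( (string) $secret_key, $given ) )
    {
        wp_redirect( get_option( 'home' ) );
        exit;
    }
} // end onx_redirect_login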
// Gate every wp-login.php page render on the secret key (see onx_redirect_login()).
add_action( 'login_head', 'onx_redirect_login' );
/**
 * Filter for `login_url`: point the login link (as used in mails for new users and
 * forgotten passwords) at the secret login slug instead of wp-login.php.
 *
 * The incoming $url is intentionally ignored; the result is always rebuilt from the
 * `home` option and $secret_login. A non-empty $redirect is urlencode()d and appended
 * as `redirect_to`.
 *
 * @since 1.0
 * @author Hiranthi Herlaar
 *
 * @param string $url      the login URL WordPress computed (unused)
 * @param string $redirect where to go after login; empty means no redirect_to argument
 * @return string
 */
function onx_login_url( $url, $redirect = '' )
{
    global $secret_login;
    $secret_url = trailingslashit( get_option( 'home' ) ) . $secret_login;
    if ( empty( $redirect ) )
    {
        return $secret_url;
    }
    return add_query_arg( 'redirect_to', urlencode( $redirect ), $secret_url );
} // end onx_login_url
// Late priority (999) so this overrides other login_url filters; 2 = both $url and $redirect are passed.
add_filter( 'login_url', 'onx_login_url', 999, 2 );
/**
 * Filter for `site_url` / `get_site_url`: a URL that points at wp-login.php (for
 * example the login form's action attribute) is swapped for the secret login slug
 * under the `wpurl` blog info; every other URL passes through untouched.
 *
 * Only the base URL is returned: whatever query string the wp-login.php URL carried
 * (an `action=...` parameter, for instance) is discarded.
 *
 * @since 1.0
 * @author Hiranthi Herlaar
 *
 * @param string $url the URL WordPress computed
 * @return string
 */
function onx_login_action_url( $url )
{
    global $secret_login;
    // Not a wp-login.php URL: nothing to rewrite.
    if ( false === strpos( $url, 'wp-login.php' ) )
    {
        return $url;
    }
    return trailingslashit( get_bloginfo( 'wpurl' ) ) . $secret_login;
} // end onx_login_action_url
// Only $url is requested (no extra accepted args); late priority so it runs after other site_url filters.
add_filter( 'site_url', 'onx_login_action_url', 999 );
/**
 * Filter for `logout_url`: build the logout link on the secret logout slug instead of
 * wp-login.php, keeping the `action=logout` argument, an optional urlencode()d
 * `redirect_to`, and the `log-out` nonce that wp_nonce_url() attaches.
 *
 * The incoming $url is ignored; the result is rebuilt from the `home` option and
 * $secret_logout.
 *
 * @since 1.0
 * @author Hiranthi Herlaar
 *
 * @param string $url      the logout URL WordPress computed (unused)
 * @param string $redirect where to go after logout; empty means no redirect_to argument
 * @return string
 */
function onx_logout_url( $url, $redirect = '' )
{
    global $secret_logout;
    $query = array( 'action' => 'logout' );
    if ( ! empty( $redirect ) )
    {
        $query['redirect_to'] = urlencode( $redirect );
    }
    $base = trailingslashit( get_option( 'home' ) ) . $secret_logout;
    return wp_nonce_url( add_query_arg( $query, $base ), 'log-out' );
} // end onx_logout_url
// Late priority (999); 2 = both $url and $redirect are passed to onx_logout_url().
add_filter( 'logout_url', 'onx_logout_url', 999, 2 );
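/**
 * Filter for `lostpassword_url`: build the lost-password link on the secret login
 * slug plus the lost-password slug, with `action=lostpassword` and an optional
 * urlencode()d `redirect_to`.
 *
 * The incoming $url is ignored; the result is rebuilt from the `home` option,
 * $secret_login and $secret_lostpw.
 *
 * Fix: the original passed an undefined `$logout_url` (i.e. null) to add_query_arg()
 * and threw away the URL it had just computed; the arguments now go onto that URL.
 *
 * @since 1.0
 * @author Hiranthi Herlaar
 *
 * @param string $url      the lost-password URL WordPress computed (unused)
 * @param string $redirect where to go afterwards; empty means no redirect_to argument
 * @return string
 */
function onx_lostpassword_url( $url, $redirect = '' )
{
    global $secret_login, $secret_lostpw;
    $args = array( 'action' => 'lostpassword' );
    if ( ! empty( $redirect ) )
    {
        $args['redirect_to'] = urlencode( $redirect );
    }
    // home/<secret_login>/<secret_lostpw>, matching the lostpassword rewrite in .htaccess
    $url = trailingslashit( get_option( 'home' ) ) . trailingslashit( $secret_login ) . $secret_lostpw;
    return add_query_arg( $args, $url );
} // end onx_lostpassword_url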
// Late priority (999); 2 = both $url and $redirect are passed to onx_lostpassword_url().
add_filter( 'lostpassword_url', 'onx_lostpassword_url', 999, 2 );