After seeing thousands of brute-force attempts, some of them using the testcookie payload, I decided to add more security to this blog. Following a suggestion from my friend Kurnia Ramadhan, to force the login and administration pages of this blog onto HTTPS but to allow access to the HTTPS port (443) only from specific IP addresses, I made some modifications to wp-config and to the iptables rules.
Now let's open the wp-config file and add the following lines before the “That's all” comment:
```php
define('FORCE_SSL_LOGIN', true); // deprecated since WordPress 4.0; FORCE_SSL_ADMIN already covers the login page
define('FORCE_SSL_ADMIN', true); // real constant name (the page originally had FORCE_ADMIN_LOGIN, which WordPress does not read); forces wp-admin and login over HTTPS
// That's all...
```
Whenever we want to log in, we are redirected to the HTTPS page. Since HTTP and HTTPS use different ports, 80 and 443, this reduces brute-force attempts, because people usually only brute-force HTTP on port 80.
Now let's add iptables rules that allow specific IP addresses to access port 443 (HTTPS) and block every other IP address:
```sh
# allow the whitelisted address to reach HTTPS
iptables -A INPUT -p tcp --dport 443 -s 111.111.111.111 -j ACCEPT
# everyone else is dropped on port 443 (this rule must come after the ACCEPT)
iptables -A INPUT -p tcp --dport 443 -j DROP
```
Only the IP address specified in iptables can open the HTTPS page.
And that is the disadvantage of only allowing specific IP addresses to reach our “secure page”: anyone else who tries to open the HTTPS version of the site will never be able to load it, because their IP is not whitelisted.
Another way to restrict wp-admin access to specified IP addresses, and return 404 forbidden to every other IP, is to modify our Nginx configuration file as below:
```nginx
server {
    listen 80;
    listen [::]:80;
    server_name erawanarifnugroho.com;
    # send the bare domain to the www host
    rewrite ^/(.*) http://www.erawanarifnugroho.com/$1 permanent;
}

server {
    listen 80;
    listen [::]:80;
    server_name www.erawanarifnugroho.com;
    access_log off;
    error_log /home/erawanarifnugroho.com.log;
    index index.htm index.html index.php;
    root /home/erawanarifnugroho.com;

    # Dashboard: only the whitelisted IP may reach /wp-admin.
    # "^~" makes this prefix block win over any "location ~ \.php$" from the
    # included config files; without it, PHP requests under /wp-admin would be
    # served by that block and skip the allow/deny check entirely. PHP is
    # therefore handled by the nested location below, and "deny all" (missing
    # in the original) is what actually refuses everyone else.
    location ^~ /wp-admin {
        # whitelisted IP
        allow 111.111.111.111;
        deny all;

        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            include fastcgi_params;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/home/erawanarifn/http/private/php.socket;
        }
    }

    # Login form: same whitelist; everyone else is refused.
    location ~* ^/wp-login\.php$ {
        # whitelisted IP
        allow 111.111.111.111;
        deny all;
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include fastcgi_params;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/home/erawanarifn/http/private/php.socket;
    }

    try_files $uri $uri/ /index.php;
    client_max_body_size 2000M;
    include /etc/nginx/conf.d/cache.conf;
    include /etc/nginx/conf.d/deny.conf;
    include /etc/nginx/php.d/webs.conf;
}
```
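Both the iptables whitelist and the Nginx allow/deny rules above are only as useful as your ability to see what is hitting the login page. The script below is an added example, not code from the original post: it counts POST requests to wp-login.php per client IP in Nginx access-log lines (combined log format assumed) and flags the addresses that exceed a threshold. The log lines in SAMPLE_LOG are constructed for this example using RFC 5737 test addresses.

```sh
#!/bin/sh
# Added example, not code from the original post: spot a login brute-force burst
# in nginx access-log lines by counting POST /wp-login.php requests per client IP.
# SAMPLE_LOG is constructed sample data (RFC 5737 test addresses), and the
# "combined" log format is assumed.

SAMPLE_LOG='203.0.113.7 - - [10/Oct/2012:10:00:01 +0700] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2012:10:00:02 +0700] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2012:10:00:03 +0700] "POST /wp-login.php HTTP/1.1" 403 162 "-" "python-requests/2.0"
203.0.113.7 - - [10/Oct/2012:10:00:04 +0700] "POST /wp-login.php HTTP/1.1" 403 162 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2012:10:00:05 +0700] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2012:10:00:06 +0700] "GET / HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2012:10:00:07 +0700] "POST /wp-login.php?action=lostpassword HTTP/1.1" 403 162 "-" "Mozilla/5.0"'

# login_attempts_per_ip: read log lines on stdin and print "<count> <ip>" for
# every client that POSTed to wp-login.php, busiest first. In combined format
# awk splits the request line into $6 (quote + method), $7 (path) and $8 (protocol).
login_attempts_per_ip() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# flag_bruteforce THRESHOLD: print only the client IPs with at least THRESHOLD
# login POSTs; these are the candidates for a DROP rule like the one above.
flag_bruteforce() {
    login_attempts_per_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Stand-alone run over the constructed sample: 203.0.113.7 made 4 login POSTs,
# 198.51.100.23 made 1, and the GET requests from 192.0.2.10 are not counted.
printf '%s\n' "$SAMPLE_LOG" | flag_bruteforce 3
```

Note that the Nginx configuration above sets `access_log off;` for the www server, so this only works once access logging is enabled again (at minimum for the wp-login.php location). Once the `deny all` rules are in place, refused attempts still appear in the log with status 403 and still count toward the threshold, which is what you want: the log shows who keeps knocking even though the door is closed.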
The second solution is good too, kang 🙂
In the end I went back to the second solution, mas 🙂
Using HTTPS seems a bit slow, so I have now changed the Nginx configuration back to how it was, and reverted the wp-config file to the original 😀