Another layer of security for WordPress

A simple way of deflecting brute-force attacks is to require an additional password to access the WordPress login screen. Lots of security plugins will do this for you, but again, sometimes it’s better to DIY.

I put a .htaccess file in the wp-admin directory and that almost completely worked, but mystifyingly, and irritatingly, there would be regular failed login attempts. Not very often. About very 20 minutes or so. But I was irked (I tell you), as I couldn’t work out why they were happening.

My .htaccess file looked a bit like this:

<RequireAll>
AuthName "my site"
AuthType Basic
AuthUserFile <myauthfile>
Require valid-user
</RequireAll>

A few searches made references to differences between apache 2.2 and 2.4, and I thought that perhaps it was a syntax thing. But that didn’t seem to be it.

I did two things in the end, so I’m not sure what fixed it.

  1. I modified the .htaccess entry to specifically reference the file wp-login.php.
  2. I moved the .htaccess file to the parent directory.

So the relevant code looks something like:

<FilesMatch "wp-login.php">
AuthType Basic
AuthName "Secret stuff"
AuthUserFile <my auth file>
Require valid-user
</FilesMatch>

Disable xmlrpc.php

Thanks to the Simple History plugin, the first thing I noticed on my new WordPress install was hundreds of brute-force login attempts:

Anonymous user from x.x.x.x 4:25 pm (less than a minute ago)              Failed to login with         username "dougie" (incorrect password entered) warning       Showing 212 more     

And then more alarmingly, immediately the same thing on a new test user I set up a few minutes later. Of course, just because frustratingly I can’t work out how the attacker extracts the new WP username immediately doesn’t mean it ain’t happening. But the attack vector, so to speak, was the xmlrpc.php file.

Several ways to tackle this, and initially I used a security plugin to fix it. But given the choice, I’d rather do things like this manually so I have a better idea what’s going on, and maybe learn something too.

I pasted the code suggested from https://www.hostinger.com/tutorials/xmlrpc-wordpress into my .htaccess file:

    # Block WordPress xmlrpc.php requests
    <Files xmlrpc.php>
    order deny,allow
    deny from all
    allow from xxx.xxx.xxx.xxx
    </Files>

changing the allow from to the static IP for my regular connection, although strictly speaking I don’t think I need that and will try taking it out altogether sometime.

Publishing failed – JSON error

Migrating WP blog to my VM. New install of WordPress. Test posts with Guttenberg (Block) Editor. Following error:

Publishing failed. Error message: The response is not a valid JSON response.
Publishing failed. Error message: The response is not a valid JSON response.

An interesting rabbit hole. Lots of searches rightly suggested that using the classic editor would get round the problem. Or that by changing the permalinks settings to Plain would fix it. It did, but not much help if you want your permalink settings set to something else.

Eventually I discovered that the issue for me was with the .htaccess file not being processed, which was fixed by adding something along the lines of

<Directory /var/www/html>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
</Directory>

to the /etc/apache2/apache2.conf file (on Debian Buster). This worked for me, but I get the impression it’s better practice to edit the files in /etc/apache2/sites-available instead for any local code in case apache2.conf gets overwritten on an upgrade. Probably also need to do a:

a2enmod rewrite
systemctl restart apache2

So for me the cause of the error message was quite obscure. Useful link: