Today, when I logged into my WordPress blog hosted on webhostingpad.com, it unexpectedly showed "Wordpress administrator area access disabled temporarily due to widespread brute force attacks." I then went to the webhostingpad.com site and asked their online support staff, and learned that they had deliberately put this in place to fend off botnet attacks; the agent gave me a workaround: https://support.webhostingpad.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=239&nav=0. From all this I seem to faintly sense the shadow of a China-US cyber war. The content of that link reads:
Recently we have discovered that a widespread brute force attack has been taking place against WordPress sites.
The brute force attack is being executed through a large botnet which is composed of thousands of unique IP addresses all across the world. The attackers are attempting to guess the WordPress administrator panel username and password with their botnet again and again to try and gain access to the site.
*!* The attack is not just isolated to Webhostingpad, this attack is happening on a global scale across multiple hosting providers. *!*
*!* We STRONGLY recommend updating your WordPress administrator password to something very secure. *!*
Minimum password recommendations:
- At least 8 characters total
- Mixture of upper and lower-case letters
- Numbers and special characters, such as punctuation or other non-alphanumeric characters
Example of a weak password: password123
An improved strong password: cooquu6Hiem$
What we are doing:
When this issue first arose we put in place security rules on all of our servers which would check failed login attempts to the WordPress wp-login.php page. If there are more than 5 failed login attempts within 3 minutes, then any further login attempts will be blocked. This worked fine until the attack became much larger; due to the massive scale of the attack we were forced to globally deny access to wp-login.php on our servers.
Regain access to your WordPress administrator panel:
If you are no longer able to login to your WordPress site due to being blocked by our security rules, you can use your site's .htaccess file to only allow requests from your computer's local IP address.
*!* If you have either a dynamic IP address, or you access WordPress from multiple devices, each IP address that you access WordPress with would also need to be allowed in your .htaccess file. *!*
In order to find out your local computer's IP address, you can simply visit the following URL: http://icanhazip.com/
After you have your local IP address, you can follow these steps in order to lock down your WordPress site to only permit logins from your IP address:
1. Login to cPanel.
2. Under the Files section, click on the File Manager icon.
3. From the Document Root for: drop-down, select your WordPress site.
4. Make sure that Show Hidden Files is checked.
5. Click Go.
6. Right-click on your .htaccess file, then click on Edit.
7. You may have a dialog pop-up from the text editor, go ahead and click Edit.
8. Now you can just paste in the following code, being sure to replace the x.x.x.x IP address with your own:
<Files ~ "^wp-login.php">
Order deny,allow
Deny from all
Allow from x.x.x.x
</Files>
9. You should be able to access your wp-login.php right away.
To put it simply, it comes down to adding
<Files ~ "^wp-login.php">
Order deny,allow
Deny from all
Allow from x.x.x.x
</Files>
to your .htaccess file. The steps: first open FTP, find the .htaccess file, then insert the code above at the very top of that file, replacing X.X.X.X with the IP address you normally log in from at home; save and upload, and you can log into the WordPress backend again. I did ask support whether I would have to add my local IP every time I log into WordPress from a different IP; he said probably not, that once the problem is solved now it would not come back, but I remain skeptical.
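Two points in the procedure above are worth handling in code: the address you allow must be the public address the web server sees (which is what icanhazip.com returns), and on a dynamic connection you end up editing the same block again and again, so a second paste must replace the first rather than pile up on top of it. The Python below is an added example written for this post, not webhostingpad's code. It renders the same `<Files>` wrapper as the provider's snippet, either in the Apache 2.2 `Order`/`Deny`/`Allow` form shown on the page (on Apache 2.4 that syntax needs mod_access_compat) or in the native 2.4 `Require ip` form, validates every address, refuses an empty allow-list (which would lock everyone out), and brackets the block with marker comments (names chosen here, not from the page) so that later runs update it in place.

```python
"""
Maintain the wp-login.php IP allow-list block in a WordPress .htaccess file.

Added example for this post, not webhostingpad's code. It writes the same
<Files> wrapper the provider's snippet uses, in either the Apache 2.2
"Order/Deny/Allow" form shown on the page or the Apache 2.4 "Require ip"
form, and brackets it with marker comments (names chosen here) so that a
later run with a new address replaces the block instead of stacking another
copy on top of it.
"""
import ipaddress
import re

# Marker comments are an assumption of this example; Apache ignores '#' lines.
BEGIN_MARK = "# BEGIN wp-login-allowlist"
END_MARK = "# END wp-login-allowlist"

_BLOCK_RE = re.compile(
    re.escape(BEGIN_MARK) + r".*?" + re.escape(END_MARK) + r"\n?", re.DOTALL
)


def normalize(entry):
    """Return a canonical address or CIDR network; raise ValueError on junk.

    ip_network() is strict, so '198.51.100.5/24' (host bits set) is rejected
    rather than silently widened to a whole /24.
    """
    try:
        return str(ipaddress.ip_address(entry))
    except ValueError:
        return str(ipaddress.ip_network(entry))


def render_block(ips, apache24=True):
    """Render the <Files> block that restricts wp-login.php to `ips`."""
    ips = [normalize(e) for e in ips]
    if not ips:
        # Deny-all with no Allow would lock out the site owner too.
        raise ValueError("allow-list must contain at least one address")
    lines = [BEGIN_MARK, '<Files "wp-login.php">']  # literal name, no regex needed
    if apache24:
        lines.append("    Require ip " + " ".join(ips))
    else:
        # Apache 2.2 syntax (mod_access_compat on 2.4): Allow is evaluated
        # after Deny, so the listed addresses win over "Deny from all".
        lines += ["    Order deny,allow", "    Deny from all"]
        lines += ["    Allow from " + ip for ip in ips]
    lines += ["</Files>", END_MARK]
    return "\n".join(lines) + "\n"


def update_htaccess(existing, ips, apache24=True):
    """Replace the managed block if present, otherwise prepend it (as the post does)."""
    block = render_block(ips, apache24)
    if _BLOCK_RE.search(existing):
        return _BLOCK_RE.sub(lambda _m: block, existing, count=1)
    return block + existing


if __name__ == "__main__":
    # Constructed sample: the stock WordPress .htaccess, then two updates
    # standing in for two days on a dynamic-IP connection.
    current = "# BEGIN WordPress\nRewriteEngine On\n# END WordPress\n"
    current = update_htaccess(current, ["203.0.113.5"])
    current = update_htaccess(current, ["203.0.113.77", "2001:db8::1"])
    print(current)
```

Run it against the real file only after checking which Apache version the host runs; on 2.4 without mod_access_compat the `Order`/`Deny` form is a syntax error that takes the whole site down with a 500, which is a worse outcome than the lockout it was meant to cure.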
Since my broadband connection has a dynamic IP, having to log into FTP or the backend to add a new IP every time is a hassle, so I later removed the code above, and found that each login now only requires entering a CAPTCHA. So the method above is only suitable for people with a fixed IP. Be careful, though: after three wrong WordPress admin passwords your IP gets locked out.
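The provider's rule quoted in the knowledge-base text above (more than 5 failed wp-login.php attempts from one address within 3 minutes, after which that address is blocked) can be checked against a web server's own access log, which is useful both for seeing whether your own site is being hammered and for understanding why your own IP got locked out. The Python below is an added example, not webhostingpad's implementation. It parses combined-format log lines, treats a POST to wp-login.php answered with HTTP 200 as a failed login (WordPress re-displays the form on bad credentials and answers a successful login with a 302 redirect; this classification is a heuristic assumed here, not something the page states), keeps a sliding 3-minute window per client address, and reports the address and the moment the threshold was crossed. The log lines are constructed for the example and use documentation address ranges.

```python
"""
Flag wp-login.php brute-force sources in an Apache combined access log.

Added example for this post, not the hosting provider's rule engine.
Heuristic: a POST to wp-login.php with status 200 is a failed login
(WordPress re-renders the form); a 302 is a successful login (redirect to
/wp-admin/); GETs are just form views. Lines must be in time order, as
access logs are.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path_without_query, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]
    return m["ip"], ts, m["method"], path, int(m["status"])


def is_failed_login(method, path, status):
    """Heuristic classification of a failed WordPress login (see module docstring)."""
    return method == "POST" and path.endswith("/wp-login.php") and status == 200


def find_bruteforcers(lines, threshold=5, window=timedelta(minutes=3)):
    """Map each offending IP to the time it exceeded `threshold` failures in `window`."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    blocked = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed or foreign line: skip, do not crash the sweep
        ip, ts, method, path, status = parsed
        if not is_failed_login(method, path, status):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures older than the window
        if len(q) > threshold and ip not in blocked:
            blocked[ip] = ts
    return blocked


# Constructed sample log (RFC 5737 / RFC 3849 documentation addresses).
# 203.0.113.7: six failures in two minutes -> exceeds the rule.
# 192.0.2.44:  one failure every two minutes -> never more than two in any window.
# 198.51.100.9: views the form, fails once, then logs in successfully (302).
SAMPLE_LOG = """\
203.0.113.7 - - [13/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.44 - - [13/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Apr/2013:10:00:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Apr/2013:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Apr/2013:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Apr/2013:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Apr/2013:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Apr/2013:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
this is not an access log line
203.0.113.7 - - [13/Apr/2013:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.44 - - [13/Apr/2013:10:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.44 - - [13/Apr/2013:10:04:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.44 - - [13/Apr/2013:10:06:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.44 - - [13/Apr/2013:10:08:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.44 - - [13/Apr/2013:10:10:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, when in find_bruteforcers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} exceeded the limit at {when:%Y-%m-%d %H:%M:%S %z}")
```

The slow client shows why a fixed threshold per window is easy to sidestep: a botnet that spreads its guesses across thousands of addresses, as the knowledge-base text describes, never trips a per-IP counter at all, which is why the provider fell back to denying wp-login.php outright and why a strong password matters more than the rate limit.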
Blogger, don't you think that login box in your sidebar looks out of place? It lacks any CSS styling.
I have a tutorial here specifically about adding a left-side login box to wesky; go take a look. The theme I use is a customized version of wesky.
http://asheblog.org/archives/1388.html
Thanks a lot... already using it!!