Lock WordPress Login Page with wpLock

Ok, LOCK might be too strong of a word. This little script will NOT make your WordPress installation more secure in any meaningful way. However, it will stop those brute force attacks against your login page, thus decreasing the server load. I wrote this little script a few days ago after noticing unusual server load on my web server, and after analyzing server logs, I found that there were close to 30 different bots trying to brute force their way into the WordPress installation. There are many plugins that will lock the login page out after several incorrect logins, but that still means that the bot will connect to the server and cause it to do work, like running PHP, looking up stuff in the database, etc. Multiply that by 30 and you have a lot of parasitic load on your server.
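The log analysis described above is easy to reproduce. The following is an added example and is not part of the original post or of wpLock: it parses Apache/Nginx "combined" format access log lines, counts POST requests to wp-login.php per source IP, and reports the addresses that exceed a threshold together with the share of all requests that those login POSTs represent. The log lines, IP addresses and the threshold of 10 are constructed for the example.

```python
"""Spot brute-force login traffic against wp-login.php in access logs.

Added example, not part of wpLock or the original post. The sample log
lines, IP addresses and threshold below are constructed for illustration.
"""
import re
from collections import Counter

# Apache "combined" log format (Nginx's default "combined" format is the same).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict with ip, ts, method, path, status, size for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def _is_login_post(rec):
    # Drop the query string so "?redirect_to=..." variants are grouped together.
    path = rec["path"].split("?", 1)[0]
    return rec["method"] == "POST" and path.endswith("/wp-login.php")


def login_attempts(lines):
    """Count POSTs to wp-login.php per source IP.

    A human editor produces a handful of login POSTs per session; a bot trying
    passwords produces dozens or hundreds, and every one of them runs PHP and
    queries the database, which is the parasitic load the post talks about.
    """
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None and _is_login_post(rec):
            counts[rec["ip"]] += 1
    return counts


def brute_force_candidates(lines, threshold=10):
    """IPs with at least `threshold` login POSTs, busiest first (threshold is an assumption)."""
    return [(ip, n) for ip, n in login_attempts(lines).most_common() if n >= threshold]


def login_share(lines):
    """Fraction of all parsed requests that were wp-login.php POSTs."""
    total = hits = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        if _is_login_post(rec):
            hits += 1
    return hits / total if total else 0.0


def _line(ip, method, path, status, ts="10/Oct/2000:13:55:36 -0700"):
    # Constructed combined-format line; the user agent and size are placeholders.
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed sample: two bots hammering the login form, one real editor, one reader.
SAMPLE_LOG = (
    [_line("203.0.113.5", "POST", "/wp-login.php", 200) for _ in range(40)]
    + [_line("198.51.100.7", "POST", "/wp-login.php?redirect_to=%2Fwp-admin%2F", 200) for _ in range(15)]
    + [_line("192.0.2.10", "GET", "/wp-login.php", 200),
       _line("192.0.2.10", "POST", "/wp-login.php", 302),
       _line("192.0.2.10", "GET", "/wp-admin/", 200)]
    + [_line("192.0.2.33", "GET", "/2013/05/some-post/", 200) for _ in range(20)]
)


if __name__ == "__main__":
    for ip, n in brute_force_candidates(SAMPLE_LOG):
        print(f"{ip}: {n} login POSTs")
    print(f"login POSTs were {login_share(SAMPLE_LOG):.0%} of all requests")
```

To run it against a real server, replace SAMPLE_LOG with the lines of your access log (for example `open("/var/log/apache2/access.log")`) and tune the threshold to what a single editor actually produces on your site.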

This WordPress blog is a single user blog. This particular technique will not work for a blog with multiple editors and contributors. Basically I made a script that allows you to disable or re-enable the wp-login.php file.

Installation

  1. Get the script from GitHub.
  2. Copy wpLock.php to your WordPress install directory
  3. Rename to something other than wpLock.php. This is security by obscurity, so use something obscure :).

Using

  1. Go to www.yoursite.com/wpLock.php. You of course remembered to rename wpLock.php to something else, right?
  2. Click the Unlock Link, the page will reload and tell you that WP is now UNLOCKED.
  3. Log in to WP normally and use it. Log out when done.
  4. Go back to www.yoursite.com/wpLock.php, and click the Lock link.

Updating WordPress

When updating WordPress, make sure that the login page is unlocked, so that the wp-login.php file can also be updated.

Final Notes

Released under the MIT License. Use it, love it, fork it, make changes, send pull requests. Enjoy!

Code

<?php
    // Settings
    $baseDir = getcwd();
    $onFile = $baseDir . "/wp-login.php";
    $offFile = $baseDir . "/wp-login.php-off";
    $loginUrl = "wp-admin/";
    // PHP_SELF includes any extra path the client appends to the URL, so it is
    // HTML-escaped here before it is echoed into the links below.
    $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');

    // Lock or Unlock the Login Page and Check Current State
    $locked = false;
    if(isset($_GET['login']) && $_GET['login'] == 'off'){
        // Lock: move wp-login.php out of the way so requests to it 404.
        if(!file_exists($offFile) && file_exists($onFile)){
            rename($onFile, $offFile);
        }
        $locked = true;
    }else if(isset($_GET['login']) && $_GET['login'] == 'on'){
        // Unlock: put wp-login.php back.
        if(file_exists($offFile) && !file_exists($onFile)){
            rename($offFile, $onFile);
        }
        $locked = false;
    }else{
        // No action requested: report the current state.
        if(file_exists($offFile) && !file_exists($onFile)){
            $locked = true;
        }else{
            $locked = false;
        }
    }
?>

<!doctype html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <title>wpLock - Lock and Unlock WordPress Login</title>
    <link rel="stylesheet" href="css/styles.css?v=1.0">
</head>
<body>
    <h1>wpLock</h1>
    <p>Using this page you can lock and unlock the WordPress <a href="<?=$loginUrl?>" target="_new">Login Page</a>
    to prevent all of those annoying bot login attempts.</p>
    <p>
    The <a href="<?=$loginUrl?>" target="_new">Login Page</a> is now <b><?php if($locked){ echo "LOCKED"; }else{ echo "UNLOCKED"; }?></b>.
    Click here to <a href="<?php if($locked){ echo "$self?login=on"; }else{ echo "$self?login=off"; }?>"><?php if($locked){ echo "unlock"; }else{ echo "lock"; }?></a> it.
    </p>
</body>
</html>