massive brute force against wp-login.php (wordpress)

So I get a ticket about high load on a server. Checking logs I see tons of:

POST /wp-login.php HTTP/1.0

and in logs:
- - [13/Aug/2013:13:35:07 -0400] "POST /wp-login.php HTTP/1.0"

Notice they are all HTTP/1.0 – thanks for making it easy. Dropped with a .htaccess:


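# Answer any HTTP/1.0 request for /wp-login.php with 406 Not Acceptable.
# Dots are escaped and patterns anchored so only the literal values match.
RewriteEngine On
RewriteCond %{SERVER_PROTOCOL} ^HTTP/1\.0$
RewriteCond %{REQUEST_URI} ^/wp-login\.php$
RewriteRule .* - [R=406]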
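
An added example, not from the original post: a Python check over Apache access-log lines that confirms the premise of the rule (login POSTs split by protocol version) and, once the .htaccess is in place, counts HTTP/1.0 requests for /wp-login.php that did not get a 406. The sample log lines and the function name `summarize` are constructed for illustration, and the common/combined log format is assumed.

```python
import re
from collections import Counter

# Apache common/combined log format: host ident user [time] "request" status size ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not taken from the post.
SAMPLE_LOG = """\
192.0.2.10 - - [13/Aug/2013:13:35:07 -0400] "POST /wp-login.php HTTP/1.0" 200 3411
192.0.2.10 - - [13/Aug/2013:13:35:07 -0400] "POST /wp-login.php HTTP/1.0" 200 3411
198.51.100.7 - - [13/Aug/2013:13:35:08 -0400] "POST /wp-login.php HTTP/1.0" 406 299
203.0.113.5 - - [13/Aug/2013:13:36:12 -0400] "POST /wp-login.php HTTP/1.1" 302 -
203.0.113.5 - - [13/Aug/2013:13:36:13 -0400] "GET /wp-admin/ HTTP/1.1" 200 18233
192.0.2.10 - - [13/Aug/2013:13:36:20 -0400] "GET /wp-login.php?action=x HTTP/1.0" 406 299
garbage line that does not parse
"""

def summarize(lines, path="/wp-login.php"):
    """Per-protocol POST counts for `path`, HTTP/1.0 clients by volume, and
    HTTP/1.0 requests not answered with 406 (i.e. the rule is not in effect)."""
    posts_by_proto = Counter()
    http10_clients = Counter()
    unblocked_http10 = 0
    for line in lines:
        m = LINE_RE.match(line)
        # REQUEST_URI excludes the query string, so strip it before comparing.
        if not m or m["path"].split("?", 1)[0] != path:
            continue
        if m["method"] == "POST":
            posts_by_proto[m["proto"]] += 1
        if m["proto"] == "HTTP/1.0":
            http10_clients[m["host"]] += 1
            if m["status"] != "406":
                unblocked_http10 += 1
    return {
        "posts_by_proto": dict(posts_by_proto),
        "http10_clients": http10_clients.most_common(),
        "unblocked_http10": unblocked_http10,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(key, value)
```

A non-trivial HTTP/1.1 share in `posts_by_proto` means the protocol check alone will not stop the traffic; a non-zero `unblocked_http10` after deployment means the rule is not being applied (for example, overrides disabled for that directory).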
