
Some person is trying to hack my WordPress site, so I'mma mess with them. They're using a script to POST password guesses directly to the wp-login.php page. I can block this easily enough with my .htaccess file:

<Limit POST>
    Order deny,allow
    Deny from 188.213.49.210
</Limit>

ErrorDocument 403 /fakelogin.php

But POSTs don't redirect to my 403 error page. The fakelogin page, for those curious, forces a download of the entirety of the Lego Movie every time they guess a password:

<?php
        // Resolved relative to this script's directory: readfile() on a bare
        // '/rsc/...' would look under the filesystem root, not the web root.
        $file_path = __DIR__ . '/rsc/The.Lego.Movie.2014.m4v';
        header('Content-Type: application/octet-stream');
        header('Content-Disposition: attachment; filename="' . basename($file_path) . '"');
        header('Content-Length: ' . filesize($file_path));
        // No output before readfile(): anything echoed here would be prepended
        // to the download and corrupt the file.
        readfile($file_path);
        exit;
?>

My knowledge of PHP is limited. How can I perform the above task when he makes a POST to wp-login.php? I'm willing to edit wp-login.php if needed.

Oren Bell
    This is silly. You can't force the client to accept your redirect or your output, and an automated script likely won't. Just block them, and add CSRF and/or CAPTCHA to your login form so it can't be scripted. Repeatedly serving a huge copyrighted file will tap your bandwidth limit and likely get you banned by your hosting provider for a ToS violation -- assuming Warner Brothers doesn't get to you first. – Alex Howansky Jan 08 '20 at 16:54

1 Answer


Based on your question, here is a simple solution.

If there is a request from 188.213.49.210, PHP will redirect to the download page.

<?php

$client_ip = $_SERVER['REMOTE_ADDR'];

// Exact string comparison: in a regex an unescaped "." matches any character,
// so "/188.213.49.210/" would also match unrelated strings containing the pattern.
if ($client_ip === '188.213.49.210') {
    header('Location: https://example.com/The._Lego_Movie_2014_download_page.php');
    exit; //<-- Here
}
?>
sanoj lawrence
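A version of the same check that a defender would actually deploy, added here as an example and not part of either the question or the answer: it compares parsed addresses instead of running a regex (an unescaped "." in preg_match() matches any character), accepts CIDR ranges as well as single addresses, and answers a blocked POST with a plain 403 instead of a redirect, which a scripted client would ignore anyway. The 188.213.49.210 address is the one from the question; the 203.0.113.0/24 entry, the function names and the LOGIN_BLOCK_LIST constant are my own constructions, not WordPress or Apache APIs.

```php
<?php
// Added example (not from the question or answer): exact IP / CIDR matching
// for a login block list, with a 403 for blocked POSTs. Function names and the
// block-list constant are assumptions made for this example. Assumes 64-bit PHP
// (ip2long() returns non-negative integers there).

declare(strict_types=1);

// Constructed block list: the address from the question plus a /24 range.
// 203.0.113.0/24 is the reserved TEST-NET-3 documentation range, chosen as
// an illustration of the CIDR case.
const LOGIN_BLOCK_LIST = [
    '188.213.49.210',
    '203.0.113.0/24',
];

/**
 * True when $ip (dotted IPv4) lies inside $entry, which is either a bare
 * address or an IPv4 CIDR such as 10.0.0.0/8. Malformed input never matches,
 * so a garbage REMOTE_ADDR can neither trigger nor slip past the block.
 */
function ip_in_entry(string $ip, string $entry): bool
{
    $ipLong = ip2long($ip);
    if ($ipLong === false) {
        return false;
    }
    if (strpos($entry, '/') === false) {
        $entryLong = ip2long($entry);
        return $entryLong !== false && $entryLong === $ipLong;
    }
    [$net, $bits] = explode('/', $entry, 2);
    $netLong = ip2long($net);
    if ($netLong === false || !ctype_digit($bits) || (int) $bits > 32) {
        return false;
    }
    $bits = (int) $bits;
    // Build the network mask; /0 is handled explicitly so the shift never reaches 32.
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

function is_blocked(string $ip, array $blockList = LOGIN_BLOCK_LIST): bool
{
    foreach ($blockList as $entry) {
        if (ip_in_entry($ip, $entry)) {
            return true;
        }
    }
    return false;
}

/**
 * Meant to run before WordPress handles a login request: refuse POSTed
 * password guesses from listed addresses with a 403 and a log line, and let
 * everything else through. $_SERVER['REMOTE_ADDR'] is the TCP peer; behind a
 * reverse proxy that is the proxy, so the proxy's forwarded header would have
 * to be consulted (and trusted only from the proxy) instead.
 */
function reject_blocked_login_post(): void
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        return;
    }
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if (is_blocked($ip)) {
        error_log("blocked login POST from {$ip}");
        http_response_code(403);
        header('Content-Type: text/plain');
        echo "Forbidden\n";
        exit;
    }
}

/** Self-check of the matcher on constructed inputs; true when every case passes. */
function self_test(): bool
{
    $cases = [
        ['188.213.49.210', true],
        ['188x213x49x210', false],   // would have matched the answer's regex
        ['203.0.113.77',   true],
        ['203.0.114.1',    false],
        ['not an ip',      false],
    ];
    foreach ($cases as [$ip, $expected]) {
        if (is_blocked($ip) !== $expected) {
            return false;
        }
    }
    // Out-of-range prefix length must be rejected rather than matched.
    return ip_in_entry('203.0.113.77', '203.0.113.0/99') === false;
}

if (PHP_SAPI === 'cli') {
    echo self_test() ? "matcher ok\n" : "matcher FAILED\n";
} else {
    reject_blocked_login_post();
}
```

Run it from the command line to exercise the matcher; in a web request it only acts on POSTs. WordPress updates overwrite wp-login.php, so rather than pasting this into core the same function is better called from a must-use plugin that loads before the login handler. As the comment on the question points out, a block list alone only stops one address; rate limiting and a CAPTCHA or CSRF token on the form are what stop the next script.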