Block brute force on wordpress wp-login ?
Posted: 02 Aug 2015, 17:11
by TomUK
Hi,
Is it possible to configure ConfigServer to block IPs which are hammering a site's WordPress wp-login?
I'm getting loads across different sites on the same server and would like to block at server level.
I already have all wp-admin pages blocked by HTTP auth but robots are still hammering at wp-login, which creates load on the server.
Thanks.
Tom.
Re: Block brute force on wordpress wp-login ?
Posted: 29 Sep 2015, 21:00
by GiraffeDog
I'd love to chip in and beg for this request too.
If anyone has anything that can help I'd love to hear from you.
Creating a plugin that communicates with my server to block all threats would be a great addition to this tool!
Re: Block brute force on wordpress wp-login ?
Posted: 16 Oct 2015, 20:10
by verdonv
This can be done by using the Fail2Ban plugin for WordPress and then pointing csf/lfd to the right log and using a custom regex. It's simpler than it sounds. I use it successfully. That said, most of these sorts of attacks are distributed, so you have to set the threshold really low to have any impact.
Read this thread
viewtopic.php?f=6&t=6663&p=23704
Re: Block brute force on wordpress wp-login ?
Posted: 16 Oct 2015, 22:01
by ljj
I use the .htaccess file to whitelist acceptable users and networks to use wp-login. This triggers 403s which are quickly detected by CSF/LFD. I also use a login limiter plug-in as a last resort.
To get around changing IPs on ISPs like Comcast, I whitelist all their dynamic IPs, figuring this at least reduces the chances of 99.99% of the world even reaching the file.
/ljj
Re: Block brute force on wordpress wp-login ?
Posted: 17 Oct 2015, 12:03
by marcele
Easy:
Edit /etc/csf/regex.custom.pm and add:
# wordpress
# $1 is the client IP; the return list is (reason, IP, identifier, trigger count, ports, block duration in seconds)
if (($globlogs{CUSTOM4_LOG}{$lgfile}) and ($line =~ /(\S+).*] "POST \/wp-login\.php.*" 200/)) {
return ("Failed Wordpress login from",$1,"wordpress","20","80,443","3600");
}
Then update /etc/csf/csf.conf and change CUSTOM4_LOG to scan your web server access logs (if it isn't doing so already). E.g. for Plesk: /var/www/vhosts/system/*/logs/access_log
That rule will block brute force attacks to wp-login.php for one hour. If you want to block them permanently just change the 3600 to 1.
Re: Block brute force on wordpress wp-login ?
Posted: 11 Mar 2017, 01:00
by gschaefer
I made those changes and restarted CSF but how can I tell if it's working?
I am still getting Wordfence alerts saying 'user xx tried to log in and has been blocked etc'
I can't see these IPs in the CSF deny IP lists.
Re: Block brute force on wordpress wp-login ?
Posted: 11 Mar 2017, 17:52
by marcele
Here is our updated WordPress brute force block code from Juggernaut Firewall:
1. I've added protection for both the login form and the WordPress XML-RPC API.
2. We use /var/www/vhosts/system/*/logs/access_*log for Plesk so it will scan both http and https access_logs.
Edit /etc/csf/regex.custom.pm and add:
# wordpress login form and xmlrpc API
# $1 is the client IP; the return list is (reason, IP, identifier, trigger count, ports, block duration in seconds)
if (($globlogs{CUSTOM4_LOG}{$lgfile}) and ($line =~ /^(\S+).*POST.*(wp-login\.php|xmlrpc\.php).* (200|401)/)) {
return ("Failed wordpress login from",$1,"wordpress","10","80,443","86400");
}
Then update /etc/csf/csf.conf and change CUSTOM4_LOG to scan your web server access logs (if it isn't doing so already). E.g. for Plesk: /var/www/vhosts/system/*/logs/access_*log
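To check that one of these patterns actually matches your log format before relying on lfd, the script below (an added example, not code from this thread, csf or Juggernaut Firewall) runs both regexes from the two posts above over a few constructed Apache combined-format lines and tallies hits per source IP the way lfd counts matches against the trigger field. The log lines, IPs and the helper names count_hits and offenders are all made up for the example. The status codes matter because WordPress re-renders the login form with HTTP 200 on a failed login and answers a successful one with a 302 redirect, which is why the rules key on 200 (and 401) rather than on every POST.

```python
import re
from collections import defaultdict

# The two patterns posted in this thread, transcribed from Perl syntax
# (only the \/ escape differs; everything else is identical).
RULE_V1 = re.compile(r'(\S+).*\] "POST /wp-login\.php.*" 200')
RULE_V2 = re.compile(r'^(\S+).*POST.*(wp-login\.php|xmlrpc\.php).* (200|401)')

# Constructed sample access log lines (Apache combined format), not real traffic.
# Documentation-range addresses are used so nothing here points at a real host.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Mar/2017:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Mar/2017:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Mar/2017:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Mar/2017:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.9"
198.51.100.7 - - [11/Mar/2017:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
192.0.2.33 - - [11/Mar/2017:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 401 381 "-" "curl/7.47"
"""


def count_hits(log_text, rule):
    """Count regex matches per source IP (capture group 1), as lfd tallies a custom rule."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = rule.search(line)
        if m:
            hits[m.group(1)] += 1
    return dict(hits)


def offenders(log_text, rule, trigger):
    """IPs whose hit count reaches the trigger level (4th field of the csf return list)."""
    return sorted(ip for ip, n in count_hits(log_text, rule).items() if n >= trigger)


if __name__ == "__main__":
    # Run both rules over the constructed log; hypothetical trigger of 2 for a short sample.
    for name, rule in (("wp-login only, status 200", RULE_V1),
                       ("wp-login + xmlrpc, status 200/401", RULE_V2)):
        print(name, count_hits(SAMPLE_LOG, rule), "->", offenders(SAMPLE_LOG, rule, 2))
```

Feed real lines from the file named in CUSTOM4_LOG into SAMPLE_LOG; if count_hits returns nothing, the pattern and your log format disagree (Plesk and cPanel lay out their access logs differently) and lfd will never fire. Note that the second pattern is unanchored on its right-hand side, so " 200" inside a response size following a non-matching status would also count; anchoring the status with the closing quote of the request, as the first pattern does, is tighter. Because both rules return a temporary block duration rather than a permanent one, matched IPs appear in the temporary block list (csf -t) and in /var/log/lfd.log, not in csf.deny, which is consistent with the follow-up report of not seeing them in the deny list.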
Re: Block brute force on wordpress wp-login ?
Posted: 11 Mar 2017, 22:11
by gschaefer
Many thanks for the update. Have changed the files again and restarted CSF. Will let you know how I go. My VPS server is getting hammered by a botnet trying to brute force WordPress passwords so anything I can do to reduce these attempts is useful.
Re: Block brute force on wordpress wp-login ?
Posted: 12 Mar 2017, 02:22
by gschaefer
Sorry to report this but it's still not working. The botnet WordPress login attempts are still happening and the IPs are not being added to CSF deny lists. I also have Wordfence and Brute Force Protection plugins installed on all my sites with extremely hard settings (1 attempt per 1 sec) and they are blocking these attempts but I would prefer to block them at the firewall level.
Re: Block brute force on wordpress wp-login ?
Posted: 12 Mar 2017, 16:05
by marcele
What kind of server are you using? Plesk, cPanel? I know the rule works so you likely have something configured incorrectly. Did you set CUSTOM4_LOG to actually point to your server's access log? If so, what did you set it to?