
CSF and Wordpress Practices

Posted: 15 Oct 2015, 13:07
by ljj
Hi - this is my first post - but I have been a reader of this forum for a long time and learned a great deal.

I run a VPS with a number of low traffic, largely static Wordpress sites. It is Centos based and I use W3TC caching and a CDN to offload the server, which is very underutilized. I run Apache Forked with keep alive.

It is well configured - everything works smoothly - and CSF/LFD do a phenomenal job with the constant stream of probing - as well as outright attacks. With ONE exception... Bots or clients that hit the site with dozens or hundreds of requests for non-existent files. When this happens Wordpress happily tries to resolve the error with its internal 404 response, which of course consumes a chunk of memory. The 404's get logged in Cpanel's "latest users" log - but I never see them in the Apache error_log. CSF seems to ignore them and takes no action. CSF perfectly handles 404's outside WP - as well as every other rule I've given it to enforce.

Am I missing something? Is there a way to get CSF to recognize these WP 404's???

Thanks very much for any advice,

/ljj

Re: CSF and Wordpress Practices

Posted: 15 Oct 2015, 23:57
by ljj
Let me ask a related question...

CSF/LFD looks at usr/local/apache/logs/error_log by default

error_log shows all 403's but NOT Wordpress 404's
access_log shows all 403's and 404's

But pointing at access_log does not seem to catch anything...

Am I missing something? I have googled for 2 weeks for an answer to this question....

Thank you,

/ljj

Re: CSF and Wordpress Practices

Posted: 17 Oct 2015, 12:19
by marcele
Can you post a sample of the WP 404 error log lines?

Re: CSF and Wordpress Practices

Posted: 17 Oct 2015, 13:57
by ljj
Here's one:

xxx.xxx.xxx.xxx - - [17/Oct/2015:08:56:05 -0400] "GET /foo.foo HTTP/1.1" 404 8684

Re: CSF and Wordpress Practices

Posted: 17 Oct 2015, 17:32
by marcele
After looking at the loginline404 and loginline403 functions in regex.pm it looks like the LF_APACHE_404 and LF_APACHE_403 regex were never designed to stop application based 404 or 403 errors.

I suggest you open a bug report and maybe Chirpy will update the regex to handle these.

Until this gets fixed you could add the following rules to /etc/csf/regex.custom.pm to block anyone for one hour who has over 100 - 404 or 403 errors. (make sure to restart LFD after you add them).

# 404 error
if (($globlogs{LF_HTACCESS}{$lgfile}) and ($line =~ /(\S+).*] "GET .*" 404/)) {
    return ("Application 404 error from",$1,"app404","100","80,443","3600");
}
# 403 error
if (($globlogs{LF_HTACCESS}{$lgfile}) and ($line =~ /(\S+).*] "GET .*" 403/)) {
    return ("Application 403 error from",$1,"app403","100","80,443","3600");
}

I hope this helps
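
An offline check of the two rules above against access_log lines, added here as an example that is not part of the post or of CSF: it applies the posted patterns with Python's `re` to constructed sample lines and reports which addresses reach the trigger of 100. The function names, the sample addresses and the reading of the trigger as "count >= 100" are assumptions.

```python
import re
from collections import Counter

# The two posted patterns, unchanged; Perl's unanchored =~ corresponds to re.search.
RULES = {
    "app404": re.compile(r'(\S+).*] "GET .*" 404'),
    "app403": re.compile(r'(\S+).*] "GET .*" 403'),
}
TRIGGER = 100  # per-IP count from the posted rules; ">=" below is an assumption


def count_hits(lines):
    """Count matching lines per rule and per captured client address."""
    hits = {rule: Counter() for rule in RULES}
    for line in lines:
        for rule, pattern in RULES.items():
            match = pattern.search(line)
            if match:
                hits[rule][match.group(1)] += 1
    return hits


def would_block(lines, trigger=TRIGGER):
    """Return sorted (rule, ip, count) for every address reaching the trigger."""
    hits = count_hits(lines)
    return sorted((rule, ip, n) for rule, ips in hits.items()
                  for ip, n in ips.items() if n >= trigger)


def sample_log():
    """Constructed access_log lines in the format of the sample in the thread."""
    fmt = '{ip} - - [17/Oct/2015:08:56:05 -0400] "{req} HTTP/1.1" {status} {size}'
    rows = [("198.51.100.7", "GET /foo.foo", 404, 8684)] * 120   # WordPress 404s
    rows += [("203.0.113.9", "GET /private/", 403, 275)] * 100   # 403s
    rows += [("192.0.2.4", "GET /", 200, 404)] * 150             # 200 with size 404
    rows += [("192.0.2.4", "POST /missing", 404, 8684)] * 150    # not a GET
    rows += [("192.0.2.5", "GET /typo.html", 404, 8684)] * 3     # below trigger
    return [fmt.format(ip=ip, req=req, status=status, size=size)
            for ip, req, status, size in rows]


if __name__ == "__main__":
    for rule, ip, n in would_block(sample_log()):
        print(f"{rule}: {ip} reached {n} matches (trigger {TRIGGER})")
```

The sample shows that a 200 response whose size happens to be 404 is not counted, and that the GET-only patterns ignore 404s returned to POST requests.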

Re: CSF and Wordpress Practices

Posted: 17 Oct 2015, 18:51
by ljj
Awesome... I also changed the location of htaccess to the access_log instead of error_log

Thanks very much....

/ljj