Block brute force on wordpress wp-login ?
Hi,
Is it possible to configure ConfigServer to block IPs which are hammering a site's WordPress wp-login?
I'm getting loads across different sites on the same server and would like to block at server level.
I already have all wp-admin pages blocked by HTTP auth, but robots are still hammering at wp-login, which creates load on the server.
Thanks.
Tom.
Last edited by TomUK on 06 Aug 2015, 11:02, edited 1 time in total.
Re: Block brute force on wordpress wp-login ?
I'd love to chip in and beg for this request too.
If anyone has anything that can help I'd love to hear from you.
Creating a plugin that communicated with your server to block all threats would be a great addition to this tool!
Re: Block brute force on wordpress wp-login ?
This can be done by using the Fail2Ban plugin for WordPress and then pointing csf/lfd to the right log and using a custom regex. It's simpler than it sounds. I use it successfully. That said, most of these sorts of attacks are distributed, so you have to set the threshold really low to have any impact.
Read this thread
viewtopic.php?f=6&t=6663&p=23704
Re: Block brute force on wordpress wp-login ?
I use the .htaccess file to whitelist acceptable users and networks to use wp-login. This triggers 403s, which are quickly detected by CSF/LFD. I also use a login limiter plug-in as a last resort.
To get around changing IPs on ISPs like Comcast, I whitelist all their dynamic IPs, figuring this at least reduces the chances of 99.99% of the world even reaching the file.
/ljj
Re: Block brute force on wordpress wp-login ?
Easy:
Edit /etc/csf/regex.custom.pm and add the rule below. Then update /etc/csf/csf.conf and change CUSTOM4_LOG to scan your web server access logs (if it isn't doing so already), e.g. for Plesk: /var/www/vhosts/system/*/logs/access_log
# wordpress: a failed login POSTs to wp-login.php and gets the form back with a 200
# (a successful login redirects with a 302), so POST + 200 is a failed attempt.
# Return fields: message, offending IP ($1), app name, hits before block, ports, block seconds
if (($globlogs{CUSTOM4_LOG}{$lgfile}) and ($line =~ /(\S+).*] "POST \/wp-login\.php.*" 200/)) {
	return ("Failed Wordpress login from",$1,"wordpress","20","80,443","3600");
}
That rule will block brute force attacks to wp-login.php for one hour. If you want to block them permanently just change the 3600 to 1.
Re: Block brute force on wordpress wp-login ?
I made those changes and restarted CSF but how can I tell if it's working?
I am still getting Wordfence alerts saying 'user xx tried to log in and has been blocked etc.'
I can't see these IPs in the CSF deny IP lists.
Re: Block brute force on wordpress wp-login ?
Here is our updated WordPress brute force block code from Juggernaut Firewall:
1. I've added protection for both the login form and the WordPress XML-RPC API.
2. We use /var/www/vhosts/system/*/logs/access_*log for Plesk so it will scan both http and https access_logs.
Edit /etc/csf/regex.custom.pm and add the rule below. Then update /etc/csf/csf.conf and change CUSTOM4_LOG to scan your web server access logs (if it isn't doing so already), e.g. for Plesk: /var/www/vhosts/system/*/logs/access_*log
# wordpress: match POSTs to the login form or the XML-RPC API answered with 200 (failed login,
# the form is re-rendered) or 401 (HTTP auth failure). The status must directly follow the
# quote closing the request line, so a response size such as 2000 cannot be read as a 200.
# Return fields: message, offending IP ($1), app name, hits before block, ports, block seconds (86400 = 1 day)
if (($globlogs{CUSTOM4_LOG}{$lgfile}) and ($line =~ /^(\S+).*"POST [^"]*(wp-login\.php|xmlrpc\.php)[^"]*" (200|401) /)) {
	return ("Failed wordpress login from",$1,"wordpress","10","80,443","86400");
}
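As an added example (not from this thread, csf or Juggernaut), the following Python dry run applies the rule's pattern to constructed access_log lines, counting hits per IP the way lfd does before it blocks, so you can check what the rule would catch in your own logs before trusting it; it also contrasts a loose pattern with an unanchored status against one anchored to the request line. It assumes the Apache/nginx "combined" log format that Plesk and cPanel write.

```python
import re
from collections import Counter

# Loose form of the rule: the status code may match anywhere after the URL,
# so a byte count such as 2000 can be mistaken for a 200 status.
LOOSE_RULE = re.compile(r'^(\S+).*POST.*(wp-login\.php|xmlrpc\.php).* (200|401)')

# Anchored form: the status must directly follow the quote that closes the
# request line. Assumes the Apache/nginx "combined" log format.
STRICT_RULE = re.compile(
    r'^(\S+).*"POST [^"]*(?:wp-login\.php|xmlrpc\.php)[^"]*" (?:200|401) '
)
TRIGGER = 10  # 4th return field of the rule: hits per IP before lfd blocks it

# Constructed sample access_log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [06/Aug/2015:10:00:01 +0100] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Aug/2015:10:00:02 +0100] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.9 - - [06/Aug/2015:10:00:03 +0100] "POST /wp-login.php HTTP/1.1" 302 2000 "-" "Mozilla/5.0"
198.51.100.9 - - [06/Aug/2015:10:00:04 +0100] "GET /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
"""


def failed_logins(log_text, rule=STRICT_RULE):
    """Count, per client IP, the lines the rule would report to lfd."""
    hits = Counter()
    for line in log_text.splitlines():
        m = rule.match(line)
        if m:
            hits[m.group(1)] += 1
    return hits


def would_block(log_text, trigger=TRIGGER):
    """IPs whose hit count reaches the trigger (ignores lfd's LF_INTERVAL window)."""
    return sorted(ip for ip, n in failed_logins(log_text).items() if n >= trigger)


def false_positives(log_text):
    """Lines the loose pattern matches but the anchored one rejects (e.g. a 302 on success)."""
    return [l for l in log_text.splitlines()
            if LOOSE_RULE.match(l) and not STRICT_RULE.match(l)]


if __name__ == "__main__":
    print(failed_logins(SAMPLE_LOG))   # Counter({'203.0.113.7': 2})
    print(would_block(SAMPLE_LOG, 2))  # ['203.0.113.7']
    for l in false_positives(SAMPLE_LOG):
        print("loose pattern only:", l)
```

Run it against a copy of your real access_log (read the file into `log_text`) to see which IPs would reach the trigger; if none do, the rule is not the reason lfd stays quiet, and CUSTOM4_LOG is the next thing to check.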
Re: Block brute force on wordpress wp-login ?
Many thanks for the update. Have changed the files again and restarted CSF. Will let you know how I go. My VPS server is getting hammered by a botnet trying to brute force WordPress passwords, so anything I can do to reduce these attempts is useful.
Re: Block brute force on wordpress wp-login ?
Sorry to report this, but it's still not working. The botnet WordPress login attempts are still happening and the IPs are not being added to CSF deny lists. I also have Wordfence and Brute Force Protection plugins installed on all my sites with extremely hard settings (1 attempt per 1 sec) and they are blocking these attempts, but I would prefer to block them at the firewall level.
Re: Block brute force on wordpress wp-login ?
What kind of server are you using? Plesk, cPanel? I know the rule works, so you likely have something configured incorrectly. Did you set CUSTOM4_LOG to actually point to your server's access log? If so, what did you set it to?