CSF help for WordPress /wp-login.php and /xmlrpc.php DDOS

[brianoz]

Does anyone have a working set of rules they use with CSF to help reduce impact from repeated login attempts on WordPress?

These attempts take place with /xmlrpc.php (multiple attempts in one post) and /wp-login.php (single attempt). Often one IP will try many, many times (eg yesterday, 3000 in 2 days).

It would help a lot if CSF was able to auto-block them with some built-in solution; far more robust than putting in our own home-grown rules. This is fairly significant and can affect server performance tremendously. We'd obviously want some form of rate detection and then subsequent blocking. If it eventually worked for Joomla as well that would be amazing.

Is there a way to trigger an existing ruleset by modifying WordPress's behaviour for a failed login? That would be a nice interim measure, although the absolute magic lies in blocking multiple attempts from the default failed login behaviour.

Brian

[Smjork]

If all those Wordpress sites belong to you then you may very well use .htaccess to restrict acces to xml-rpc.php and wp-login ONLY from a specified list of IP addresses (your home, your office, etc)
See the example below:

<Files "xmlrpc.php">
order deny,allow
deny from all
allow from 123.456.789.012
allow from 234.567.890.123
</Files>

<Files "wp-login.php">
order deny,allow
deny from all
allow from 123.456.789.012
allow from 234.567.890.123
</Files>

... and if the server belongs to you then you can use one of fail2ban's filters to block any other IP which attempts to access those two files.

I know it has nothing to do with csf/lfd but it works