Block brute force on wordpress wp-login ?

13 posts Page 1 of 2
TomUK
Junior Member
Posts: 10
Joined: 18 Aug 2012, 11:43


Hi,

Is it possible to configure ConfigServer to block IPs which are hammering a site's WordPress wp-login?

I'm getting loads across different sites on the same server and would like to block at server level.

I already have all wp-admin pages blocked by http auth but robots are still hammering at wp-login, which creates load on server.

Thanks.

Tom.
Last edited by TomUK on 06 Aug 2015, 11:02, edited 1 time in total.
GiraffeDog
Junior Member
Posts: 4
Joined: 14 Dec 2012, 11:44


I'd love to chip in and beg for this request too.

If anyone has anything that can help I'd love to hear from you.

Creating a plugin that communicated with your server to block all threats would be a great addition to this tool!
verdonv
Junior Member
Posts: 19
Joined: 18 Nov 2014, 18:54


This can be done by using the Fail2Ban plugin for WordPress and then pointing csf/lfd to the right log and using a custom regex. It's simpler than it sounds. I use it successfully. That said, most of these sorts of attacks are distributed, so you have to set the threshold really low to have any impact.

Read this thread
viewtopic.php?f=6&t=6663&p=23704
ljj
Junior Member
Posts: 6
Joined: 15 Oct 2015, 12:52


I use the .htaccess file to whitelist acceptable users and networks to use wp-login. This triggers 403s which are quickly detected by CSF/LFD. I also use a login limiter plug-in as a last resort.

To get around changing IPs on ISPs like Comcast, I whitelist all their dynamic IPs, figuring this at least reduces chances of 99.99% of the world even reaching the file.

/ljj
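For the .htaccess approach ljj describes, here is an added example in Apache 2.4 syntax (my illustration, not ljj's actual file). The two networks are documentation ranges to be replaced with your own, and LF_APACHE_403 in /etc/csf/csf.conf is the setting that makes lfd count the resulting 403s:

```apache
# Added example (not ljj's actual file), Apache 2.4 syntax.
# Only the listed networks may reach the login form; everyone else gets a 403,
# which lfd counts once LF_APACHE_403 is enabled in /etc/csf/csf.conf.
# 192.0.2.0/24 and 198.51.100.0/24 are placeholder ranges.
<Files "wp-login.php">
    <RequireAny>
        Require ip 192.0.2.0/24
        Require ip 198.51.100.0/24
    </RequireAny>
</Files>
```

On Apache 2.2 the equivalent is Order/Deny/Allow inside the same Files block. Keep the ranges as tight as you can: a whole ISP's dynamic pool, as in the post above, also admits every compromised home machine in it.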
marcele
Junior Member
Posts: 178
Joined: 17 Sep 2007, 17:02


Easy:

Edit /etc/csf/regex.custom.pm and add:
# wordpress
# WordPress re-renders the login form with HTTP 200 on a failed login (a successful
# login answers 302), so count POSTs to wp-login.php that got a 200.
# Return fields: message, IP, app name, trigger count, ports, block time (seconds, or 1 = permanent).
if (($globlogs{CUSTOM4_LOG}{$lgfile}) and ($line =~ /(\S+).*] "POST \/wp-login\.php.*" 200/)) {
    return ("Failed Wordpress login from",$1,"wordpress","20","80,443","3600");
}
Then update /etc/csf/csf.conf and change CUSTOM4_LOG to scan your web server access logs (if they aren't doing so already), e.g. for Plesk: /var/www/vhosts/system/*/logs/access_log

That rule will block brute force attacks to wp-login.php for one hour. If you want to block them permanently just change the 3600 to 1.
gschaefer
Junior Member
Posts: 13
Joined: 18 Jun 2015, 23:32


I made those changes and restarted CSF but how can I tell if it's working?

I am still getting Wordfence alerts saying 'user xx tried to log in and has been blocked etc'.
I can't see these IPs in the CSF deny IP lists.
marcele
Junior Member
Posts: 178
Joined: 17 Sep 2007, 17:02


Here is our updated wordpress brute force block code from Juggernaut Firewall:

1. I've added protection for both the login form and the wordpress xmlrpc API.
2. We use /var/www/vhosts/system/*/logs/access_*log for Plesk so it will scan both http and https access_logs.

Edit /etc/csf/regex.custom.pm and add:
# Count POSTs to wp-login.php or xmlrpc.php answered 200 (WordPress re-renders the form,
# or returns an XML-RPC fault) or 401 (HTTP auth placed in front of the login).
# The status is anchored to the request line's closing quote so a byte count or
# referrer that happens to contain "200"/"401" cannot trigger the rule.
if (($globlogs{CUSTOM4_LOG}{$lgfile}) and ($line =~ /^(\S+).*"POST \S*(?:wp-login\.php|xmlrpc\.php)[^"]*" (?:200|401) /)) {
    return ("Failed wordpress login from",$1,"wordpress","10","80,443","86400");
}
Then update /etc/csf/csf.conf and change CUSTOM4_LOG to scan your web server access logs (if they aren't doing so already), e.g. for Plesk: /var/www/vhosts/system/*/logs/access_*log
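To see what rules like these would actually do before trusting them on a live server, here is an added example (my code, not marcele's rule or anything shipped with csf/lfd) that replays the two patterns from this thread over constructed access-log lines and tallies hits per client IP against the trigger count, the way lfd does. All IPs, timestamps and byte counts are made up; the second pattern is the wp-login/xmlrpc variant with the status code anchored to the request line, and it is run here to show why verdonv's point about distributed attacks matters:

```perl
#!/usr/bin/perl
# Added example, not code from this thread or from csf/lfd itself.
# Replays csf-style custom rules over constructed access-log lines and tallies
# hits per client IP, which is what lfd does before a rule's trigger count is
# reached. All IPs, timestamps and byte counts below are made up.
use strict;
use warnings;

# Rules in the shape of regex.custom.pm: a pattern capturing the client IP in $1,
# plus the trigger count and block duration the rule would return.
my @rules = (
    { name    => 'wp-login POST answered 200',
      re      => qr/(\S+).*\] "POST \/wp-login\.php.*" 200/,
      trigger => 20, seconds => 3600 },
    { name    => 'wp-login or xmlrpc POST answered 200/401 (status anchored)',
      re      => qr/^(\S+).*"POST \S*(?:wp-login\.php|xmlrpc\.php)[^"]*" (?:200|401) /,
      trigger => 10, seconds => 86400 },
);

# Build one Apache combined-format line; the clock ticks once per call.
my $t = 0;
sub logline {
    my ($ip, $request, $status, $bytes, $agent) = @_;
    $t++;
    return sprintf('%s - - [06/Aug/2015:10:%02d:%02d +0000] "%s HTTP/1.1" %d %d "-" "%s"',
                   $ip, int($t / 60), $t % 60, $request, $status, $bytes, $agent);
}

my @lines;
# One host hammering the form: 25 bad passwords, each re-rendered with a 200.
push @lines, logline('203.0.113.5', 'POST /wp-login.php', 200, 4011, 'Mozilla/5.0') for 1 .. 25;
# A distributed attack: 15 hosts, two XML-RPC attempts each.
for my $n (1 .. 15) {
    push @lines, logline("198.51.100.$n", 'POST /xmlrpc.php', 200, 432, 'python-requests/2.7') for 1 .. 2;
}
# A genuine login (WordPress answers 302) and an ordinary page view: neither may count.
push @lines, logline('192.0.2.10', 'POST /wp-login.php', 302, 0, 'Mozilla/5.0');
push @lines, logline('192.0.2.10', 'GET /2015/08/hello/', 200, 20015, 'Mozilla/5.0');

for my $rule (@rules) {
    my %hits;
    for my $line (@lines) {
        $hits{$1}++ if $line =~ $rule->{re};
    }
    print "Rule: $rule->{name} (trigger $rule->{trigger})\n";
    for my $ip (sort keys %hits) {
        my $verdict = $hits{$ip} >= $rule->{trigger}
                    ? "would be blocked for $rule->{seconds}s"
                    : 'below trigger, no block';
        printf "  %-15s %3d hits  %s\n", $ip, $hits{$ip}, $verdict;
    }
}
```

The single hammering host crosses both thresholds, while the fifteen botnet members at two attempts each never reach a trigger of 10, which is why a distributed campaign forces the threshold down or a different control (HTTP auth, an IP allow-list) in front of the form. To run the same check against a real log, read the file into @lines instead of constructing them. Remember that lfd, not just csf, has to be restarted after editing regex.custom.pm (`csf -ra` restarts both); matches then appear in /var/log/lfd.log, and `csf -g <ip>` shows whether an address is currently in the firewall rules. The xmlrpc.php pattern also counts legitimate XML-RPC clients such as Jetpack or mobile apps, so list those sources in /etc/csf/csf.allow before enabling it.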
gschaefer
Junior Member
Posts: 13
Joined: 18 Jun 2015, 23:32


Many thanks for the update. Have changed the files again and restarted CSF. Will let you know how I go. My VPS server is getting hammered by a botnet trying to brute force WordPress passwords so anything I can do to reduce these attempts is useful.
gschaefer
Junior Member
Posts: 13
Joined: 18 Jun 2015, 23:32


Sorry to report this but it's still not working. The botnet WordPress login attempts are still happening and the IPs are not being added to CSF deny lists. I also have Wordfence and Brute Force Protection plugins installed on all my sites with extremely hard settings (1 attempt per 1 sec) and they are blocking these attempts but I would prefer to block them at the firewall level.
marcele
Junior Member
Posts: 178
Joined: 17 Sep 2007, 17:02


What kind of server are you using? Plesk, cPanel? I know the rule works so you likely have something configured incorrectly. Did you set CUSTOM4_LOG to actually point to your server's access log? If so, what did you set it to?