Preventing wp-login.php attacks on WordPress

  • July 19, 2014

These instructions are for a standard cPanel install but will work on any server with mod_security; only the paths and file names might differ.


edit /usr/local/apache/conf/modsec2.user.conf and add:

Quote:

<LocationMatch "/wp-login.php">
# Persistent per-IP collection keyed on the client address.
SecAction "initcol:ip=%{REMOTE_ADDR},pass,nolog,id:313371"
# Decay the counter by 2 every 30 seconds.
SecAction "phase:5,deprecatevar:ip.counter=2/30,pass,nolog,id:313372"
# Third and later requests within the window: pause 3 s, answer 406, and skip the increment below.
SecRule IP:COUNTER "@gt 1" "phase:2,pause:3000,deny,status:406,setenv:RATELIMITED,skip:1,log,id:313373"
# Count the request.
SecAction "phase:2,pass,setvar:ip.counter=+1,nolog,id:313374"
</LocationMatch>

Note: With the values above an address may make 2 requests to wp-login.php within 30 seconds; the third and later requests get a 406 after a 3-second pause and are not counted, and since the counter is decremented by 2 for every 30 seconds that pass, the block lifts after roughly 30 seconds of quiet. Bear in mind that a normal login is already two requests (the GET that loads the form and the POST that submits it), so a single typo puts a legitimate user over this limit. To change the threshold, adjust both values together: the number in "@gt 1" is one less than the number of requests allowed, and the "2/30" in deprecatevar is how much the counter decays (2) per interval (30 seconds). I will probably change that threshold to 5/30 so it is not as aggressive and does not block legitimate users in the process.

Two caveats: the counter is keyed on REMOTE_ADDR, so behind a reverse proxy or CDN all visitors share the proxy's address and are rate limited together; and pause:3000 holds an Apache worker for three seconds on every blocked request, so under a sustained brute force it can tie up the very workers the block was meant to protect.

edit /usr/local/apache/conf/modsec2.conf and add:

Quote:

SecDataDir /usr/local/apache/logs/modsec

Note: If you are using rules from GotRoot you will already have a SecDataDir set up and it is not necessary to create one. If you do not have a SecDataDir anywhere, add the directive and also create the directory, for example:

mkdir /usr/local/apache/logs/modsec
chown root:nobody /usr/local/apache/logs/modsec

mod_security writes the persistent ip collection into this directory as the Apache worker user (nobody on cPanel), so that user needs write permission on it; the ownership above does not grant that by itself, so loosen the mode (for example 770) or make the directory owned by that user.

Important Note:

Make sure you have a proper ErrorDocument 406 set up in the Apache httpd.conf or in the mod_security config, for example:

ErrorDocument 406 "Not Acceptable"

(On cPanel this is already in place and you do not have to add it.)

When a bot or a user brute-forces wp-login.php they then receive a short plain-text Not Acceptable page instead of being redirected to a WordPress error page, which would consume CPU on every blocked request. This helps cut the load down even further.


taken from: http://www.webhostingtalk.com/showpost.php?p=8639061&postcount=42


=======================================


Additional rules taken from: http://www.webhostingtalk.com/showpost.php?p=9180012&postcount=2

Unlike the set above, these count failed logins rather than every request to wp-login.php, and block an address for five minutes after more than ten failures in three minutes. They use the same ip collection, so if you combine them with the first set a single initcol is enough. The second block is for Joomla's administrator login, not WordPress.

# WordPress brute-force detection.
# Persistent per-IP collection; phase 1 so it is available to every later rule.
SecAction "phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:5000134"
<LocationMatch "/wp-login.php">
# React if the block flag has been set for this IP.
SecRule ip:bf_block "@gt 0" "phase:2,deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"
# Track results. WordPress answers a successful login with a 302 redirect and a failed one by
# re-serving the form with a 200, so only a POST that comes back 200 is a failed attempt; a plain
# GET of the login form also returns 200 and must not be counted.
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
SecRule REQUEST_METHOD "@streq POST" "phase:5,chain,t:none,nolog,pass,id:5000137"
    SecRule RESPONSE_STATUS "^200" "t:none,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180"
# More than 10 failures: set the block flag for 300 seconds and reset the counter.
# (id 5000138 is not from the original post; use any id that is free on your server.)
SecRule ip:bf_counter "@gt 10" "phase:5,t:none,nolog,pass,setvar:ip.bf_block=1,expirevar:ip.bf_block=300,setvar:ip.bf_counter=0,id:5000138"
</LocationMatch>

# Joomla administrator login, using the same counters. Matching on the error text needs
# access to the response body, which is off by default.
SecResponseBodyAccess On
<LocationMatch "/administrator/index.php">
# React if the block flag has been set for this IP.
SecRule ip:bf_block "@gt 0" "phase:2,deny,status:401,log,id:5000235,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"
# Count failed logins by Joomla's error message in the response body.
SecRule RESPONSE_BODY "Username and password do not match" "phase:4,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000237"
# (id 5000238 is not from the original post; use any id that is free on your server.)
SecRule ip:bf_counter "@gt 10" "phase:4,t:none,nolog,pass,setvar:ip.bf_block=1,expirevar:ip.bf_block=300,setvar:ip.bf_counter=0,id:5000238"
</LocationMatch>
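Before enabling either rule set it is worth replaying its thresholds against the access log you already have, to see who would have been blocked. The script below is an added example for this article, not code from the original posts or from the quoted mod_security rules: it parses Apache combined-format lines (the sample lines are constructed for illustration), buckets wp-login.php hits per client address three ways, and applies the thresholds of both rule sets above using a sliding time window, which approximates ModSecurity's deprecatevar decay rather than reproducing it exactly. Comparing the "any 200" and "POST answered 200" counts shows why counting every 200 response also counts plain loads of the login form.

```python
"""Dry run of the wp-login.php brute-force thresholds against access-log lines.

Added example for this article; not code from the original post or from the
quoted mod_security rules. It approximates deprecatevar decay with a sliding
window, so use it to size thresholds, not as an exact replay of mod_security.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Thresholds taken from the two rule sets above:
# (events counted, window in seconds, highest count still allowed).
THRESHOLDS = {
    "set1_all":     ("all",     30,  2),   # @gt 1 with deprecatevar 2/30
    "set2_any200":  ("any200",  180, 10),  # RESPONSE_STATUS ^200 as written
    "set2_post200": ("post200", 180, 10),  # failed POSTs, the intended count
}


def parse_line(line):
    """Return (ip, epoch seconds, method, path without query, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT).timestamp()
    return (m.group("ip"), ts, m.group("method"),
            m.group("path").split("?", 1)[0], int(m.group("status")))


def first_block_time(events, window, limit):
    """Timestamp at which more than `limit` events fall inside any `window`
    seconds, or None. `events` is a sorted list of epoch seconds."""
    start = 0
    for i, t in enumerate(events):
        while events[start] < t - window:
            start += 1
        if i - start + 1 > limit:
            return t
    return None


def analyse(lines, path="/wp-login.php"):
    """Per-IP timestamps of wp-login.php hits, bucketed three ways:
    all     - every request       (what the first rule set counts)
    any200  - every 200 response  (what the second rule set counts as
                                   written; a GET of the form is a 200 too)
    post200 - POST answered 200   (a failed login, the intended count)"""
    buckets = defaultdict(lambda: {"all": [], "any200": [], "post200": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != path:
            continue
        ip, ts, method, _, status = rec
        buckets[ip]["all"].append(ts)
        if status == 200:
            buckets[ip]["any200"].append(ts)
            if method == "POST":
                buckets[ip]["post200"].append(ts)
    for b in buckets.values():
        for k in b:
            b[k].sort()
    return buckets


def report(lines):
    """For each threshold, the sorted list of IPs it would have blocked."""
    buckets = analyse(lines)
    return {
        name: sorted(ip for ip, b in buckets.items()
                     if first_block_time(b[kind], window, limit) is not None)
        for name, (kind, window, limit) in THRESHOLDS.items()
    }


def _line(ip, sec, method, path, status):
    """Constructed combined-format line, `sec` seconds after 10:00:00 UTC."""
    return (f'{ip} - - [19/Jul/2014:10:{sec // 60:02d}:{sec % 60:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


# Constructed sample log: a password-guessing bot, a scanner that only fetches
# the form, and one legitimate user who mistypes once and then logs in.
SAMPLE_LOG = (
    [_line("203.0.113.5", 0, "GET", "/wp-login.php", 200)]
    + [_line("203.0.113.5", 2 + 4 * i, "POST", "/wp-login.php", 200) for i in range(12)]
    + [_line("192.0.2.9", 5 * i, "GET", "/wp-login.php", 200) for i in range(11)]
    + [_line("198.51.100.7", 100, "GET", "/wp-login.php", 200),
       _line("198.51.100.7", 112, "POST", "/wp-login.php?redirect_to=%2Fwp-admin%2F", 200),
       _line("198.51.100.7", 119, "POST", "/wp-login.php?redirect_to=%2Fwp-admin%2F", 302),
       _line("198.51.100.7", 120, "GET", "/wp-admin/", 200)]
)

if __name__ == "__main__":
    for name, ips in report(SAMPLE_LOG).items():
        print(f"{name:13s} would block: {', '.join(ips) or 'nobody'}")
```

On the constructed sample the first rule set blocks all three addresses, including the legitimate user whose GET, failed POST and successful POST fall inside one 30-second window; the second rule set as written blocks the bot and the form-only scanner, while counting only POSTs answered with 200 blocks the bot alone. To run it on a real log, replace SAMPLE_LOG with the lines of your access_log and adjust THRESHOLDS to the values you intend to deploy.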
