Linux SysAdmin & DevOps

Wordpress brute force protection

Wordpress is one of the most use CMS platforms for blogs and websites. It’s fast, highly customizable and pretty easy to use. You can use it for your personal blog, you can build a personal or business website, an online store and basically, it can be used to build any type of website.

The most common problem are the wordpress bruteforce attacks. Scripts or bots that are trying to guess your admin password or try to inject malitious php codes into your scripts in order to send spam or upload scam or phishing websites into your hosting account.

Fortunately, there is mod_security (a security module for the apache webserver) and CSF Firewall (a highly customizable firewall, writtern in perl and based on iptables rules).

In order to prevent and automatically block wordpress bruteforce attacks you have to do some customizations to your mod_security rules.

Assuming you already have a running apache webserver and some sites built on wordpress, and also you have installed both mod_security (standard package on cPanel servers) and CSF Firewall, here it is what you should do:

Wordpress bruteforce mod_security protection

Open your modsec.conf file and add the following:

SecUploadDir /tmp 
SecTmpDir /tmp 
SecDataDir /tmp 
SecRequestBodyAccess On 
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000134 
<Locationmatch "/wp-login.php"> 
# Setup brute force detection. 
# React if block flag has been set. 
SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 15 minutes, more than 10 login attempts in 3 minutes.'"
# Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed. 
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
SecRule ip:bf_counter "@gt 10" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=900,setvar:ip.bf_counter=0"
ErrorDocument 401 default 
# xmlrpc.php 
SecRule REQUEST_FILENAME "^/xmlrpc.php" "deny,log,auditlog,status:403,msg:'xmlrpc TOM FOOLERY',id:'1337',severity:'2'" 
SecRule REQUEST_URI "xmlrpc*" "deny,log,auditlog,status:403,msg:'xmlrpc TOM FOOLERY',id:'1338',severity:'2'"

Save the file and restart your webserver:

/etc/init.d/httpd restart
systemctl restart httpd

Wordpress bruteforce protection with CSF firewall

Open csf.configuration file /etc/csf/csf.conf and set the following values:

LF_MODSEC = "25"

Save the file and restart csf:

csf -ra

Now when any of the rules above are trigged for more than 25 times, the CSF Firewall will permanetly block the ip address (the source of the attack).

I will not explain in this article what every rule does and so on. It’s just a basic example which offers and extra layer of protection for your wordpress website.