SOLVED cPHulk Blacklist v csf Firewall Deny IP

PCZero

Well-Known Member
Dec 13, 2003
Earth
OK, so I have a guy who is constantly trying to call up the wplogin script for every site on my server (even though I have no WP sites). I want to block/ban his IP by either black listing him in cPHulk or adding his IP to the deny list in csf. Is there any effective difference between the two that might make one method a better choice to accomplish the task at hand?
 

keat63

Well-Known Member
Nov 20, 2014
1,963
267
113
cPanel Access Level
Root Administrator
I'd block him in CSF, it's pretty painless.

However, if you have no WP sites, I'm pretty sure that there's a custom regex on the CSF forum to automatically block anyone trying to open wplogin.php.
So even if he comes back with another IP, he will just end up blocking himself.
 

PCZero

Well-Known Member
Dec 13, 2003
Earth
Michael, can you look at this page please and tell me if it is legit and will work to block IPs of wp-login attacks?


BTW, my name is David in case you were interested! :)
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello David,

It looks like the page or link you are referencing was not included in your post. Can you respond with the link to the page you'd like me to review?

Thanks!
 

PCZero

Well-Known Member
Dec 13, 2003
Earth
LOL boy do I feel stupid! I think this was the page that I wanted to know about.

Mod Note: removed third-party URL.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello David,

The instructions on that page appear to remain applicable; however, the discussion on the following threads includes more recent tests from other cPanel & WHM users specific to the wp-login.php attacks:

wp-login.php and mod security
Block WordPress wp-login.php attempts with CSF?

There's a CSF forums thread you may find helpful as well:

Blocking Wordpress Login and xmlprc attacks with LFD - ConfigServer Community Forum

Note: I removed the link you added because third-party URLs can sometimes stop working over time.

Thank you.
 

PCZero

Well-Known Member
Dec 13, 2003
Earth
Thanks Michael. I'll look at the page you mention. Some of the pages I looked at were really difficult for me to read and follow. With my dyslexia (or as I like to call it - lysdexia) I need a really dumbed-down step-by-step guide when venturing into areas such as this. After I get a chance later today to go over the page you posted, I'll get back with you if I need help navigating the process, if that is good with you. Again, I appreciate the help.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello David,

Of course! Let me know if you have any questions or need advice with any of the instructions on those threads. We're here to help.

Thank you.
 

keat63

Well-Known Member
Nov 20, 2014
cPanel Access Level
Root Administrator
Try this, I think it should work. (Taken from the CSF forum and made easier to understand)

Code:
In /etc/csf/csf.conf at about line 2600 add:

CUSTOM2_LOG = "/usr/local/apache/domlogs/*/*"


In /usr/local/csf/bin/regex.custom.pm add:

# XMLRPC: $1 captures the client IP at the start of the domlog line
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
    return ("xmlrpc log in attempt",$1,"XMLRPCorWHATEVER","3","80,443,21,25,22,23","1");
}

# WP-LOGINS: return fields are (log text, IP, trigger name, hits, ports, permanent)
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
    return ("wordpress log in attempt",$1,"WPLOGINorWHATEVER","3","80,443,21,25,22,23","1");
}

It triggers on "3" hits of GET or POST of /xmlrpc.php or /wp-login.php by using the default interval settings of csf.conf (3600).

It bans the IP permanently "1" (it requires LF_TRIGGER disabled in csf.conf or else it ignores the value and uses the default temporary block time 3600)
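To see how lfd would treat these two rules, here is an added Python harness (not from the post, and not csf's own code) that runs the exact patterns above over constructed domlog lines and applies the same "3 hits within the interval" counting; it also shows that a WordPress install in a subdirectory (/blog/wp-login.php) is not matched by the pattern as written. Sample IPs and timestamps are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
# The two patterns exactly as posted above; Python's re reads these escapes
# the same way Perl does, so the match behaviour is the one lfd would see.
PATTERNS = {
    "XMLRPCorWHATEVER": re.compile(r'(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" '),
    "WPLOGINorWHATEVER": re.compile(r'(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" '),
}
TRIGGER_LEVEL = 3   # the "3" in the return tuple
INTERVAL = 3600     # the csf.conf interval the post refers to, in seconds

# Constructed sample domlog lines (Apache combined format, documentation IPs).
SAMPLE_LOG = """\
192.0.2.50 - - [03/Jul/2019:17:00:00 -0500] "POST /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.50 - - [03/Jul/2019:17:30:00 -0500] "POST /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jul/2019:18:50:01 -0500] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jul/2019:18:50:02 -0500] "POST /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Jul/2019:18:50:03 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jul/2019:18:50:04 -0500] "POST /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Jul/2019:18:50:05 -0500] "POST /xmlrpc.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.33 - - [03/Jul/2019:18:50:06 -0500] "GET /blog/wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.50 - - [03/Jul/2019:18:50:07 -0500] "POST /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

def match_line(line):
    """Return (trigger_name, ip) for the first pattern that matches, else None."""
    for name, rx in PATTERNS.items():
        m = rx.search(line)
        if m:
            return name, m.group(1)   # m.group(1) is Perl's $1: the client IP
    return None

def log_time(line):
    """Epoch seconds from the [dd/Mon/yyyy:HH:MM:SS zone] field."""
    stamp = re.search(r"\[([^\]]+)\]", line).group(1)
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp()

def offenders(log_text):
    """Simulate lfd's counting: a (trigger, ip) pair is reported once the IP has
    TRIGGER_LEVEL matching hits inside INTERVAL seconds (lines assumed chronological)."""
    recent = defaultdict(list)
    blocked = set()
    for line in log_text.splitlines():
        hit = match_line(line)
        if hit is None:
            continue                  # ordinary traffic never counts
        ts = log_time(line)
        recent[hit] = [t for t in recent[hit] if ts - t < INTERVAL] + [ts]
        if len(recent[hit]) >= TRIGGER_LEVEL:
            blocked.add(hit)
    return blocked
```

Only 203.0.113.7 is reported: 192.0.2.50's three hits span more than 3600 seconds, and 192.0.2.33's subdirectory login URL never matches, so a site outside the document root would need its own pattern.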
 

PCZero

Well-Known Member
Dec 13, 2003
Earth
Hey Michael, I am working on the wp-login block now and need to make sure I am doing this correctly.

Going off of the 4th post in the thread at Blocking Wordpress Login and xmlprc attacks with LFD - ConfigServer Community Forum, it looks like I need to do two things.

#1 in /etc/csf edit the regex.custom.pm file and add this...


# WP-LOGINS
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
    return ("your ban comment",$1,"WPLOGIN","3","80,443,21,25,22,23","1");
}

#2 edit /etc/csf/csf.conf
edit CUSTOM2_LOG as follows


CUSTOM2_LOG = "/usr/local/apache/domlogs/*/*"


Is that the long and short of what I need to do to auto ban wp-login attempts?
 

PCZero

Well-Known Member
Dec 13, 2003
Earth
keat63 thank you. I needed exactly that, the "I am a dummy" version of the code. I did as you said and tested it using my phone. Sure enough this is now in the csf black list...

##.##.##.## # lfd: (WPLOGINorWHATEVER) wordpress log in attempt 172.58.xxx.xxx (US/United States/-): 3 in the last 3600 secs - Wed Jul 3 18:53:36 2019

Thanks to both you and Michael for helping me out. Reading a lengthy thread with lots of code snippets can be difficult for me with my reading disability. The time you guys take to help me helps me a whole lot and I appreciate it very much.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello @PCZero,

I'm glad to see everything worked out well. Thanks for sharing the outcome.

I've marked this thread as Solved.