filtering the error_log for wordpress login failures

Discussion in 'General Discussion' started by craigedmonds, Oct 17, 2013.

  1. craigedmonds

    craigedmonds Well-Known Member

    I get A LOT of notifications like this in my /usr/local/apache/logs/error_log.

    [Thu Oct 17 09:04:37 2013] [error] [client] ModSecurity:  [file "/usr/local/apache/modsecurity.d/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg " WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [tag "no_ar"] Warning. Pattern match "200" at RESPONSE_STATUS. [hostname ""] [uri "/wp-login.php"] [unique_id "Ul@aFW1Lp9kAABxrMboAAAAT"]
    Is there a way for me to parse my apache log file which detects a wordpress login failure and produces a list of domain names that have been attacked? It would be brilliant if I could get the username of the site that has been attacked because these attacks could also be on add on domains etc.

    Perhaps some kind of ssh command or bash script I can run in SSH?

    The idea would be to apply some brute force prevention on accounts that are being attacked.
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello :)

    You can find a list of access attempts blocked by Mod_Security at:

    "WHM Home » Plugins » Mod_Security"

    You can also find entries in:


    Or, if you only are seeking to obtain a list of the "hostname" entry in your Apache error log, you could develop a bash script that parses the domain name from those lines. The username of the account could then be obtained by comparing it to the /etc/userdomains file, or utilizing the /scripts/whoowns command.

    Thank you.
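
One way to build the parser this reply describes, as an added example that is not part of the original thread or cPanel's own tooling. It assumes /etc/userdomains holds `domain: user` lines; the function names, the trimmed log lines and the sample domains are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): tally ModSecurity rule 377360
# (WordPress login failure) hits per hostname and look up the owning user.

# Usage: count_wp_login_failures ERROR_LOG USERDOMAINS
# Output: "hits hostname user", busiest first. A leading "www." is dropped
# before the lookup (a choice made here, so bare domains in the map match).
count_wp_login_failures() {
    awk -v rule='[id "377360"]' '
        # Map file (assumed format): lines of the form "domain: user".
        FILENAME == ARGV[1] { sub(/:$/, "", $1); owner[tolower($1)] = $2; next }
        index($0, rule) == 0 { next }      # skip other rules and other errors
        match($0, /\[hostname "[^"]*"\]/) {
            # Cut the value out of [hostname "..."]: 11 chars before, 2 after.
            host = tolower(substr($0, RSTART + 11, RLENGTH - 13))
            sub(/^www\./, "", host)
            if (host != "") hits[host]++
        }
        END {
            for (h in hits)
                printf "%d %s %s\n", hits[h], h, ((h in owner) ? owner[h] : "unknown")
        }
    ' "$2" "$1" | sort -k1,1nr -k2,2
}

# Constructed sample data: documentation IPs and domains, log lines trimmed
# to the fields the parser reads.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'example.com: alice' 'addon.example.net: alice' \
        'example.org: bob' > "$dir/userdomains"
    cat > "$dir/error_log" <<'EOF'
[Thu Oct 17 09:04:37 2013] [error] [client 192.0.2.10] ModSecurity: [id "377360"] [hostname "www.example.com"] [uri "/wp-login.php"]
[Thu Oct 17 09:04:38 2013] [error] [client 192.0.2.10] ModSecurity: [id "377360"] [hostname "example.com"] [uri "/wp-login.php"]
[Thu Oct 17 09:04:39 2013] [error] [client 192.0.2.11] ModSecurity: [id "377360"] [hostname "addon.example.net"] [uri "/wp-login.php"]
[Thu Oct 17 09:04:40 2013] [error] [client 192.0.2.12] ModSecurity: [id "377360"] [hostname "unmapped.example"] [uri "/wp-login.php"]
[Thu Oct 17 09:04:41 2013] [error] [client 192.0.2.13] ModSecurity: [id "999999"] [hostname "example.org"] [uri "/index.php"]
[Thu Oct 17 09:04:42 2013] [error] [client 192.0.2.10] ModSecurity: [id "377360"] [hostname "EXAMPLE.com"] [uri "/wp-login.php"]
EOF
    count_wp_login_failures "$dir/error_log" "$dir/userdomains"
    rm -rf "$dir"
}
demo
```

On a live server the call would be `count_wp_login_failures /usr/local/apache/logs/error_log /etc/userdomains`; hostnames reported as `unknown` can be checked individually with /scripts/whoowns.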