Prevent wordpress Brute Force Attacks

romanepo

Active Member
Sep 24, 2013
25
0
1
cPanel Access Level
Root Administrator
How to i secure wordpress brute force attack. /usr/bin/php /home/.............../public_html/index.php

I installed modsecurity but use default rules ,it not working properly.
How can i secure this type of attack.
 

cPanelPeter

Technical Analyst III
Staff member
Sep 23, 2013
575
21
143
cPanel Access Level
Root Administrator
Twitter

rackaid

Well-Known Member
Jan 18, 2003
89
27
168
Jacksonville, FL
cPanel Access Level
DataCenter Provider
If you mean brute force attacks against usernames, one of the easiest methods is to use HTTP Auth on the login and /admin areas.

This is good if you have just a few authors/users. We've seen many problems prevented by blocking this type of attack. Also, limiting direct access to include areas helps as well.



Brute Force Attacks « WordPress Codex
 

romanepo

Active Member
Sep 24, 2013
25
0
1
cPanel Access Level
Root Administrator
Attacker attack all wordpress site.I want central solution, .htaccess script can single wordpress site solution.Are you know any modsecurity rules or anything prevent all wortpress site for Brute Force Attacks.
 

ChrisFirth

Active Member
PartnerNOC
Apr 10, 2008
35
0
56
cPanel Access Level
DataCenter Provider
I use this rule with mod sec:

Code:
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:4900000
<Locationmatch "/wp-login.php">
        SecRule user:bf_block "@gt 0" "deny,status:401,log,severity:'2',id:4900001,msg:'Wordpress Brute Force: IP blocked for 5 minutes, more than 15 login attempts in 3 minutes'"
        SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
        SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
        SecRule ip:bf_counter "@gt 15" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</Locationmatch>
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
That rule is very effective.

It can actually be condensed to one collection (initcol) instead of two, slightly more efficient resource wise:

Code:
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:5000134
<Locationmatch "/wp-login.php">
SecRule ip:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
SecRule ip:bf_counter "@gt 10" "t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block=300,setvar:ip.bf_counter=0"
</locationmatch>
 

HSN-Saman

Member
Jan 11, 2013
16
0
1
cPanel Access Level
DataCenter Provider
Install mod_security as a WAF and get COMODO rules on it , and also password protect the wp-admin .
Try keeping the Wordpress update for the last security vulnerabilities .
 

rhenderson

Well-Known Member
Apr 21, 2005
785
2
168
Oklahoma
cPanel Access Level
Root Administrator
We have installed a plugin called Login Security Solutions as well to help and even with the Mod Security rule above, but in the end your best defense is in the wp-admin folder .htaccess file, now if we could just get all the website owners on board.
Code:
#AuthName "Admins Only"

# ALLOW USER BY IP
<Limit GET POST>
 order deny,allow
 deny from all
 allow from 1.2.3.4
 allow from 5.6.7.8
</Limit>

# PREVENT VIEWING OF .HTACCESS
<Files .htaccess>
 order allow,deny
 deny from all
</Files>
Of course change the above IP's to your own :) You can use 1.2.3.4/19 or whatever is appropriate for your IP blocks, with so many people with IP's even if we allow the entire ISP block for a provider it is better than letting the whole world have access to wp-admin.