Prevent wordpress Brute Force Attacks

Discussion in 'Security' started by romanepo, Jan 30, 2014.

  1. romanepo

    romanepo Active Member

    How do I secure WordPress against brute force attacks? /usr/bin/php /home/.............../public_html/index.php

    I installed ModSecurity but use the default rules; it is not working properly.
    How can I secure against this type of attack?
     
  2. cPanelPeter

    cPanelPeter Technical Analyst III
    Staff Member

  3. rackaid

    rackaid Active Member

    If you mean brute force attacks against usernames, one of the easiest methods is to use HTTP Auth on the login and /admin areas.

    This is good if you have just a few authors/users. We've seen many problems prevented by blocking this type of attack. Also, limiting direct access to include areas helps as well.

    Brute Force Attacks « WordPress Codex
     
  4. romanepo

    romanepo Active Member

    The attacker attacks all WordPress sites. I want a central solution; an .htaccess script can only be a single-WordPress-site solution. Do you know any ModSecurity rules or anything else that prevents brute force attacks on all WordPress sites?
     
  5. ChrisFirth

    ChrisFirth Active Member
    PartnerNOC

    I use this rule with mod_sec:

    Code:
    # Phase 1: open the ip and user collections, both keyed on the client address
    SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:4900000
    <LocationMatch "/wp-login.php">
            # Deny (HTTP 401) while the block flag is set; runs in phase 2 by default
            SecRule user:bf_block "@gt 0" "deny,status:401,log,severity:'2',id:4900001,msg:'Wordpress Brute Force: IP blocked for 5 minutes, more than 15 login attempts in 3 minutes'"
            # A successful login answers with a 302 redirect: reset the failure counter
            SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
            # A failed login re-renders the form with 200: count it and let the count decay by 1 every 180 s
            # (any 200 from wp-login.php counts, so a plain GET of the form is counted too)
            SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
            # Chained: more than 15 counted hits sets the block flag for 300 s and restarts the counter
            SecRule ip:bf_counter "@gt 15" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
    </LocationMatch>
     
  6. quizknows

    quizknows Well-Known Member

    That rule is very effective.

    It can actually be condensed to one collection (initcol) instead of two, which is slightly more efficient resource-wise:

    Code:
    # Phase 1: a single ip collection keyed on the client address
    SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:5000134
    <LocationMatch "/wp-login.php">
    # Deny with 401 while ip.bf_block is set
    SecRule ip:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"
    # 302 = successful login: reset the counter
    SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
    # 200 = form shown again (failed login, or a plain GET): count it, decaying by 1 every 180 s
    SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
    # Chained: more than 10 hits blocks the IP for 300 s and restarts the counter
    SecRule ip:bf_counter "@gt 10" "t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block=300,setvar:ip.bf_counter=0"
    </LocationMatch>

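The two rule sets above share one counting scheme (count 200s on wp-login.php per IP, reset on 302, decay over time, block once a threshold is exceeded). The script below is an added example, not code from the thread or from ModSecurity: it replays that scheme over constructed Apache combined-log lines so the thresholds and timers can be checked against a real access log before the deny action is switched on. Defaults follow quizknows's values (10 hits, 180 s decay, 300 s block); the decay is a simplification of deprecatevar.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache combined-log lines (not from the thread). A failed WordPress
# login re-renders the form with HTTP 200; a successful one answers 302, which is
# exactly what the rules key on. One IP fails 12 times in under a minute, the
# other fails 3 times, logs in, then fails 3 more.
def _line(ip, sec, status):
    ts = datetime(2014, 1, 30, 10, 0, 0) + timedelta(seconds=sec)
    return f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S} +0000] "POST /wp-login.php HTTP/1.1" {status} 2871'

SAMPLE_LOG = "\n".join(
    [_line("203.0.113.5", 5 * i, 200) for i in range(12)]
    + [_line("198.51.100.7", 10 * i, 200) for i in range(3)]
    + [_line("198.51.100.7", 40, 302)]
    + [_line("198.51.100.7", 50 + 10 * i, 200) for i in range(3)]
)

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def replay_rule(log_text, threshold=10, decay_seconds=180, block_seconds=300):
    """Replay the thread's counting scheme per source IP: a 200 on /wp-login.php
    adds one, a 302 zeroes the counter, the counter loses one point per
    decay_seconds of inactivity (deprecatevar, simplified) and exceeding the
    threshold blocks the IP for block_seconds (expirevar). Returns the block
    events and how many requests would have been denied during a block."""
    state = {}                      # ip -> (counter, last_seen, blocked_until)
    blocks, denied = [], 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if path.split("?")[0] != "/wp-login.php" or method != "POST":
            continue                # note: the mod_security rule also counts GETs of the form
        now = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        counter, last_seen, blocked_until = state.get(ip, (0, now, None))
        counter = max(0, counter - int((now - last_seen).total_seconds() // decay_seconds))
        if blocked_until and now < blocked_until:
            denied += 1             # the phase-2 deny fires before WordPress sees the request
        elif status == "302":
            counter = 0
        elif status == "200":
            counter += 1
            if counter > threshold:
                blocks.append((ip, now.isoformat()))
                counter, blocked_until = 0, now + timedelta(seconds=block_seconds)
        state[ip] = (counter, now, blocked_until)
    return blocks, denied
```

Lowering decay_seconds in the call shows the rule's blind spot: an attacker pacing attempts slower than the decay interval never reaches the threshold.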
  7. Ryu27

    Ryu27 Registered

    I have used BruteProtect and it has worked very well for me. :)
     
  8. HSN-Saman

    HSN-Saman Member

    Install mod_security as a WAF and get the COMODO rules for it, and also password protect wp-admin.
    Try to keep WordPress updated against the latest security vulnerabilities.
     
  9. rhenderson

    rhenderson Well-Known Member

    We have installed a plugin called Login Security Solutions as well to help, even with the Mod Security rule above, but in the end your best defense is the .htaccess file in the wp-admin folder. Now if we could just get all the website owners on board.
    Code:
    #AuthName "Admins Only"

    # ALLOW USER BY IP
    # (Apache 2.2 access syntax; on Apache 2.4 it needs mod_access_compat, or use Require ip.)
    # The <Limit> wrapper applies the restriction to GET and POST only; drop the wrapper
    # to apply it to every request method.
    <Limit GET POST>
     order deny,allow
     deny from all
     allow from 1.2.3.4
     allow from 5.6.7.8
    </Limit>

    # PREVENT VIEWING OF .HTACCESS
    <Files .htaccess>
     order allow,deny
     deny from all
    </Files>

    Of course, change the above IPs to your own :) You can use 1.2.3.4/19 or whatever is appropriate for your IP blocks. With so many people on dynamic IPs, even if we allow a provider's entire ISP block it is better than letting the whole world have access to wp-admin.
     