Our servers are subjected to brute force attacks daily. Since we do not host Wordpress websites we decided to simply block any requests for the wp-login.php and also xmlrpc.php. Here is a great way to block abusers with CSF firewall...

First, create a custom log from which CSF will be able to search for wp-login.php and xmlrpc.php requests.

Edit your /etc/csf/csf.conf like below (add this near the bottom of the file):

CUSTOM1_LOG = "/var/log/apache2/domlogs/*/*"

Then you must create custom functions for CSF so it will be able to block those attacks. Add this to your /usr/local/csf/bin/regex.custom.pm file. If it’s not there, create one. Then add this (delete any rules you do not require):

if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(S+).*] "w*(?:GET|POST) /xmlrpc.php.*" /)) {
return ("WP XMLPRC Attack",$1,"XMLRPC","1","80,443","1");

if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(S+).*] "w*(?:GET|POST) /wp-login.php.*" /)) {
return ("WP Login Attack",$1,"WPLOGIN","1","80,443","1");

if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(S+).*] "w*(?:GET|POST) /wp-admins.php.*" /)) {
return ("WP ADMIN Attack",$1,"WPADMIN","1","80,443","1");

if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(S+).*] "w*(?:GET|POST) /wp-cl-plugin.php.*" /)) {
return ("WP wp-cl-plugin Attack",$1,"WPPLUGIN","1","80,443","1");

# wlwmanifest.xml
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(S+).*] "w*(?:GET|POST) /wlwmanifest.xml.*" /)) {
return ("WP wlwmanifest.xml Attack",$1,"MANIFEST","1","80,443","1");

# shell.php
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(S+).*] "w*(?:GET|POST) /shell.php.*" /)) {
return ("SHELL shell.php Attack",$1,"SHELL","1","80,443","1");

# xing.php
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(S+).*] "w*(?:GET|POST) /xing.php.*" /)) {
return ("XING xing.php Attack",$1,"XING","1","80,443","1");

Restart CSF and check if LFD is doing his new job. On success you should see something like this:

May 10 11:33:16 cp lfd[589350]: (WPLOGIN) WP Login Attack (VN/Vietnam/s1.hekkviet.net): 1 in the last 600 secs - *Blocked in csf* [LF_CUSTOMTRIGGER]
May 10 11:33:36 cp lfd[589587]: (WPLOGIN) WP Login Attack (IN/India/ 1 in the last 600 secs - *Blocked in csf* [LF_CUSTOMTRIGGER]

Any IP's in the CFS 'allow' list will show the following:

May 10 11:45:36 cp lfd[591718]: WP Login Attack - ignored
May 10 11:45:41 cp lfd[591718]: WP Login Attack - ignored

I hope this helps any system admin and thank you to Igor Mazej for the tutorial.