Call: 02039165890 or WhatsApp

Blocking wp-login and xmlrpc Brute Force attacks with CSF / cPanel

From
Web Hosting and Domain Names

Our servers are subjected to brute force attacks daily. Since we do not host WordPress websites, we blocked any requests for the wp-login.php and xmlrpc.php. Here is a great way to block abusers with a CSF firewall...

First, create a custom log from which CSF can search for wp-login.php and xmlrpc.php requests.

Edit your /etc/csf/csf.conf like below (add this near the bottom of the file):

CUSTOM1_LOG = "/var/log/apache2/domlogs/*/*"

Then you must create custom functions for CSF so it will be able to block those attacks. Add this to your /usr/local/csf/bin/regex.custom.pm file. If it's not there, create one. Then add this (delete any rules you do not require):


# XMLRPC
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(S+).*] "w*(?:GET|POST) /xmlrpc.php.*" /)) {
return ("WP XMLPRC Attack",$1,"XMLRPC","1","80,443","1");
}

# WP-LOGINS
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(S+).*] "w*(?:GET|POST) /wp-login.php.*" /)) {
return ("WP Login Attack",$1,"WPLOGIN","1","80,443","1");
}

# WP-ADMINS
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(S+).*] "w*(?:GET|POST) /wp-admins.php.*" /)) {
return ("WP ADMIN Attack",$1,"WPADMIN","1","80,443","1");
}

# WP-PLUGIN
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(S+).*] "w*(?:GET|POST) /wp-cl-plugin.php.*" /)) {
return ("WP wp-cl-plugin Attack",$1,"WPPLUGIN","1","80,443","1");
}

# wlwmanifest.xml
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(S+).*] "w*(?:GET|POST) /wlwmanifest.xml.*" /)) {
return ("WP wlwmanifest.xml Attack",$1,"MANIFEST","1","80,443","1");
}

# shell.php
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(S+).*] "w*(?:GET|POST) /shell.php.*" /)) {
return ("SHELL shell.php Attack",$1,"SHELL","1","80,443","1");
}

# xing.php
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(S+).*] "w*(?:GET|POST) /xing.php.*" /)) {
return ("XING xing.php Attack",$1,"XING","1","80,443","1");
}

Restart CSF and check if LFD is doing his new job. On success, you should see something like this:


May 10 11:33:16 cp lfd[589350]: (WPLOGIN) WP Login Attack 4.4.4.4 (VN/Vietnam/s1.hekkviet.net): 1 in the last 600 secs - *Blocked in csf* [LF_CUSTOMTRIGGER]
May 10 11:33:36 cp lfd[589587]: (WPLOGIN) WP Login Attack 5.5.5.5 (IN/India/5.5.5.5.linuxhosting.com): 1 in the last 600 secs - *Blocked in csf* [LF_CUSTOMTRIGGER]

Any IPs in the CFS 'allow' list will show the following:


May 10 11:45:36 cp lfd[591718]: WP Login Attack 1.1.1.1 - ignored
May 10 11:45:41 cp lfd[591718]: WP Login Attack 2.2.2.2 - ignored

I hope this helps any system admin, and thank you to Igor Mazej for the tutorial.

Blog Categories

Popular Blog entries

Open Graph: How to Drive More Social Media Traffic to Your Website Social media networks can be a significant traffic driver to a website, so it is always in your best interest to optimise your presence on them by adding Open Graph tags to your pages. So what is Ope...

New website launch: FC Drainage The new website launched this weekend! www.fcdrainagesolutions.com - FC Drainage Solutions offer a 24h Emergency call-out service to resolve your drainage or plumbing drama day or night... But th...

Email spam filtering at DigitalFlare Our mail servers rely on a ' spam filter check ' to identify and filter out spam email messages for our clients. We run various criteria tests to determine an overall score for spam. The email is mark...

Professional Google Analytics 4 Migration Services Simplify your transition to Google Analytics 4 (GA4) with DigitalFlare's comprehensive migration services. Our team will handle data transfer, tag configuration, and event setup, empowering your websi...

Local-Visits Areas Covered Include: Ascot, Bracknell, Maidenhead, Eton, Uxbridge, Windsor, Amersham, Beaconsfield, Slough and Chesham