Having a problem with wordpress brute force? Look here. - Webmaster Forums (Website Design and Development > Tutorials and Guides)

Posted 12-02-2014, 09:49 AM by hostavps (Regular User, joined Feb 2011, 35 posts)

I don't know why hackers just started doing this, but I have seen tons of WordPress and even Joomla brute force attempts lately. The problem with brute force on PHP/MySQL sites is that it can exhaust your resources fairly quickly. Even being under attack by as little as 1-2 IPs is enough to bring most servers' load way high and slow things down.

The solution I have been using on LAMP servers is mod_security with the Comodo WAF ruleset, adding this extra rule as well as a default config for expires and deflate in case users do not set this up themselves.


Code:
<IfModule mod_security2.c>
        # Persistent collections (initcol) need SecDataDir to be set in the global config.
        # This has to be global, cannot exist within a directory or location clause . . .
        SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:10010
        <Location /wp-login.php>
                # Setup brute force detection.

                # React if block flag has been set.
                SecRule user:bf_block "@gt 0" "deny,status:401,log,msg:'ip address blocked for 5 minutes, more than 15 login attempts in 3 minutes.',id:10011"

                # Setup Tracking.  On a successful login, a 302 redirect is performed, a 200 indicates login failed.
                # Note: any 200 from wp-login.php is counted, including a GET that only renders the form.
                SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:10012"
                SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:10013"
                # Chained rule: no id here, the metadata belongs to the chain starter above.
                SecRule ip:bf_counter "@gt 15" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
        </Location>
</IfModule>
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript

DeflateCompressionLevel 9

# Browser specific settings
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
BrowserMatch \bOpera !no-gzip

# Setup custom deflate log
DeflateFilterNote Input instream
DeflateFilterNote Output outstream
DeflateFilterNote Ratio ratio

LogFormat '"%r" %{outstream}n/%{instream}n (%{ratio}n%%)' deflate
# Example of log file (the nickname must match the LogFormat above exactly)
CustomLog logs/deflate_log deflate
</IfModule>

Then set your CSF to block on 5-10 mod_security failures. Do make sure you are not getting false positives on the other rules first. You must have each of these modules enabled for this to work. The deflate and expires parts are not that important, as they are handled on the user level, but they can help with slowness on sites under stress.

Then on the wordpress level, install https://wordpress.org/plugins/bruteprotect/

I cannot attest to the plugin working; as with other PHP-based firewalls and security scripts, it still has to execute PHP in order to work, so even if the attacker is getting the blocked page it produces, it is still hitting PHP in most cases.
__________________
HostaVPS.com - Green Managed Hosting Solutions
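An added example, not from the original post or from HostaVPS: a small Python replay of the posted counter logic over constructed Apache combined-format access-log lines, so the 15-attempt / 180-second decay / 300-second block thresholds can be sanity-checked offline before the rules go live. As in the post, it treats a 200 from wp-login.php as a failed login and a 302 as a successful one. One deliberate deviation, labelled in the code: it only counts POSTs, because the rules as written also count every GET that merely loads the login form. The IP addresses (RFC 5737 documentation ranges) and the log lines are constructed sample data.

```python
"""Offline replay of the mod_security brute-force counter from the post above.

Added example, not the original post's or any provider's code.  Semantics mirrored:
  * a POST to /wp-login.php answered 200 (failed login) adds 1 to a per-IP counter
    that decays by 1 every 180 s           (deprecatevar:ip.bf_counter=1/180)
  * a 302 (successful login) resets it      (setvar:ip.bf_counter=0)
  * a counter above 15 flags the IP for 300 s and later requests are denied
                                            (expirevar:user.bf_block=300)
Assumption: only POSTs count here; the posted rules would also count GETs.
"""
import re
from datetime import datetime

BLOCK_THRESHOLD = 15   # @gt 15
DECAY_SECONDS = 180    # deprecatevar:ip.bf_counter=1/180
BLOCK_SECONDS = 300    # expirevar:user.bf_block=300

# Apache combined log format; only the fields the rules look at are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (ip, epoch_seconds, method, path, status) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])


class BruteForceTracker:
    def __init__(self, threshold=BLOCK_THRESHOLD, decay=DECAY_SECONDS, block=BLOCK_SECONDS):
        self.threshold, self.decay, self.block = threshold, decay, block
        self.counter = {}      # ip -> (count, epoch of last update)   ~ ip.bf_counter
        self.block_until = {}  # ip -> epoch when the flag expires      ~ user.bf_block

    def current_count(self, ip, now):
        """Counter value after lazily applying the 1-per-decay-window decrement."""
        count, last = self.counter.get(ip, (0, now))
        return max(0, count - int((now - last) // self.decay))

    def handle(self, ip, now, method, path, status):
        """Classify one request the way the rules would and update state."""
        if path != "/wp-login.php" or method != "POST":
            return "ignored"           # assumption: GETs are not attempts
        if self.block_until.get(ip, 0) > now:
            return "blocked"           # rule 10011: deny,status:401
        if status == 302:
            self.counter[ip] = (0, now)
            return "reset"             # rule 10012
        if status == 200:
            count = self.current_count(ip, now) + 1    # rule 10013
            if count > self.threshold:                 # chained @gt 15
                self.block_until[ip] = now + self.block
                self.counter[ip] = (0, now)
                return "flagged"       # this 200 still went out; the next request is denied
            self.counter[ip] = (count, now)
            return "counted"
        return "ignored"


def replay(lines, tracker):
    """Feed log lines through the tracker; return {ip: [verdict, ...]} in log order."""
    verdicts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, now, method, path, status = parsed
        verdicts.setdefault(ip, []).append(tracker.handle(ip, now, method, path, status))
    return verdicts


def sample_line(ip, hhmmss, method, status, path="/wp-login.php"):
    """Constructed combined-format line (sample data, not a real server log)."""
    return (f'{ip} - - [12/Feb/2014:{hhmmss} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 2048 "-" "Mozilla/5.0"')


# Constructed scenario; per-IP state is independent so grouping by IP is fine.
SAMPLE_LOG = (
    [sample_line("203.0.113.7", f"10:00:{i:02d}", "POST", 200) for i in range(16)]  # 15 counted, 16th flagged
    + [sample_line("203.0.113.7", "10:00:20", "POST", 200)]   # inside the 300 s block -> denied
    + [sample_line("203.0.113.7", "10:05:30", "POST", 200)]   # flag expired at 10:05:15, counting restarts
    + [sample_line("198.51.100.9", "10:01:00", "GET", 200)]   # loading the form: ignored here
    + [sample_line("198.51.100.9", "10:01:05", "POST", 200)] * 3
    + [sample_line("198.51.100.9", "10:01:20", "POST", 302)]  # successful login resets the counter
    + [sample_line("192.0.2.50", f"10:10:{i:02d}", "POST", 200) for i in range(10)]
    + [sample_line("192.0.2.50", "10:20:10", "POST", 200)]    # 601 s later: 10 decays to 7, then +1 = 8
)

if __name__ == "__main__":
    tracker = BruteForceTracker()
    for ip, verdicts in replay(SAMPLE_LOG, tracker).items():
        print(ip, verdicts, "counter:", tracker.current_count(ip, float("inf")))
```

Running it shows the first IP being denied only on the request after the one that trips the threshold, which matches the rules: the flag is set in phase 5 of the 16th failed login, so that response has already gone out, and rule 10011 denies from the 17th request on. The third IP illustrates why the message text "in 3 minutes" is approximate: deprecatevar lowers the counter by one per 180 s, so ten failures spread over a longer window decay only partially.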