WordPress brute force attacks have started crippling servers all over the internet. Our CloudLinux servers have managed to stay up, with higher than normal CPU and RAM usage. Other servers without CloudLinux haven't fared so well. We started investigating these attacks on April 9th 2013 and captured packets immediately to get the payload of the brute force requests. We implemented mod_security2 rules that slowed the brute force attacks until the attack changed on April 12th 2013: from then on no single IP would try more than once before the attacker switched to another IP. Stopping an attack like this is near impossible without a unique payload string in the packets to match on; one was finally found and a rule for it implemented cluster wide. Below are the rules we have in place to limit the attack. Even if you are not getting hit, we would recommend implementing these in some form.


On CSF and APF firewalls, add the following to /etc/csf/csfpre.sh or /etc/apf/preroute.rules:

#Attack on wordpress:

/sbin/iptables -I INPUT -p tcp --dport 80 -m string --string "Log+In&testcookie=1" --algo kmp -j DROP


Add this to your mod_security2 rules:

<LocationMatch "/wp-login.php">
SecAction "initcol:ip=%{REMOTE_ADDR},pass,nolog,id:313371"
SecAction "phase:5,deprecatevar:ip.counter=2/30,pass,nolog,id:313372"
SecRule IP:COUNTER "@gt 1" "phase:2,pause:300,deny,status:406,setenv:RATELIMITED,skip:1,nolog,id:313373"
SecAction "phase:2,pass,setvar:ip.counter=+1,nolog,id:313374"
</LocationMatch>
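As an added illustration (not part of the original post, not our production code), the Python below models the per-IP counter of the mod_security rules above (+1 per request, decay of 2 per 30 seconds, deny once the counter exceeds 1) and shows why it misses the rotating-IP variant described in the first paragraph, where an aggregate count of distinct IPs hitting wp-login.php per minute still catches it. All IPs, timestamps and the threshold of 20 distinct IPs per minute are constructed sample values.

```python
from collections import defaultdict

# From the mod_security rules above: ip.counter grows by 1 per request, decays by
# 2 every 30 s (deprecatevar), and a request is denied once the counter is > 1.
DECAY_PER_WINDOW, WINDOW_SECONDS, THRESHOLD = 2, 30, 1
ROTATING_THRESHOLD = 20  # constructed: distinct IPs POSTing to wp-login.php per minute


class PerIpLimiter:
    """Approximates ModSecurity's ip.counter with linear time-based decay."""

    def __init__(self):
        self.counter, self.last_seen = defaultdict(float), {}

    def hit(self, ip, ts):
        """True if this request is denied (counter is checked before the +1)."""
        if ip in self.last_seen:
            decay = DECAY_PER_WINDOW * (ts - self.last_seen[ip]) / WINDOW_SECONDS
            self.counter[ip] = max(0.0, self.counter[ip] - decay)
        self.last_seen[ip] = ts
        denied = self.counter[ip] > THRESHOLD
        self.counter[ip] += 1
        return denied


def analyze(requests):
    """requests: (timestamp, ip, method, path) tuples. Returns the per-IP denials
    and the start of each minute in which the one-try-per-IP pattern fired."""
    limiter, denied, ips_per_minute = PerIpLimiter(), [], defaultdict(set)
    for ts, ip, method, path in requests:
        if method != "POST" or not path.startswith("/wp-login.php"):
            continue
        if limiter.hit(ip, ts):
            denied.append((ts, ip))
        ips_per_minute[ts // 60].add(ip)
    alerts = [m * 60 for m, ips in sorted(ips_per_minute.items())
              if len(ips) >= ROTATING_THRESHOLD]
    return denied, alerts


def sample_requests():
    """Constructed traffic: one noisy IP, thirty rotating IPs, one real user."""
    single = [(t, "203.0.113.5", "POST", "/wp-login.php") for t in range(0, 10, 2)]
    rotating = [(120 + i, f"198.51.100.{i + 1}", "POST", "/wp-login.php")
                for i in range(30)]
    user = [(200, "192.0.2.10", "GET", "/wp-login.php"),
            (201, "192.0.2.10", "POST", "/wp-login.php"),
            (230, "192.0.2.10", "POST", "/wp-login.php")]
    return single + rotating + user
```

Running analyze(sample_requests()) denies the single noisy IP from its third request onward, while the thirty rotating IPs all pass the per-IP counter and only trip the per-minute distinct-IP alert; the legitimate user's two spaced-out attempts are never denied.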


And if all else fails, you can block all requests to wp-login.php in the main Apache config:

<Files wp-login.php>
order deny,allow
Deny from all
</Files>

Or chmod 000 all wp-login.php files:

# Note: this command is for H-Sphere clusters; change the path to where your web files are located.

find /hsphere/local/home -type f -name 'wp-login.php' -print0 | xargs -0 chmod 000

For clients wanting to secure their WordPress login: edit the .htaccess in your FTP folder and add the below, with the IP address(es) that need to connect to your WordPress login in place of xxx.xxx.xxx.xxx:

<Files wp-login.php>
deny from all
allow from xxx.xxx.xxx.xxx
</Files>


If you have any further questions, please don't hesitate to contact us.