WordPress wp-login.php brute force attacks.
WordPress brute force attacks have started cripling servers all over the internet. Our cloudlinux servers have managed to stay up which higher then normal cpu and ram usage. Other servers without cloudlinux haven’t faired so well. We started investigating these attacks on April 9th 2013, captured packets immediately to get the payload of these brute force attacks. We started implementing modsecurity2 rules to slowed the brute force attacks until they changed on April 12th 2013. This change was not 1 ip would try more then 1 time before it switched to another ip. Stopping this attack is near impossible with a unique payload string in the ip headers. This was finally found and implemented cluster wide. Below are the rules we have in place to limit the attack. We would recommend if you are not getting hit to implement these in some form.
On csf and apf firewalls add to the /etc/csf/csfpre.sh or /etc/apf/preroute.rules
#Attack on wordpress:
/sbin/iptables -I INPUT -p tcp –dport 80 -m string –string “Log+In&testcookie=1” –algo kmp -j DROP
Add this to your modsecurity2 rules:
SecRule IP:COUNTER “@gt 1” “phase:2,pause:300,deny,status:406,setenv:RATELIMITED,skip:1,nolog,id:313373”
And if all else fails you can block all wp-login.php in the main apache config :
Deny from all
or chmod 000 all wp-login.php files:
For clients wanting to secure their wordpress login edit your .htaccess in your ftp folder and add the below with the ipaddress that need to connect to your wordpress login:
deny from all
allow from xxx.xxx.xxx.xxx
#note this command is for Hsphere clusters change the path to where your web files are located.
find /hsphere/local/home -type f -name ‘wp-login.php’ -print0 | xargs -0 chmod 000
If you have any further questions please dont hestitate to contact us.