

What is the best way to fight with wp-login.php and xmlrpc.php attack?

Hello,

What is the best way to fight wp-login.php and xmlrpc.php attacks on a server: CSF custom rules, mod_security, or both? Do mod_security rules make the server slow or sites load slowly?
Share your experience.

Thanks,


Comments

  • imokimok Member

    Asking the same thing.

  • @imok said:
    Asking the same thing.

    I don't see how that would protect you.

  • What's the exact attack vector? If they hammer the URL, rate limit it on the web server.
    If it's bad login attempts, ban the IPs after a while.

  • h2oh2o Member

    mv wp-login.php wp-login1.php

  • jsgjsg Member, Resident Benchmarker

    I happen to (very unfortunately) run a wordpress site too. As I don't like or trust plugins I made my own solution. Wrt. xmlrpc I simply have the url handler/filter of my web server match /xmlrpc.php and return a 403. For me that works fine but some rather plugin heavy wp installations do need xmlrpc and can't use my simple solution.

  • Have you moved your login url?

  • imokimok Member
    edited August 2018

    @Shot2 said:

    @imok said:
    Asking the same thing.

    I don't see how that would protect you.

    At least I will have a clean login log. Also less resource usage, maybe?

  • jsgjsg Member, Resident Benchmarker

    @imok said:
    At least I will have a clean login log. Also less resource usage, maybe?

    Yes, the earlier you catch an illegitimate request the less costly it is in terms of resources. That's one major reason why you always want to have the web server catch crap because any php stuff (like wordpress) catching it is FAR more expensive.

  • rm -rf /wp

  • redirect all to homepage except your static ip address to enter.

  • YuraYura Member

    @d2itsme said:
    redirect all to homepage except your static ip address to enter.

    Advantage over serving 403/404?

  • imokimok Member

    d2itsme said: redirect all to homepage except your static ip address to enter.

    Because everyone uses a static ip address.

  • Standard mod_sec, csf, plus Wordfence and be done with it.

  • Fail2ban

  • deankdeank Member, Troll

    Success2ban

  • FoxelVoxFoxelVox Member
    edited August 2018

    I have a solution for you: don't use sh*tpress

    I mean, you could also get sucuri.net and setup access rules or a double password

  • @imok said:

    d2itsme said: redirect all to homepage except your static ip address to enter.

    Because everyone uses a static ip address.

    My ISP assigned me a /16 static IPv4 net for this use case. Just ask them; if you say it's for WordPress they'll understand.

  • jsgjsg Member, Resident Benchmarker

    @d2itsme said:
    redirect all to homepage except your static ip address to enter.

    Sorry but not everyone has experience with 10.x.x.x based hosting.

    Your garment looks nice though. Well chosen, madame. If ever I need dressing advice I'll be sure to contact you.

  • htpasswd

    You are welcome

  • Suricata / Snort

  • Have them all attack bots index positive exploitation.

    $ cat wp-login.php
    <?php
    http_response_code(200);
    ?>
    

    or

    $ cat wp-login.php
    <?php
    echo("The kitty goes moo.");
    ?>
    

    This is gonna be fun.

  • deankdeank Member, Troll

    Replace the kitty part with "the end is nigh" and you are good to go.

  • mkshmksh Member
    edited August 2018

    The best option is probably:

    location /wp-login.php {
         return 444;
    }
    

    but if you feel the need to be funny you could also just return a random response code:

    • 100 Continue
    • 204 No Content
    • 208 Already Reported
    • 402 Payment Required
    • 406 Not Acceptable
    • 410 Gone
    • 412 Precondition Failed
    • 418 I'm a teapot
    • 421 Misdirected Request
    • 451 Unavailable For Legal Reasons
    • ...

    or hope the scanner is stupid and follows redirects:

    location /wp-login.php {
         return 301 http://ovh.net/files/10Gb.dat;
    }
    
  • jsgjsg Member, Resident Benchmarker

    @mksh said:
    ...

    > location /wp-login.php {
    >      return 301 http://ovh.net/files/10Gb.dat;
    > }
    > 

    Favourite!

  • Changing the wp-login.php name could be a good trick. But what if they know your new wp-login file name? You can apply a custom PIN code script using PHP that blocks bots and doesn't even allow them to bypass the login script.

  • FranciscoFrancisco Top Host, Host Rep, Veteran

    Janevski said: Have them all attack bots index positive exploitation.

    That still hits the CPU, although not by much.

    We use a middleman page for our wp-login.php calls and straight out block calls to xmlrpc.php. We just whitelisted the IP ranges we found for Jet and a few other remote services, but past that we get maybe a single request every couple months for someone needing it opened.

    Francisco

  • @mksh said:

    > location /wp-login.php {
    >      return 301 http://ovh.net/files/10Gb.dat;
    > }
    > 

    Don't forget to whitelist your own IP :p

  • ehhthingehhthing Member
    edited August 2018
    > location /wp-login.php {
    >      return 301 http://ovh.net/files/10Gb.dat;
    > }
    > 

    Just host the files yourself! You wouldn't need a redirect then.

    One way would be making a dummy login page where you could enter any password and it will return a 200. Once the bot knows that a password is correct, it will likely alert the hacker. Once the hacker tries to login with this password, redirect them to

  • mkshmksh Member
    edited August 2018

    @ehhthing said:

    > > location /wp-login.php {
    > >      return 301 http://ovh.net/files/10Gb.dat;
    > > }
    > > 

    Just host the files yourself! You wouldn't need a redirect then.

    Of course you could do that but the main point here is to waste as little resources as possible. Sending a reply is already pushing it. Seriously, the best approach is 444 (aka just close the connection).
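    Putting the thread's suggestions together (closing the connection with 444 on the login URL, blocking xmlrpc.php at the web server rather than in PHP, whitelisting your own IP, and rate limiting), as an added nginx example that is not from any poster in the thread; the addresses, hostname, root and PHP-FPM socket path are placeholders, and the `geo` and `limit_req_zone` directives belong in the http {} context.

```nginx
# Added example, not from the thread. Uses the stock geo, rewrite and
# limit_req modules. Addresses, hostname, root and socket are placeholders.

# Addresses allowed to reach the WordPress login at all (admin's static IPs).
geo $wp_login_allowed {
    default       0;
    203.0.113.10  1;     # placeholder: admin's home/office IP
    192.0.2.0/24  1;     # placeholder: VPN range
}

# Throttle bucket for the login endpoint, keyed by client IP: 5 requests/minute.
limit_req_zone $binary_remote_addr zone=wp_login:10m rate=5r/m;

server {
    listen 80;
    server_name example.com;                 # placeholder
    root /var/www/example.com;               # placeholder
    index index.php;

    # xmlrpc.php: not needed by this site, so close the connection without
    # sending any response (nginx-specific code 444). PHP is never invoked.
    location = /xmlrpc.php {
        return 444;
    }

    # wp-login.php: everyone except the listed addresses gets the connection
    # closed; listed addresses are still rate limited before PHP runs.
    location = /wp-login.php {
        if ($wp_login_allowed = 0) {
            return 444;
        }
        limit_req zone=wp_login burst=3 nodelay;   # queue 3, reject the rest
        limit_req_status 429;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket
    }

    # Remaining PHP (front end, admin-ajax.php, etc.) is served normally.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

    Because the exact-match `location =` blocks take priority over the `~ \.php$` regex, the two endpoints never fall through to the general PHP handler; if a remote service like Jetpack needs xmlrpc.php, give it the same `geo` treatment instead of opening it to everyone.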

  • @h2o said:
    mv wp-login.php wp-login1.php

    I didn't do exactly that, but something similar. I also renamed /wp-content/ to something else. Bots move on if they can't see WP.

    Another thing I do (or did before): I block for 24h all IPs that try to log in with admin, admin1, root, adminuser etc.
