What blacklist are you using to reduce wp-login.php brute force and other exploiter bots?
About two weeks ago there was a botnet brute-forcing my wp-login.php and xmlrpc.php pages across multiple domains on one Apache web server.
It was many IP subnets and countries. I began manually reporting the IPs to the nice blacklist abuseipdb.com and also to the myip.ms blacklist, but it was too many IPs, so I stopped.
Usually I block IPs using mod_security (there is a rule for wp-login.php brute force) and ConfigServer Firewall. I recommend this combo. But I am wondering if there is some good IP blacklist which I can populate automatically based on the Apache access log or lfd.log? I mean something that I can both automatically contribute to and also use the IPs from in my firewall ipset. I am looking for a free blacklist, and it should be really accurate so I do not block valid visitors.
Also check this nice page: https://iplists.firehol.org
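The question asks for something that turns the Apache access log into an ipset-ready block list and a report that can be contributed upstream. The script below is an added example, not code from the original post or from any of the tools mentioned in it. It parses Apache "combined" format lines, counts POSTs to wp-login.php and xmlrpc.php per source address in a sliding window, skips an allowlist so your own ranges are never banned, and emits `ipset` commands plus rows in AbuseIPDB's bulk-report CSV layout. The log lines are constructed; the threshold, window, set name, allowlist (TEST-NET ranges) and the CSV column layout are assumptions to check and tune before use.

```python
"""Build an ipset block list and an abuse report from an Apache access log.

Added example; the sample log is constructed and every threshold is an
assumption to tune per site. Run offline: python3 wp_bruteforce.py
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TARGETS = ("/wp-login.php", "/xmlrpc.php")
WINDOW = timedelta(minutes=10)   # assumption: sliding window per source IP
THRESHOLD = 10                   # assumption: POSTs within WINDOW before we ban
# Never block your own ranges, even if a colleague fat-fingers a password.
ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]   # placeholder (TEST-NET-3)


def parse_ts(stamp):
    """Apache %t, e.g. 10/Mar/2024:12:01:00 +0000 -> aware datetime."""
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")


def is_allowlisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWLIST)


def offenders(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: total_posts} for every IP that POSTed to a login endpoint
    at least `threshold` times inside any `window`-long span."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # malformed line: skip, do not crash
        path = m["path"].split("?", 1)[0]  # drop ?redirect_to=... etc.
        if m["method"] != "POST" or path not in TARGETS:
            continue                      # GETs are humans loading the form
        if is_allowlisted(m["ip"]):
            continue
        hits[m["ip"]].append(parse_ts(m["ts"]))

    result = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):      # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                result[ip] = len(times)
                break
    return result


def ipset_commands(bad, setname="wp_bruteforce", timeout=86400):
    """Shell lines that create the set (idempotent) and add each offender
    with a timeout, so entries expire instead of living forever."""
    cmds = [f"ipset create {setname} hash:ip timeout {timeout} -exist"]
    cmds += [f"ipset add {setname} {ip} -exist"
             for ip in sorted(bad, key=ipaddress.ip_address)]
    return cmds


def abuseipdb_rows(bad, report_date):
    """Rows in AbuseIPDB's bulk-report CSV layout as I recall it
    (IP,Categories,ReportDate,Comment; 18 = Brute-Force, 21 = Web App Attack).
    Assumption: verify the header and category numbers against the current
    AbuseIPDB documentation before uploading."""
    return ["IP,Categories,ReportDate,Comment"] + [
        f'{ip},"18,21",{report_date},'
        f'"WordPress login brute force: {n} POSTs to wp-login.php/xmlrpc.php"'
        for ip, n in sorted(bad.items(), key=lambda kv: ipaddress.ip_address(kv[0]))
    ]


def _mk(ip, method, path, minute, second):
    """Constructed combined-format log line for the sample below."""
    return (f'{ip} - - [10/Mar/2024:12:{minute:02d}:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" 200 1234 "-" "Mozilla/5.0"')


# Constructed sample: one bot, one human with typos, one allowlisted tester,
# one page load, one garbage line.
SAMPLE_LOG = (
    [_mk("198.51.100.7", "POST", "/wp-login.php", 1, s) for s in range(0, 60, 5)]   # 12 in 1 min
    + [_mk("198.51.100.7", "POST", "/xmlrpc.php", 2, 5)]
    + [_mk("192.0.2.20", "POST", "/wp-login.php", 3, s) for s in (0, 20, 40)]       # 3: a human
    + [_mk("203.0.113.5", "POST", "/wp-login.php", 4, s) for s in range(0, 60, 4)]  # 15, allowlisted
    + [_mk("192.0.2.9", "GET", "/wp-login.php?redirect_to=%2Fwp-admin%2F", 5, 0)]
    + ["this line is not in combined format"]
)

if __name__ == "__main__":
    bad = offenders(SAMPLE_LOG)
    print("\n".join(ipset_commands(bad)))
    print("\n".join(abuseipdb_rows(bad, "2024-03-10T12:10:00+00:00")))
```

Feed it a real log with `offenders(open("/var/log/apache2/access.log"))` and pipe the `ipset` lines into a shell, or add the set to CSF's own ipset chain rather than a hand-made one. The timeout on the set is the answer to the "how long does an IP stay blacklisted" question later in the thread: a botnet node that was a home PC yesterday may be a legitimate visitor tomorrow, so let entries age out and let the log re-add anything that is still hammering.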
Comments
Disable xmlrpc and, if you are the only WordPress user, only allow your IP to access wp-login.php
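What that comment (and the later "whitelist your IP on the web server" and "deny access to that dir" replies) looks like in Apache 2.4 configuration, as an added example that is not the commenter's own config. The addresses are placeholders (TEST-NET-3) for your own IP or office range; the htpasswd path is an assumption.

```apache
# Added example. Apache 2.4 syntax; goes in the vhost, or in a .htaccess
# if the vhost's AllowOverride permits it.

# xmlrpc.php: nothing legitimate needs it unless you use Jetpack or the
# mobile app, and system.multicall lets one request try hundreds of passwords.
<Files "xmlrpc.php">
    Require all denied
</Files>

# wp-login.php: your own address(es) only. Everyone else gets a 403 before
# PHP or WordPress start, so the bot costs no PHP workers at all.
<Files "wp-login.php">
    Require ip 203.0.113.10 203.0.113.0/24
</Files>

# On a dynamic IP, gate with HTTP basic auth instead of (or as well as)
# the address check. A second password in front of the login page is
# exactly what the botnet does not have.
# <Files "wp-login.php">
#     AuthType Basic
#     AuthName "Staff only"
#     AuthUserFile /etc/apache2/wp-login.htpasswd
#     Require valid-user
# </Files>
```

Do not extend the same `Require ip` to the whole wp-admin directory without thinking: wp-admin/admin-ajax.php is called by many front-end plugins for anonymous visitors, so blanket-denying the directory breaks parts of the public site.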
Another solution is to rate limit the login attempts with plugins such as Loginizer and/or add reCAPTCHA to the login page
If the attacker has access to so many IPs, there is no point in reporting all of them in my opinion
Maybe use something like https://codecanyon.net/item/hide-my-wp-amazing-security-plugin-for-wordpress/4177158 ?
ModSecurity?
Wordfence
Whitelist your IP on the web server to access wp-login or wp-admin
I use the protection offered by LiteSpeed Web Server
Fail2ban can do the job. You can customize your rules so that they fit your needs.
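A fail2ban filter and jail for the access-log pattern in question, as an added example (not the commenter's configuration). The file paths are the Debian/Ubuntu defaults; findtime, maxretry, bantime and the ignoreip range are assumptions to tune.

```ini
# Added example, two files.

# /etc/fail2ban/filter.d/wp-login.conf
[Definition]
# Count every POST to wp-login.php or xmlrpc.php. WordPress answers a failed
# login with 200 and a successful one with a 302 redirect, so do not try
# to tell them apart by status code here; let maxretry do the work.
failregex = ^<HOST> .*"POST /(wp-login|xmlrpc)\.php[^"]*" \d{3}
ignoreregex =

# /etc/fail2ban/jail.d/wp-login.conf
[wp-login]
enabled  = true
port     = http,https
filter   = wp-login
logpath  = /var/log/apache2/*access.log
findtime = 10m
maxretry = 10
bantime  = 1d
# Your own ranges, so a colleague's typos never lock the office out.
ignoreip = 127.0.0.1/8 203.0.113.0/24
```

Before enabling the jail, run `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/wp-login.conf` and check that the match count looks like the bots and not like your visitors; a filter that is too broad is how you end up banning valid users, which is the concern raised in the original question.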
Turn WordPress into a static site.
I'm using Bitninja.io for that purpose.
We simply do a challenge page for our shared users.
Francisco
Would you like to share (in general) how to do that?
WordFence can protect you very well against brute force attacks.
ModSecurity + fail2ban
May I ask how many suspicious IP addresses your Apache catches per day?
There is no guarantee about this as valid visitors' computers could be part of botnets, too. And you have to decide how long a suspicious IP is staying in the blacklist.
Not using WordPress.
You just triggered a whole bunch of php coders. Well done!
Amazing that the admin path is still hard-coded into WordPress; would have thought it would have been configurable by now.
Agree, you should be able to change the default admin path in WP, but the default admin path is easy to honeypot and ban, either temporarily or permanently.
Probably modsecurity rules.
WordFence is a great plugin.
Agree. It's been years since WordPress launched and yet it's still using wp-admin.
modsec is fine, but why WordFence? Why handle something in PHP that should be handled at server level? It seems silly to waste PHP resources when you can easily fix it one or even two levels above.
Might want to keep an eye on this: 5 unpatched vulnerabilities in the ModSecurity OWASP CRS which can lead to DDoS attacks against web servers. https://coreruleset.org/20190425/regular-expression-dos-weaknesses-in-crs/
Cloudflare?
Domain/wp-login I'm under attack
Thx, good idea. Do you know any free IP blacklists that work with fail2ban and are very accurate, so I can block their IPs in the firewall?
Yes, as two users said, I would like to know how to do it if I am not a developer. Any tutorial?
Maybe a hundred or a couple of hundred blocked IPs per day? Server overloading is so far not a problem; my aim is to fight against these exploiters by contributing to some good free blacklist.
https://gist.github.com/Ne00n/80bdcb1fabff690404a1f1645041b615
Someone needs to fork it and add more lists.
Couldn't you just configure rewrite rules or deny access to that directory and reverse proxy it to something else? All of the major web servers have some ability to do this.