What is the best way to fight with wp-login.php and xmlrpc.php attack?
bdwebservices
Member
in General
Hello,
What is the best way to fight wp-login.php and xmlrpc.php attacks on a server: CSF custom rules, mod_security, or both? Do mod_security rules make the server slow or make sites load slowly?
Share your experience.
Thanks,
Comments
Asking the same thing.
I don't see how that would protect you.
What's the exact attack vector? If they hammer the URL, rate limit it on the web server.
If it's bad login attempts, ban the IPs after a while.
mv wp-login.php wp-login1.php
I happen to (very unfortunately) run a wordpress site too. As I don't like or trust plugins I made my own solution. Wrt. xmlrpc I simply have the url handler/filter of my web server match /xmlrpc.php and return a 403. For me that works fine but some rather plugin heavy wp installations do need xmlrpc and can't use my simple solution.
Have you moved your login url?
At least I will have a clean login log. Also less resource usage, maybe?
Yes, the earlier you catch an illegitimate request the less costly it is in terms of resources. That's one major reason why you always want to have the web server catch crap because any php stuff (like wordpress) catching it is FAR more expensive.
rm -rf /wp
redirect all to homepage except your static ip address to enter.
Advantage over serving 403/404?
Because everyone uses a static ip address.
Standard mod_sec, csf, plus Wordfence and be done with it.
Fail2ban
Success2ban
I have a solution for you: don't use sh*tpress
I mean, you could also get sucuri.net and setup access rules or a double password
my ISP assigned me a /16 static ipv4 net for this use case, just ask them, if you say it's for wordpress they'll understand.
Sorry but not everyone has experience with 10.x.x.x based hosting.
Your garment looks nice though. Well chosen, madame. If ever I need dressing advice I'll be sure to contact you.
htpasswd
You are welcome
Suricata / Snort
Have them all attack bots index positive exploitation.
or
This is gonna be fun.
Replace and kitty part with the end is nigh and you are good to go.
The best option is probably:
but if you feel the need to be funny you could also just return a random response code:
or hope the scanner is stupid and follows redirects:
Favourite!
Changing the wp-login.php name could be a good trick. But what if they know your new wp-login file name? You can apply a custom PIN code script using PHP that blocks bots and doesn't even allow them to bypass the login script.
That still hits the CPU, although not by much.
We use a middleman page for our wp-login.php calls and straight out block calls to xmlrpc.php. We just whitelisted the IP ranges we found for Jet and a few other remote services, but past that we get maybe a single request every couple months for someone needing it opened.
Francisco
Don't forget to whitelist your own IP
Just host the files yourself! You wouldn't need a redirect then.
One way would be making a dummy login page where you could enter any password and it will return a 200. Once the bot knows that a password is correct, it will likely alert the hacker. Once the hacker tries to login with this password, redirect them to
Of course you could do that but the main point here is to waste as little resources as possible. Sending a reply is already pushing it. Seriously, the best approach is 444 (aka just close the connection).
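Putting the thread's web-server-side suggestions together (rate limit the login URL, refuse xmlrpc.php for everyone but an allowlist, and answer abusers with 444 so PHP never runs) as an added nginx example; this is not any poster's config, and nginx itself, the addresses, paths and PHP-FPM socket are assumptions.

```nginx
# Added example, not from the thread. Drops WordPress brute-force noise at
# the web server before PHP-FPM sees it. All IPs/paths are placeholders.

# --- these two directives belong in the http {} context of nginx.conf ---

# Rate-limit bucket keyed on client IP: 10 login requests per minute.
limit_req_zone $binary_remote_addr zone=wplogin:10m rate=10r/m;

# Allowlist for clients that legitimately need XML-RPC (own IP, a remote
# publishing service). Constructed addresses; replace with real ones.
geo $xmlrpc_allowed {
    default          0;
    192.0.2.10       1;   # placeholder: your own static IP
    198.51.100.0/24  1;   # placeholder: remote service range
}

# --- server block ---
server {
    listen      80;
    server_name example.com;            # placeholder
    root        /var/www/example.com;   # placeholder

    # xmlrpc.php: close the connection without any response (nginx 444)
    # unless the client is allowlisted. Nothing reaches PHP.
    location = /xmlrpc.php {
        if ($xmlrpc_allowed = 0) { return 444; }
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass  unix:/run/php/php-fpm.sock;   # placeholder socket
    }

    # wp-login.php: allow a small burst, then drop excess with 444
    # instead of the default 503, so abusers get no reply at all.
    location = /wp-login.php {
        limit_req        zone=wplogin burst=5 nodelay;
        limit_req_status 444;
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass  unix:/run/php/php-fpm.sock;
    }

    # Everything else is normal WordPress routing.
    location ~ \.php$ {
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass  unix:/run/php/php-fpm.sock;
    }
    location / { try_files $uri $uri/ /index.php?$args; }
}
```

Rejected login attempts still appear in the nginx access log with status 444, which is what a CSF or fail2ban jail can key on for a longer ban.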
I didn't do exactly that, but something similar. I also renamed /wp-content/ to something else. Bots move on if they can't see WP.
Another thing I do (or did before): I block for 24h all IPs that try to log in with admin, admin1, root, adminuser, etc.