What do you people do to deal with Wordpress bruteforce attacks
Hi
I'm having a hard time dealing with brute-force attacks on the WP installations on a small server running CSF. This server has only 20 WordPress installs, and I have set CSF to block xmlrpc.php requests and also to block anyone making more than 10 login requests on wp-login.php. But the problem is still that 100s of IPs attack all those installations on the server and the server starts crawling. There is also a Comodo WAF configured.
I cannot change anything on these WP installs; I am not allowed to, actually. Otherwise I could have installed a captcha or changed the wp-login URL.
The server is perfectly fine for regular and organic traffic, but those bots with 1000s of connections from 100s of IP addresses are making it unusable.
Now what method should I use to deal with it: get better hardware to handle traffic that will never pay for itself, or can something better be done on the server side?
Comments
Cloudflare free and turn on anti-bots feature.
Also combine with Wordfence free and configure it properly (low resources settings + tweak brute force protection. Install the extended firewall it has for more effectiveness).
Another method to consider, very easy to do is to htaccess password protect the login page of wordpress.
I have to do it at server level, can't touch any account or their setup; that includes CF too. Have mentioned that already, sir.
Add an Nginx rule for the login page to only allow a few IPs.
Use a WordPress plugin to use another URL for login and hide wp-login.php and block all requests to wp-login.php.
@Anayx you can set up an htaccess password for the WP login page from the server side. However, if you can't do that because you don't want the user to be aware, then LiteSpeed web server with captcha? But it will cost.
https://docs.litespeedtech.com/lsws/cp/cpanel/wp-protect/
Just to be clear, if the user doesn't want you to tweak or improve... then it's not your problem. If their website is receiving like a thousand bot requests, it's their issue. You as the provider should have CloudLinux in place limiting the resources so that your other customers don't get affected by that one customer.
Just rate limit wp-login.php and xmlrpc.php.
Nginx has the limit_req module that rejects multiple requests made by a particular IP.
```nginx
http {
    limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;  # 10 req/s per client IP
    server {
        location ~ ^/(wp-login|xmlrpc)\.php$ { limit_req zone=mylimit burst=5 nodelay; }
    }
}
```
Use Wordfence plugin & also change default login page to something else
I am using WordFence and CleanTalk. All the attacks are filtered + no Spam for a couple of years.
Well, you will need access to the server as well as to set up a CDN to be able to protect the site from brute-force attacks, though.
Since you can only make server-level changes, as some have recommended above, rate-limiting would definitely help.
If you control DNS, Cloudflare would also be a big help.
Another useful tool would be CrowdSec. The PHP bouncer or the NGINX bouncer would work well.
You could also leverage blocklists with CSF - FireHOL is a great resource (the sidebar on the left has all the different lists).
Is there a pattern to the attacks? Are they all coming from a particular ASN/ISP/Country?
For buyshared I built a 'click through' page that does a cookie check.
Francisco
I would also recommend implementing some of the things mentioned in this article through your server config since you can't change functions.php. I was wondering how people were finding my admin usernames and realized that the API was exposing them.
I use Cloudflare Zero Trust to protect this page. Though I have to log in twice (I don't know how to make auto-login plugins), that may be safer.
The easiest way is to set a whitelist IP for wp-login.php and the wp-admin folder, etc.
Thanks everyone for the suggestions. I had considered almost all the suggestions in this discussion prior to asking here, but the main problem is I can't touch those installations, can't whitelist IPs. Most of the suggestions here are about directly dealing with those domains or installations, but that is not a choice here.
The most practical solution would be implementing some sort of server-wide captcha for the wp-login.php page, again without touching the WP installations.
I found applying things like htpasswd / password-protected directories really stops most of this. Yes, it's a little more annoying at login time, but it worked for me on WordPress, WHMCS etc.
Nothing comes close to getting bigger guns. Upgrade to a massive VPS or dedi.
Mostly the brute force comes to two files, wp-login.php and xmlrpc.php.
I fixed it by adding custom CSF rules so that when those files are attacked the IP of the attacker will be blacklisted; it works well so far.
XMLRPC
```perl
# Custom LFD rule (regex.custom.pm); CUSTOM1_LOG in csf.conf must point at the web server access log.
# $1 is the client IP at the start of the line; 5 hits -> block ports 80,443 permanently ("1").
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*\] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
    return ("WP XMLRPC Attack",$1,"XMLRPC","5","80,443","1");
}
```
WP-LOGINS
```perl
# Same structure for wp-login.php; the .* and \w* quantifiers are what let (\S+) capture the IP.
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*\] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
    return ("WP Login Attack",$1,"WPLOGIN","5","80,443","1");
}
```
Source
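To see what these rules actually catch, here is an added example (not from the post above or from CSF itself) that applies the same two patterns to constructed access-log lines in Python and reports which sources reach the 5-hit trigger. The patterns are the rules' intended regexes with the `.*` and `\w*` quantifiers; the log lines are made up for the demo.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "curl/8.0"
192.0.2.5 - - [10/Oct/2023:13:57:00 +0000] "GET /index.php HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
"""

# The same patterns the LFD rules use: (\S+) grabs the client IP at the start of the line,
# .*\] " skips to the request field, \w*(?:GET|POST) then the targeted file.
RULES = {
    "WPLOGIN": re.compile(r'(\S+).*\] "\w*(?:GET|POST) /wp-login\.php.*" '),
    "XMLRPC":  re.compile(r'(\S+).*\] "\w*(?:GET|POST) /xmlrpc\.php.*" '),
}
TRIGGER = 5  # hits per IP before blocking, the "5" in the rule's return list


def hit_counts(log_text):
    """Count matching requests per (rule, ip); a line counts once, for the first rule that fires."""
    counts = Counter()
    for line in log_text.splitlines():
        for name, rx in RULES.items():
            m = rx.search(line)
            if m:
                counts[(name, m.group(1))] += 1
                break
    return counts


def ips_to_block(log_text, trigger=TRIGGER):
    """Return {'RULE:ip': hits} for every source at or above the trigger.
    LFD additionally confines the count to LF_INTERVAL seconds; this demo ignores timing."""
    return {f"{name}:{ip}": n for (name, ip), n in hit_counts(log_text).items() if n >= trigger}


if __name__ == "__main__":
    for key, n in ips_to_block(SAMPLE_LOG).items():
        print(f"block {key} after {n} hits")
```

Feed it the real access log to check that the rules capture the IP rather than a fragment of the timestamp before relying on them in LFD.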
"I can't make any changes, please help me fix this"
The solution is pretty obvious: if your client doesn't want you to touch anything, then don't. Let their website be slow and unresponsive; it's not your fault that they won't let you fix it.
Exactly this ☝️
Try to lower the connection to 5 instead of 10.
First tell your client to upgrade, then later tell them about the attack lol. That should teach them.
Yeah, maybe just move their stuff into a container and set very aggressive CPU and bandwidth resource limits on it so any attacks don't impact anything else.
Surprised no one mentioned fail2ban.
I have mentioned CSF in my comment and they are both using Linux iptables, but for me CSF is easier to use with its simple GUI.
That’s probably cos OP is already using CSF
I've never installed a single hardening plugin, just kept minimal plugins & kept my site up to date. Never any issues in 4 years and 100,000's of visits.
What about using cPGuard on the server? It shows a captcha page to 'bots' etc., and it also blocks known bad IPs.
Imunify360 is another.