Previously we discussed some approaches: using iptables with Fail2Ban, configuring Apache Mod Security, and getting flooded by XML-RPC attacks on Nginx, which produce odd errors that are difficult to detect. Brute force and xmlrpc attacks are common, and we have many ways to handle them. Here is an article on WordPress brute force and Mod Security.
WordPress Brute Force And Mod Security
Login attacks on wp-login.php and xmlrpc.php are the most common, and are probably the closest thing to SSH brute force. Consider using Mod Security along with WordPress plugins such as IP Geo Block and the Fail2Ban WordPress plugin. Why? Because Mod Security blocks the bad request before it ever reaches PHP, and if a request slips past, WordPress will still not respond to these known-bad requests. Implementing mitigation rules is easy on Apache; that is one of the reasons we said Apache is better than Nginx.
WordPress Brute Force And Mod Security Rules
We talked about configuring this file in the Apache hardening guide:
/etc/modsecurity/modsecurity.conf
WordPress has an official doc:
https://codex.wordpress.org/Brute_Force_Attacks#ModSecurity
We can add rules anywhere, such as in the .htaccess file, which worked with old versions of Mod Security. These rules are meant for wp-login.php only (the codex scopes them with a `<Location /wp-login.php>` block in the server config); applied site-wide, every 200 response would count as a failed login:

```apache
# Per-client collections keyed on the source IP: one for the counter, one for the block flag.
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR}
# Deny outright while the block flag is set.
SecRule user:bf_block "@gt 0" "deny,status:401,log,msg:'ip address blocked for 5 minutes, more than 15 login attempts in 3 minutes.'"
# A successful wp-login.php login answers with a 302 redirect: reset the counter.
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0"
# A 200 means the login form was shown again (failed login): count it, decaying by 1 every 180 s.
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180"
# More than 15 failures: raise the block flag for 300 s and start counting over.
SecRule ip:bf_counter "@gt 15" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
```
Of course, more elaborate rules can be added for other sections of WordPress that are usually targeted. We can create whitelists and blacklists and make the logic more refined.
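As an added illustration (not part of the original article or of the WordPress codex), the following Python model replays requests against the counter, decay and expiry behaviour of the rules above, so the "15 failures in 3 minutes, blocked for 5 minutes" logic can be checked before deploying; the class and the sample request sequence are constructed for this example and approximate ModSecurity's deprecatevar/expirevar handling rather than reusing its code.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

FAIL_THRESHOLD = 15                  # SecRule ip:bf_counter "@gt 15"
DECAY_STEP, DECAY_PERIOD = 1, 180    # deprecatevar:ip.bf_counter=1/180
BLOCK_SECONDS = 300                  # expirevar:user.bf_block=300

@dataclass
class LoginRateLimiter:
    """Constructed model of the per-client ip/user collections the rules persist."""
    counter: int = 0                   # ip.bf_counter
    counter_updated: int = 0           # when bf_counter was last written
    block_until: Optional[int] = None  # user.bf_block plus its expirevar deadline

    def _deprecate(self, now: int) -> None:
        # deprecatevar: subtract DECAY_STEP for every full DECAY_PERIOD since the last write.
        periods = (now - self.counter_updated) // DECAY_PERIOD
        self.counter = max(0, self.counter - DECAY_STEP * periods)

    def request(self, now: int, app_status: int) -> int:
        """Status the client sees for a wp-login.php request at time `now` (seconds) that
        WordPress itself would answer with `app_status` (200 = login failed, 302 = success)."""
        # Request phase: an active bf_block flag is denied with 401 before PHP ever runs.
        if self.block_until is not None and now < self.block_until:
            return 401
        self.block_until = None                  # expirevar has removed the flag
        # Logging phase (phase 5): account for the response WordPress produced.
        if app_status == 302:                    # successful login: clear the counter
            self.counter, self.counter_updated = 0, now
        elif app_status == 200:                  # failed login: decay first, then count
            self._deprecate(now)
            self.counter += 1
            self.counter_updated = now
            if self.counter > FAIL_THRESHOLD:    # chained rule: raise the block flag
                self.block_until = now + BLOCK_SECONDS
                self.counter = 0
        return app_status                        # phase 5 runs too late to alter this response


def simulate(events: List[Tuple[int, int]]) -> List[int]:
    """Replay (time, app_status) pairs from one client and return the statuses it observes."""
    limiter = LoginRateLimiter()
    return [limiter.request(t, s) for t, s in events]


if __name__ == "__main__":
    # Constructed sample traffic: 16 failures one second apart, a 17th attempt, a retry after 300 s.
    burst = [(t, 200) for t in range(16)] + [(16, 200), (316, 302)]
    print(simulate(burst))  # the 17th attempt is denied with 401; the retry after the block gets through
```

Feeding the same sequence with one failure every 180 seconds shows the decay keeping the counter at 15, which is why the rule set only stops fast attackers and must be paired with the plugins mentioned above for slow ones.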
We are talking about mod_security2. We also need another module, mod_unique_id:
http://httpd.apache.org/docs/current/mod/mod_unique_id.html
The steps we described earlier probably activated that module already; check with the method we described there. Please read the Mod Security guide, because blind copy-pasting easily disturbs the normal functioning of WordPress:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual
We suggest initially using a plugin like IP Geo Block and the Fail2Ban WordPress plugin to get an idea of which WordPress files are targeted most. Then use Mod Security to decrease the load on PHP and WordPress.