What is the best way to fight with wp-login.php and xmlrpc.php attack?

Hello,

What is the best way to fight wp-login.php and xmlrpc.php attacks on a server: CSF custom rules, mod_security, or both? Do mod_security rules make the server slow or sites load slowly? Share your experience.

Thanks,

Comments

  • imok Member

    Asking the same thing.

    Janitor @ Netflix

    Thanked by 1bdwebservices
  • Shot2 Member

    @imok said: Asking the same thing.

    I don't see how that would protect you.

    Providing less than /64 means "we are clueless about IPv6".

  • What's the exact attack vector? If they hammer the URL, rate limit it on the web server. If it's bad login attempts, ban the IPs after a while.

    Thanked by 1mfs
  • h2o Member

    mv wp-login.php wp-login1.php

    Thanked by 1PrestigeWS
  • jsg Member

    I happen to (very unfortunately) run a wordpress site too. As I don't like or trust plugins I made my own solution. Wrt. xmlrpc I simply have the url handler/filter of my web server match /xmlrpc.php and return a 403. For me that works fine but some rather plugin heavy wp installations do need xmlrpc and can't use my simple solution.

  • Have you moved your login url?

    Thanked by 1mfs
  • imok Member
    edited August 10

    @Shot2 said:

    @imok said: Asking the same thing.

    I don't see how that would protect you.

    At least I will have a clean login log. Also less resource usage, maybe?

    Janitor @ Netflix

  • jsg Member

    @imok said: At least I will have a clean login log. Also less resource usage, maybe?

    Yes, the earlier you catch an illegitimate request the less costly it is in terms of resources. That's one major reason why you always want to have the web server catch crap because any php stuff (like wordpress) catching it is FAR more expensive.

  • rm -rf /wp

    Do you have a mail in a box?

    Thanked by 1Shot2
  • redirect all to homepage except your static ip address to enter.

    Hey, I am your potential buyer.

    show me your best offer

    or in the #wanderlust thing

  • Yura Member

    @d2itsme said: redirect all to homepage except your static ip address to enter.

    Advantage over serving 403/404?

  • imok Member

    d2itsme said: redirect all to homepage except your static ip address to enter.

    Because everyone uses a static ip address.

    Janitor @ Netflix

  • Standard mod_sec, csf, plus Wordfence and be done with it.

    Thanked by 1bdwebservices
  • Fail2ban

  • deank Member

    Success2ban

    Morningwoodhosting. Somebody get it now.

  • FoxelVox Member
    edited August 10

    I have a solution for you: don't use sh*tpress

    I mean, you could also get sucuri.net and set up access rules or a double password

  • lemon Member

    @imok said:

    d2itsme said: redirect all to homepage except your static ip address to enter.

    Because everyone uses a static ip address.

    my ISP assigned me a /16 static ipv4 net for this use case, just ask them, if you say it's for wordpress they'll understand.

    There are lots of Linux users who don't care how the kernel works, but only want to use it. That is a tribute to how good Linux is.

  • jsg Member

    @d2itsme said: redirect all to homepage except your static ip address to enter.

    Sorry but not everyone has experience with 10.x.x.x based hosting.

    Your garment looks nice though. Well chosen, madame. If ever I need dressing advice I'll be sure to contact you.

  • quick Member

    htpasswd

    You are welcome

    Thanked by 1lemon
  • Nomad Member

    Suricata / Snort

    NameSilo.com coupons: CheapDoms or Discounted
    - Send Everything My Way

  • Have them all attack bots index positive exploitation.

    $ cat wp-login.php
    <?php
    http_response_code(200);
    ?>
    

    or

    $ cat wp-login.php
    <?php
    echo("The kitty goes moo.");
    ?>
    

    This is gonna be fun.

    Thanked by 1mksh
  • deank Member

    Replace the kitty part with "the end is nigh" and you are good to go.

    Morningwoodhosting. Somebody get it now.

  • mksh Member
    edited August 10

    The best option is probably:

    location /wp-login.php {
         return 444;
    }
    

    but if you feel the need to be funny you could also just return a random response code:

    • 100 Continue
    • 204 No Content
    • 208 Already Reported
    • 402 Payment Required
    • 406 Not Acceptable
    • 410 Gone
    • 412 Precondition Failed
    • 418 I'm a teapot
    • 421 Misdirected Request
    • 451 Unavailable For Legal Reasons
    • ...

    or hope the scanner is stupid and follows redirects:

    location /wp-login.php {
         return 301 http://ovh.net/files/10Gb.dat;
    }
    
  • jsg Member

    @mksh said: ...

    > location /wp-login.php {
    >      return 301 http://ovh.net/files/10Gb.dat;
    > }
    > 

    Favourite!

    Thanked by 1Francisco
  • AlphaNinevps_com Member, Provider

    Changing the wp-login.php name could be a good trick. But what if they know your new wp-login file name? You can apply a custom PIN code script using PHP that blocks bots and doesn't even allow them to bypass the login script.

  • Francisco Top Provider

    Janevski said: Have them all attack bots index positive exploitation.

    That still hits the CPU, although not by much.

    We use a middleman page for our wp-login.php calls and straight out block calls to xmlrpc.php. We just whitelisted the IP ranges we found for Jet and a few other remote services, but past that we get maybe a single request every couple months for someone needing it opened.

    Francisco

    BuyVM - Dedicated KVM Slices / Anycast Support! / Stallion Control Panel / Windows 2008, 2012, & 2016! / Unmetered Bandwidth!
    BuyShared - Shared & Reseller Hosting / cPanel + Softaculous + CloudLinux / Pure SSD! / Free Dedicated IP Address
  • Raymii Member

    @mksh said:

    > location /wp-login.php {
    >      return 301 http://ovh.net/files/10Gb.dat;
    > }
    > 

    Don't forget to whitelist your own IP :p

    Quis custodiet ipsos custodes?
    https://raymii.org - https://cipherli.st
    Thanked by 2Francisco eva2000
  • ehhthing Member
    edited August 12

    > location /wp-login.php {
    >      return 301 http://ovh.net/files/10Gb.dat;
    > }
    > 

    Just host the files yourself! You wouldn't need a redirect then.

    One way would be making a dummy login page where you could enter any password and it will return a 200. Once the bot knows that a password is correct, it will likely alert the hacker. Once the hacker tries to login with this password, redirect them to

  • mksh Member
    edited August 12

    @ehhthing said:

    > > location /wp-login.php {
    > >      return 301 http://ovh.net/files/10Gb.dat;
    > > }
    > > 

    Just host the files yourself! You wouldn't need a redirect then.

    Of course you could do that but the main point here is to waste as little resources as possible. Sending a reply is already pushing it. Seriously, the best approach is 444 (aka just close the connection).
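Putting mksh's 444 approach and Raymii's "whitelist your own IP" reminder together as an added nginx example (not configuration posted by either of them): xmlrpc.php is closed outright, wp-login.php is closed for everyone except one administrator address. 203.0.113.10, example.org, the web root and the PHP-FPM socket path are placeholders.

```nginx
# Added example: drop WordPress login/XML-RPC probes at the web server,
# before PHP ever runs. 203.0.113.10 is a placeholder for the admin's
# own static address; with a dynamic address, keep only the 444 rules.
geo $wp_login_allowed {
    default        0;
    203.0.113.10   1;   # placeholder: replace with your own address
}

server {
    listen      80;
    server_name example.org;             # placeholder
    root        /var/www/example.org;    # placeholder
    index       index.php;

    # Nothing on this site needs XML-RPC, so close the TCP connection
    # without sending a response (444 is nginx-specific). No PHP is
    # started and no body is sent; the hit still appears in access_log.
    location = /xmlrpc.php {
        return 444;
    }

    # Login page: unknown clients get the connection closed, the
    # whitelisted address is handed to PHP-FPM like any other script.
    location = /wp-login.php {
        if ($wp_login_allowed = 0) {
            return 444;
        }
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass  unix:/run/php/php-fpm.sock;   # placeholder socket
    }

    # Everything else: normal WordPress permalink handling.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass  unix:/run/php/php-fpm.sock;   # placeholder socket
    }
}
```

If the site sits behind Cloudflare or another proxy, $remote_addr is the proxy's address, so the geo whitelist only works once ngx_http_realip_module (set_real_ip_from / real_ip_header) is configured for that proxy's ranges.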

  • @h2o said: mv wp-login.php wp-login1.php

    I didn't do exactly that, but something similar. I also renamed /wp-content/ to something else. Bots move on if they can't see WP.

    Another thing I do (or did before): I block for 24h all IPs that try to log in with admin, admin1, root, adminuser etc.

  • Which one answer this question better? LET or WHT?

  • @ErawanArifNugroho said: Which one answer this question better? LET or WHT?

    WHT :)

  • Give Wordpress its own folder (use method 2): https://codex.wordpress.org/Giving_WordPress_Its_Own_Directory

    Set whatever security you want to use to block direct access to wp-login/xmlrpc.php

  • jsg Member

    @LeonDynamic said: Set whatever security you want to use to block direct access to wp-login/xmlrpc.php

    Well, it just so happens that THAT was the question. Plus I'm not really sure that changing from the root directory to some other directory really hides the path, because there are plenty of site links in index.php.

  • WAF

    You can use Cloudflare as cheapest or try other combinations.

    signature for rent - ^_^

  • Right now I use both mod_security and CSF custom rules and it is working great. It seems the mod_security rules work better than the CSF rules, but they are making page loads slow (maybe) and creating a lot of access_logs, error_logs etc.
