Hi,
This is for people with their own server running cPanel/Apache. For people on shared hosting, their provider will probably enable this if asked.
First make sure mod_security and mod_security2-mlogc are enabled; this can be done via EasyApache 4.
Install and enable the OWASP ModSecurity Core Rule Set V3.0 rules under "Select ModSecurity™ Vendors". Then under "ModSecurity™ Configuration" set:
- Audit Log Level
- Connections Engine set to Process the rules
- Rules Engine set to Process the rules
Install CMC:
https://www.configserver.com/cp/cmc.html
Add the following to /etc/apache2/conf.d/modsec/modsec2.user.conf:
# WordPress brute force: one collection per client IP (the "user" collection is also keyed by the client IP here)
SecAction "phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000134"
<LocationMatch "/wp-login.php">
# Setup brute force detection.
# React if the block flag has been set.
SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"
# Setup tracking. On a successful login, a 302 redirect is performed; a 200 indicates the login failed.
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
# Each failed login adds 1 to ip.bf_counter, which decays by 1 every 180 seconds (deprecatevar).
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
# Chained rule: more than 10 failures sets the block flag for 300 seconds (expirevar) and resets the counter.
SecRule ip:bf_counter "@gt 10" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</LocationMatch>

# Bad bots: the User-Agent header is matched against the phrases in badbotlist.txt, one per line.
# No disruptive action is given, so the SecDefaultAction in force (pass or deny) decides what happens on a match.
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile /etc/apache2/conf.d/modsec/badbotlist.txt" "id:980001,rev:1,severity:2,log,msg:'Bot Rule: Black Bot detected.'"

# Prevent DDoS to xmlrpc.php (WordPress) with ModSecurity
SecAction "phase:1,id:400000,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}"
# Count xmlrpc.php hits per IP: the counter decays by 2 every 60 seconds and is forgotten after 120 seconds;
# more than 5 hits drops the connection (the drop only happens when the chained rule below also matches).
SecRule REQUEST_URI "/xmlrpc\.php" "id:400001,nolog,drop,chain,phase:1,setvar:ip.ddos=+1,deprecatevar:ip.ddos=2/60,expirevar:ip.ddos=120"
SecRule IP:DDOS "@gt 5" "nolog"
systemctl restart httpd
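To make the counter arithmetic behind the wp-login.php rules concrete, here is an added Python model (written for this post, not code from the post or its sources) of how setvar, deprecatevar and expirevar interact. It is a simplified model, an assumption rather than ModSecurity's exact implementation: decay is computed per variable from that variable's last update. It shows that the block fires on the 11th fast failure and clears after 300 seconds, and that failures spaced 180 s apart never trigger it because the counter decays one step per failure.

```python
from dataclasses import dataclass

@dataclass
class DecayingVar:
    """One persistent-collection variable (ip.bf_counter or user.bf_block), simplified model."""
    decay_amount: int        # deprecatevar: subtract this much ...
    decay_every: int         # ... every this many seconds since the last update (0 = no decay)
    expire_after: int = 0    # expirevar: forget the value this many seconds after it was set (0 = never)
    value: int = 0
    updated_at: float = 0.0

    def read(self, now):
        if self.value and self.expire_after and now - self.updated_at >= self.expire_after:
            self.value = 0                                    # expirevar fired
        if self.value and self.decay_every:                   # deprecatevar: whole steps since last update
            steps = int((now - self.updated_at) // self.decay_every)
            if steps:
                self.value, self.updated_at = max(0, self.value - steps * self.decay_amount), now
        return self.value

    def set(self, now, value):
        self.value, self.updated_at = value, now

    def add(self, now, delta):                                # setvar:ip.bf_counter=+1 (decay applied first here)
        self.set(now, self.read(now) + delta)
        return self.value

def wp_login_request(state, now, backend_status):
    """Client-visible status for one POST to wp-login.php; backend_status is what WordPress would answer (302 ok, 200 failed)."""
    counter, block = state
    if block.read(now) > 0:                                   # user:bf_block "@gt 0" -> deny,status:401
        return 401
    if backend_status == 302:                                 # phase 5: success resets the counter
        counter.set(now, 0)
    elif backend_status == 200 and counter.add(now, 1) > 10:  # phase 5: failure, then the chained threshold check
        block.set(now, 1)
        counter.set(now, 0)
    return backend_status

def fast_attacker():
    """Constructed scenario: 12 failed logins one second apart, then the correct password 5 minutes later."""
    # ip.bf_counter decays 1 per 180 s; user.bf_block is forgotten 300 s after it is set
    state = DecayingVar(1, 180), DecayingVar(0, 0, expire_after=300)
    seen = [wp_login_request(state, t, 200) for t in range(12)]
    return seen + [wp_login_request(state, 12 + 300, 302)]

def slow_attacker(attempts=40):
    """Constructed scenario: one failure every 180 s; the counter decays as fast as it grows, so no block."""
    state = DecayingVar(1, 180), DecayingVar(0, 0, expire_after=300)
    return [wp_login_request(state, t * 180, 200) for t in range(attempts)]
```

The slow case is why the rule's message ("more than 10 login attempts in 3 minutes") is only an approximation: the counter must net more than 10 failures after decay, not 10 within any fixed window.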
In the site's .htaccess (shared hosting users can do this without contacting their hosting provider):
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# Block WordPress xmlrpc.php requests except from your own address.
# order/deny/allow is the Apache 2.2 access syntax; on Apache 2.4 it needs mod_access_compat to be loaded.
<Files xmlrpc.php>
order deny,allow
deny from all
allow from your.public.i.p
</Files>

# Deny access to .htaccess, .htpasswd and any other .hta* file
<FilesMatch "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</FilesMatch>

# Deny direct access to wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>

# Forbid direct requests to PHP files under wp-admin/includes and wp-includes.
# The [S=3] rule skips the next three rules when the request is not under wp-includes/.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# disable directory browsing
Options All -Indexes
Thanks Tom
P.S. Please feel free to comment.
Sources:
https://wpprofix.com/stopped-wordpress-brute-force-attacks-server/
https://www.hostinger.co.uk/tutorials/xmlrpc-wordpress
https://forums.cpanel.net/threads/wp-login-php-and-mod-security.430242/page-2
https://malware.expert/prevent-ddos-xmlrpc-php-wordpress-modsecurity/
https://www.cloudways.com/blog/protect-wordpress-with-htaccess/