Any web hosting admin will tell you that a lot of server resources are wasted due to attacks on WordPress instances. A quick and effective solution is to create a custom CSF regex entry which monitors the domain logs and scans for xmlrpc and wp-login.php attacks.
Step 1
Edit the CSF configuration file:
nano /etc/csf/csf.conf
Step 2
For cPanel change CUSTOM1_LOG to the following:
CUSTOM1_LOG = "/var/log/apache2/domlogs/*/*"
For DirectAdmin change CUSTOM1_LOG to the following:
CUSTOM1_LOG = "/var/log/httpd/domains/*"
Step 3
Edit the following file:
nano /usr/local/csf/bin/regex.custom.pm
Paste the following in the file above:
# XMLRPC: any GET or POST request for /xmlrpc.php; $1 captures the client IP
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*\] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
    return ("WP XMLRPC Attack",$1,"XMLRPC","5","80,443","1");
}
# WP-LOGINS: POST to /wp-login.php answered with status 200; $1 captures the client IP
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*\] "POST \/wp-login\.php.*" 200/)) {
    return ("Failed WordPress login from",$1,"wordpress","5","80,443","1");
}
There are a couple of things to note about the above config. The first is the number of xmlrpc and wp-login.php attempts after which we consider the traffic an attack: in our case we consider 5 xmlrpc requests and 5 wp-login.php attempts as attacks. Take note of ports 80 and 443: we will monitor requests coming in on these ports. And finally, "1" means that we want to block the violating IP permanently in CSF.
Now, restart CSF with the following:
service lfd restart
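The two patterns from Step 3 can be dry-run offline against sample log lines to see which requests they count. The Perl script below is an added example, not part of the original article or of CSF; the names classify and offenders, the sample lines and the plain tally without a time window are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my $TRIGGER = 5;    # same trigger level as the "5" in the rules

# The two patterns from Step 3, without the lfd-only %globlogs check.
# Returns (client IP, rule name), or an empty list when the line is ignored.
sub classify {
    my ($line) = @_;
    return ($1, "XMLRPC")
        if $line =~ /(\S+).*\] "\w*(?:GET|POST) \/xmlrpc\.php.*" /;
    return ($1, "wordpress")
        if $line =~ /(\S+).*\] "POST \/wp-login\.php.*" 200/;
    return;
}

# Assumption: a plain per-IP tally with no time window.
# Returns the "IP rule" pairs that reach the trigger level.
sub offenders {
    my (@lines) = @_;
    my %hits;
    for my $line (@lines) {
        my ($ip, $rule) = classify($line) or next;
        $hits{"$ip $rule"}++;
    }
    return grep { $hits{$_} >= $TRIGGER } sort keys %hits;
}

# Constructed sample lines (Apache combined format, documentation IP ranges).
my $fmt = '%s - - [10/Jan/2024:10:00:%02d +0000] "%s %s HTTP/1.1" %d 512 "-" "sample-agent"';
my @log = (
    (map { sprintf($fmt, '192.0.2.10',   $_, 'POST', '/xmlrpc.php',   200) } 1 .. 5),
    (map { sprintf($fmt, '198.51.100.7', $_, 'POST', '/wp-login.php', 200) } 1 .. 5),
    # Successful logins are answered with a 302 redirect, so these are not counted.
    (map { sprintf($fmt, '203.0.113.5',  $_, 'POST', '/wp-login.php', 302) } 1 .. 5),
    # Only four xmlrpc.php requests: below the trigger.
    (map { sprintf($fmt, '203.0.113.9',  $_, 'GET',  '/xmlrpc.php',   405) } 1 .. 4),
    # Loading the login form is a GET and is not counted.
    sprintf($fmt, '203.0.113.20', 1, 'GET', '/wp-login.php', 200),
);

print "would block: $_\n" for offenders(@log);
```

To check real traffic, replace the constructed @log with lines read from one of the domain logs named in CUSTOM1_LOG.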