Block WordPress Login and XMLRPC attacks for cPanel and DirectAdmin using CSF

Any web hosting admin will tell you that a lot of server resources are wasted due to attacks on WordPress instances. A quick and effective solution is to create a custom CSF regex entry which monitors the domain logs and scans for xmlrpc and wp-login.php attacks.

Step 1

nano /etc/csf/csf.conf

Step 2

For cPanel change CUSTOM1_LOG to the following:

CUSTOM1_LOG = "/var/log/apache2/domlogs/*/*"

For DirectAdmin change CUSTOM1_LOG to the following:

CUSTOM1_LOG = "/var/log/httpd/domains/*"

Step 3

Edit the following file:

nano /usr/local/csf/bin/

Paste the following in the file above:

if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(S+).*] "w*(?:GET|POST) /xmlrpc.php.*" /)) {
return ("WP XMLPRC Attack",$1,"XMLRPC","5","80,443","1");

if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(S+).*] "POST /wp-login.php.*" 200/)) {
return ("Failed WordPress login from",$1,"wordpress","5","80,443","1");

There are couple of things to note with the above config. The first thing is after what number of xmlrpc and wp-login.php attempts do we consider this an attack – in our case we consider 5 xmlrpc requests and 5 wp-login.php attempts as attacks. Take note of ports 80, 443 – we will monitor requests coming in on these ports. And finally "1" means that we want to block the violating IP permanently in CSF.

Now, restart CSF with the following:

service lfd restart