About WordPress

WordPress is a complete blogging platform that is highly customizable and makes it easy to develop a website. It is a popular publishing platform, well known for its robust features, numerous templates, and large support community. However, WordPress is also constantly subject to attempts to exploit vulnerabilities. One important security measure is to keep WordPress and any associated plugins updated to the latest version.

Brute Force Attack

A common attack on WordPress is a brute force attack that hammers the wp-login.php file, trying usernames and passwords over and over until the attacker gets in and gains access to the site. These attacks cause the server to run out of memory and suffer performance issues: the number of HTTP requests (that is, the number of times someone visits your site) becomes so high that the server runs out of memory.

Block Brute Force Attempts using ModSecurity

ModSecurity provides a significant amount of protection by acting as a web application firewall. It can be customised to filter incoming HTTP requests, which helps against brute forcing and against attackers consuming server resources. With a little mod_security configuration, combined with the free ConfigServer Firewall, brute force attempts can easily be blocked.

Make sure that mod_security is enabled on the server; otherwise run EasyApache again and enable the Apache mod_security module. You will also need to install ConfigServer Firewall on the server.

Configure Mod Security to prevent Brute Force

In order to block excessive wp-login.php attempts, we need to configure custom Mod Security rules. You may either edit the user rules file manually via the command line or use the built-in editor inside WHM. To do it via the command line, edit the /usr/local/apache/conf/modsec2.user.conf file. Alternatively, in WHM go to Home > Plugins > Mod Security; this shows the log of any blocks. At the top you will see a button that says Edit Config; click it and you will get a page where you can edit the same file mentioned above.

You can use the custom rules given below.

SecUploadDir /tmp
SecTmpDir /tmp
SecDataDir /tmp
SecRequestBodyAccess On

SecAction "phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000134"

<LocationMatch "/wp-login.php">
  # Setup brute force detection.

  # React if block flag has been set.
  SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address is blocked for 5 minutes, for more than 10 login attempts in 3 minute.'"

  # Setup tracking.
  # On a successful login, a 302 redirect is performed; a 200 indicates the login failed.
  SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
  SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
  SecRule ip:bf_counter "@gt 10" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</LocationMatch>

ErrorDocument 401 default

Let us go through what each part does.

We set SecUploadDir, SecTmpDir and SecDataDir to /tmp. "SecRequestBodyAccess On" tells mod_security to inspect the body of the HTTP transaction, since most login attempts are done via POST requests. This should always be set to On.

<LocationMatch "/wp-login.php">

This matches requests where the person is accessing /wp-login.php. It also matches sub-directories and nested directories, because /wp-login.php will be in the URL either way.

SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address is blocked for 5 minutes, for more than 10 login attempts in 3 minute.'"

This checks the block flag and, if it is set, denies the request with status 401 and logs to the mod_security log with the message given above.

SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"

This checks whether the response status is 302, which is the response for a successful login; it then sets bf_counter to 0 because the user logged in, so this is not a brute force attempt.

SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"

This checks whether the response status is 200, which means there was a failed login attempt. When this is detected, it increments bf_counter to count how many failed login attempts there have been. The deprecatevar:ip.bf_counter=1/180 part defines how long the login attempts are tracked for: the counter is reduced by 1 every 180 seconds, so old failures gradually age out.

SecRule ip:bf_counter "@gt 10" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"

This checks the value of bf_counter for the user's IP; if it is greater than 10 (meaning more than 10 failed login attempts), the IP is blocked. The value user.bf_block=300 is how many seconds the IP is blocked for. If you want to block for 10 minutes instead of 5, change the value to 600. The value "@gt 10" is the number of failed logins allowed before the IP is blocked.

ErrorDocument 401 default

This directs Apache to serve its own default page for any 401 errors. If it is not present, WordPress (via its .htaccess rewrite rules) will handle the 401 error instead.
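To see how the counter, its deprecation and the block expiry interact over time, here is an added Python model of the rule logic above. It is not code from this page or from ModSecurity; as an assumption, deprecatevar is approximated as counting elapsed time from the previous stored update of the IP's collection, and constructed IP addresses and timestamps are used.

```python
THRESHOLD = 10         # "@gt 10": block once more than 10 failures accumulate
DEPRECATE_EVERY = 180  # "deprecatevar:ip.bf_counter=1/180": counter loses 1 per 180 s
BLOCK_SECONDS = 300    # "expirevar:user.bf_block=300": block lasts 5 minutes


class IpState:
    """Per-IP view of the ip.bf_counter and user.bf_block variables."""
    def __init__(self):
        self.bf_counter = 0
        self.last_update = None  # when this IP's collection was last stored
        self.block_until = 0.0   # user.bf_block expiry time; 0 means not blocked


class BruteForceTracker:
    """Simplified model of the rule chain (assumption: ModSecurity's real
    collection persistence and timing are approximated here)."""
    def __init__(self):
        self.ips = {}

    def _state(self, ip):
        return self.ips.setdefault(ip, IpState())

    def request(self, ip, now):
        """Rule id 5000135 (phase 2): deny with 401 while user.bf_block is set."""
        return 401 if self._state(ip).block_until > now else None

    def response(self, ip, status, now):
        """Rules 5000136/5000137 (phase 5): act on the login response status.
        Returns the ip.bf_counter value after the rules have run."""
        st = self._state(ip)
        if status == 302:    # successful login resets the counter
            st.bf_counter = 0
        elif status == 200:  # failed login: +1, then age out 1 per 180 s
            st.bf_counter += 1
            elapsed = 0 if st.last_update is None else now - st.last_update
            st.bf_counter = max(0, st.bf_counter - elapsed // DEPRECATE_EVERY)
            if st.bf_counter > THRESHOLD:
                st.block_until = now + BLOCK_SECONDS  # set user.bf_block
                st.bf_counter = 0
        st.last_update = now
        return st.bf_counter

    def attempt(self, ip, status, now):
        """One wp-login.php round trip: returns the status the client sees."""
        denied = self.request(ip, now)
        if denied is not None:
            return denied  # ModSecurity short-circuits with 401
        self.response(ip, status, now)
        return status
```

Running eleven failures within a minute trips the block, a twelfth attempt gets 401, and after 300 seconds the IP is served again; an attacker spacing failures 180 seconds apart never exceeds the threshold.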

Enable Mod Security in ConfigServer Firewall

You will need to make sure that ConfigServer Firewall has Mod Security enabled. To do that, go to WHM >> ConfigServer Firewall >> Edit Configuration and find LF_MODSEC. This should be set to something other than 0. Save the configuration changes and restart LFD/CSF.