I have a small cPanel server running some WordPress sites. Today I’ve noticed there is an IP attempting to log in. I’ve done a quick block for the IP in ConfigServer Firewall, but I can still see login attempts. If I try to ping the IP, it’s actually being blocked; not sure why it is not working the other way.
With a provider I have, after 5 failed attempts to log in, the wp-admin side gets blocked. How do I do it? Where (CSF or ModSecurity)?
Any idea how to stop it? For every WordPress installation, so no WP plugins should be used.
.htaccess password protect /wp-login.php
Just a simple login prompt over that file and your requests will stop. Much lighter weight than running a security plugin.
Thank you. Options 1 and 2 look doable. Imunify looks expensive but I’m going to test it.
@FHR @Harambe I prefer to not use more plugins or change something inside the single cPanel accounts.
I still don’t know why they are able to reach the server:
EDIT: CSF only sees the Cloudflare IP
@Francisco I’d appreciate it if you could share some tips here
I have a global rule that catches requests to those pages and then injects my click-thru page in between.
Nothing stops you from just adding a wordpress.conf file in /etc/apache2/conf.d/ that does some basic rewrites to catch the request and do whatever you want.
That’s why CSF blocking is not working. Configure your web server properly so the real IP is passed from CF to your web server’s logs.
For my Centmin Mod LEMP stack WordPress auto installer, wp-login.php and xmlrpc.php files are automatically set up with rate limiting at the nginx level. IIRC it works out to be like 1 request every 3 seconds.
Then if you combine it with either fail2ban (for Centmin Mod Nginx) or CSF like fail2ban (for Centmin Mod Nginx) banning, you can inspect nginx logs for nginx rate limit entries and ban at the CSF Firewall level.
Of course this all only works if you fix your Cloudflare real IP pass through to your web server first so that the web server log files see the visitor’s real IP.
There’s also a WP plugin for limiting login failures too.
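The replies above depend on recovering the visitor's real IP behind Cloudflare before counting failed logins. The script below is an added example, not code from anyone in this thread. It takes the forwarded address only when the connecting peer is a trusted proxy, then lists addresses with 5 or more failed wp-login.php POSTs. Assumptions: the log format (combined log with the CF-Connecting-IP header appended as a last quoted field), the placeholder proxy range, the 200-means-failed heuristic, and all function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Placeholder proxy range (RFC 5737 documentation net), not a real CDN range.
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]
MAX_FAILURES = 5  # threshold mentioned in the thread
# Assumed format: combined log plus the CF-Connecting-IP header as a last field.
LINE_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<cfip>[^"]*)"$'
)

def real_client_ip(peer, cfip):
    """Return the visitor address, or None if it cannot be established."""
    try:
        peer_addr = ipaddress.ip_address(peer)
    except ValueError:
        return None
    if not any(peer_addr in net for net in TRUSTED_PROXIES):
        return str(peer_addr)  # direct connection: the header is client-supplied
    try:
        return str(ipaddress.ip_address(cfip))
    except ValueError:
        return None  # never count (or ban) the proxy itself

def ips_to_ban(lines):
    failures = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        # Heuristic: a failed login re-renders the form (200); success is a 302.
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if not m["path"].split("?")[0].endswith("/wp-login.php"):
            continue
        ip = real_client_ip(m["peer"], m["cfip"])
        if ip:
            failures[ip] += 1
    return sorted(ip for ip, n in failures.items() if n >= MAX_FAILURES)

def _line(peer, status, cfip):  # builds one constructed log line
    return (f'{peer} - - [01/Jan/2024:00:00:00 +0000] "POST /wp-login.php '
            f'HTTP/1.1" {status} 512 "-" "constructed-agent" "{cfip}"')
SAMPLE_LOG = (  # constructed sample input
    [_line("198.51.100.7", 200, "203.0.113.50")] * 6  # attacker behind the proxy
    + [_line("198.51.100.8", 302, "203.0.113.9")]     # successful login
    + [_line("192.0.2.33", 200, "203.0.113.9")] * 5   # direct hit, forged header
)
```

On the sample, the forged header on the direct connection is ignored, so the connecting address is counted rather than the address it names.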