<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8" /> <title>Blocking wp-login.php and xmlrpc.php Brute Force attacks with cPanel and CFS - Blog - Professional Website Design, Graphic Design & Print</title> <base href="https://www.digitalflare.co.uk/" /> <meta name="viewport" content="width=device-width,user-scalable=yes,initial-scale=1.0" /> </head> <body itemscope itemtype="http://schema.org/WebPage"> <div id="outer_container"> <div id="page_wrapper"> <!-- page header --> <div id="page_header"> <div class="page_width"> <h1>Blocking wp-login and xmlrpc Brute Force attacks with CSF / cPanel</h1> </div> </div> <!-- end page header --> <div class="top_spacing page_width clear"> <div class="clear"> <div id="blog_left"> <div class="blog_header"> <ul class="blog_cat_list clear"> <li>From</li> <li><a href="blog.php?category=14">Web Hosting and Domain Names</a></li> </ul> </div> <div id="blog_content" class="cms"> <p>Our servers are subjected to brute force attacks daily. Since we do not host WordPress websites, we blocked any requests for the wp-login.php and xmlrpc.php. 
Here is a great way to block abusers with the CSF firewall...</p>
<p>First, define a custom log that CSF can search for wp-login.php and xmlrpc.php requests.</p>
<p>Edit your <strong>/etc/csf/csf.conf</strong> as shown below (add this near the bottom of the file):</p>
<pre><code>CUSTOM1_LOG = "/var/log/apache2/domlogs/*/*"</code></pre>
<p>Then you must create custom functions for CSF so that it can block those attacks. Add the following to your <strong>/usr/local/csf/bin/regex.custom.pm</strong> file, creating the file if it does not exist (delete any rules you do not require):</p>
<pre><code># Each rule returns: (message, offending IP, rule ID, trigger count,
# ports to block, "1" = permanent block)

# XMLRPC
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*\] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
    return ("WP XMLPRC Attack",$1,"XMLRPC","1","80,443","1");
}

# WP-LOGINS
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*\] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
    return ("WP Login Attack",$1,"WPLOGIN","1","80,443","1");
}

# WP-ADMINS
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*\] "\w*(?:GET|POST) \/wp-admins\.php.*" /)) {
    return ("WP ADMIN Attack",$1,"WPADMIN","1","80,443","1");
}

# WP-PLUGIN
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*\] "\w*(?:GET|POST) \/wp-cl-plugin\.php.*" /)) {
    return ("WP wp-cl-plugin Attack",$1,"WPPLUGIN","1","80,443","1");
}

# wlwmanifest.xml
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*\] "\w*(?:GET|POST) \/wlwmanifest\.xml.*" /)) {
    return ("WP wlwmanifest.xml Attack",$1,"MANIFEST","1","80,443","1");
}

# shell.php
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*\] "\w*(?:GET|POST) \/shell\.php.*" /)) {
    return ("SHELL shell.php Attack",$1,"SHELL","1","80,443","1");
}

# xing.php
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*\] "\w*(?:GET|POST) \/xing\.php.*" /)) {
    return ("XING xing.php Attack",$1,"XING","1","80,443","1");
}
</code></pre>
<p>Restart CSF and check that LFD is doing its new job. 
On success, you should see something like this:</p>
<pre><code>May 10 11:33:16 cp lfd[589350]: (WPLOGIN) WP Login Attack 4.4.4.4 (VN/Vietnam/s1.hekkviet.net): 1 in the last 600 secs - *Blocked in csf* [LF_CUSTOMTRIGGER]
May 10 11:33:36 cp lfd[589587]: (WPLOGIN) WP Login Attack 5.5.5.5 (IN/India/5.5.5.5.linuxhosting.com): 1 in the last 600 secs - *Blocked in csf* [LF_CUSTOMTRIGGER]
</code></pre>
<p>Any IPs in the CSF 'allow' list will show the following:</p>
<pre><code>May 10 11:45:36 cp lfd[591718]: WP Login Attack 1.1.1.1 - ignored
May 10 11:45:41 cp lfd[591718]: WP Login Attack 2.2.2.2 - ignored
</code></pre>
<p>I hope this helps any system admin, and thank you to Igor Mazej for the tutorial.</p>
</div> </div> </div> </div> </div>
<div id="footer_wrapper"> <div id="footer_inner"> © Copyright 2024 DigitalFlare Ltd - All Rights Reserved <br /> Company No. 06992385 - Thu 28th Nov 2024 </div> </div>
</div> </body> </html>
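Because these rules block on a single hit, it is worth dry-running them against sample log lines before restarting CSF. The script below is an added example, not code from the original post or from CSF: the custom_line() wrapper and the %globlogs stand-in are assumptions that mimic only what the rules reference, and every log line and path is constructed.

```perl
#!/usr/bin/perl
# Added example: offline dry run of two of the page's regex.custom.pm rules.
use strict;
use warnings;

# Stand-in for lfd's global log map (assumption: only the key the rules read).
our %globlogs;
my $domlog = "/var/log/apache2/domlogs/example/example.com";   # constructed path
$globlogs{CUSTOM1_LOG}{$domlog} = 1;

# The page's rule bodies, wrapped in a sub so they can be called directly.
sub custom_line {
    my ($line, $lgfile) = @_;
    if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*\] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
        return ("WP XMLPRC Attack",$1,"XMLRPC","1","80,443","1");
    }
    if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*\] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
        return ("WP Login Attack",$1,"WPLOGIN","1","80,443","1");
    }
    return 0;
}

# Constructed combined-format lines using documentation IP ranges.
my @samples = (
    # expected: blocked by the WPLOGIN rule
    [$domlog, q{198.51.100.7 - - [10/May/2024:11:33:15 +0100] "POST /wp-login.php HTTP/1.1" 404 315 "-" "Mozilla/5.0"}],
    # expected: blocked by the XMLRPC rule (query string is still matched)
    [$domlog, q{203.0.113.9 - - [10/May/2024:11:33:20 +0100] "GET /xmlrpc.php?rsd HTTP/1.1" 404 315 "-" "Mozilla/5.0"}],
    # expected: pass, ordinary page view
    [$domlog, q{192.0.2.10 - - [10/May/2024:11:34:02 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"}],
    # expected: pass, the filename only appears inside a query string
    [$domlog, q{192.0.2.11 - - [10/May/2024:11:34:09 +0100] "GET /search.php?q=wp-login.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"}],
    # expected: pass, this file is not registered under CUSTOM1_LOG
    ["/var/log/other.log", q{198.51.100.7 - - [10/May/2024:11:35:00 +0100] "POST /wp-login.php HTTP/1.1" 404 315 "-" "Mozilla/5.0"}],
);

for my $sample (@samples) {
    my ($file, $line) = @$sample;
    my @hit = custom_line($line, $file);
    if ($hit[0]) {
        printf "BLOCK %-13s rule=%-8s trigger=%s ports=%s\n", $hit[1], $hit[2], $hit[3], $hit[4];
    } else {
        printf "pass  %s\n", substr($line, 0, 60);
    }
}
```

Add lines copied from your own domlogs to @samples to confirm that legitimate traffic passes before the rules go live.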