How I stopped WordPress brute force attacks on cPanel servers

I run a hosting company which hosts mostly WordPress sites. As you know, brute force attacks on WordPress have been a big issue for the past few years. About six months ago, after I was able to block most attacks, they got even stronger and harder to stop. I figured out how to block them 99% of the time, which keeps my server resources down and stops my clients' sites from wasting resources.

If you run your own servers you can use the guide below to protect your clients' sites. If you're not running your own server, use this guide to block brute force attacks on your site.

This guide is for someone running cPanel 64 or greater with EasyApache 4. Parts of this guide will work for cPanel 58-64 and EasyApache 3 however some features may be missing.

I'm writing this guide based on my current server setup. These methods may work with other platforms such as Plesk, but I don't have the environment to test.

Step One – Apache Config

The first thing I did was block ALL xmlrpc.php traffic from anyone but WordPress.com IPs. These IPs may change, but the list I'm currently using has been working fine for over a year.

You need to add the code below to your Apache config. If you're running cPanel, log in to WHM and search for Apache Configuration. On that screen select Include Editor, then choose All Versions from the drop-down under Pre VirtualHost Include.

**Add your IP address so you can access everything after you block it**

This block sends every request for xmlrpc.php and wp-trackback.php from a non-allowed address off to localhost, aka 127.0.0.1 (the 403 is turned into a 302 redirect to the client's own loopback address, so the attacker's tooling ends up talking to itself). Some clients may need one or both, so make sure they're not using the WordPress mobile app or trackbacks before you deploy it. We decided as a company to block them because they were used for attacks far more than for anything legitimate, and not one of our clients reported issues. If a client needs xmlrpc.php or wp-trackback.php, put them on their own server; there's no need to compromise everyone's security for one client.

<FilesMatch "^(xmlrpc\.php|wp-trackback\.php)$">
    # Apache 2.2-style access control; EasyApache 4 (Apache 2.4) accepts it through mod_access_compat
    Order Deny,Allow
    Deny from all
    # A partial hostname entry is written with a leading dot and no "*". Apache has to do a
    # double reverse DNS lookup on every request to these files to evaluate it, so expect added latency.
    Allow from .wordpress.com
    Allow from 192.0.64.0/18
    Allow from 185.64.140.0/22
    Allow from 2a04:fa80::/29
    Allow from 76.74.255.84
    Allow from 76.74.255.85
    Allow from 192.0.65.204
    Allow from 192.0.65.205
    Allow from 192.0.80.244
    Allow from 192.0.80.246
    Allow from 192.0.96.247
    Allow from 192.0.96.248
    Allow from 192.0.123.250
    # Allow from xxx.xxx.xxx.xxx   <- **ADD YOUR IP ADDRESS** here (uncomment) or delete this line; a literal placeholder breaks the config
    Satisfy All
    # A full URL here makes Apache answer the 403 with a 302 redirect to the client's own localhost
    ErrorDocument 403 http://127.0.0.1/
</FilesMatch>

Step Two – Mod Security

The next step requires Mod Security to be installed. This is a free option within cPanel. Hopefully you’re running the latest cPanel 62+ which has a nice interface for Mod Security.

You can install ModSecurity via EasyApache 4. Once you're logged in to WHM, search for EasyApache 4. Since you most likely already have a running config, click the blue button to customize your current config. Once everything loads click Apache Modules and search for mod_security. You want mod_security2 and mod_security2-mlogc (you may already have mod_security2 installed; mod_security2-mlogc is newer and arrived with cPanel 62+).

If both show blue and unaffected you already have them installed. If not, hit next until you get to the review screen and hit provision.

Two different things are easy to confuse here. mlogc is ModSecurity's log collector, the piece that ships audit-log entries off to a remote console. The tool that keeps ModSecurity's persistent-storage database from growing without bound is modsec-sdbm-util, which cPanel 62+ packages for you; on older versions you can build it from Kenneth Power's GitHub (https://github.com/escherlat/modsec-sdbm-util).

That database is the thing that bit me: /var/cpanel/secdatadir/ip.pag is not a log but the SDBM store holding the per-IP counters the rules keep, and mine grew to 25GB in size and caused the server to overload. Make sure the sdbm cleanup is in place so it stays small.

Once you have ModSec installed, click the WHM icon at the top left to refresh the page. Then search for ModSecurity in the WHM search panel. Select ModSecurity™ Vendors and add / install the OWASP ModSecurity Core Rule Set V3.0 rules (you may already have the 2.0 rules installed). Personally I've found the 3.0 rules to be better than the 2.0 rules, and I have disabled the 2.0 rules altogether; don't run both sets at once.

Search for ModSecurity™ Configuration within WHM and make sure everything is turned on. I have Audit Log Level set to Only log noteworthy transactions, Connections Engine set to Process the rules, Rules Engine set to Process the rules. You can setup the other stuff as well such as Geolocation Database and Project Honey Pot if you want but I’m not going to talk about those within this guide.

Step Three – CMC

You don't need to install this if you'd rather modify the files via command line or FTP, but I found it easier using this plugin. The install instructions are pretty easy.

https://www.configserver.com/cp/cmc.html

Install instructions: https://download.configserver.com/cmc/INSTALL.txt

Once you have CMC installed you can click the WHM icon at the top left to refresh the page. Search for ConfigServer ModSec in the WHM search and select it. Scroll down to the bottom and select modsec/modsec2.user.conf under ConfigServer ModSecurity Tools and select edit.

This is the rule that will block 99% of the attacks. In the last 7 days it’s blocked over 42,5000+ attacks!

Add the following entry: (More about the other rules below – Do not add them until you read the rest of this post)

<LocationMatch "/wp-login.php">
    SecRule REQUEST_METHOD "POST" "deny,status:401,id:972687,log,chain,msg:'wp-login request blocked, no referrer'"
        SecRule &HTTP_REFERER "@eq 0"
</LocationMatch>

What this does is block any POST to wp-login.php that carries no Referer header (https://en.wikipedia.org/wiki/HTTP_referer). A browser submitting the login form sends one; most brute-force scripts don't bother. Two caveats: a bot can add the header with one line of code, so treat this as a filter for lazy tooling rather than a hard control, and a user whose browser or privacy extension strips Referer (or a site that sends Referrer-Policy: no-referrer) will be unable to log in and will also trip the LF_MODSEC counter described below.

Step Four- CSF

Hopefully by now you already have a firewall installed however if you don’t you need to install ConfigServer Security & Firewall.

https://configserver.com/cp/csf.html

This is another easy install.

https://download.configserver.com/csf/install.txt

Once you have CSF installed, click the WHM icon at the top left to refresh the page. Search for firewall in the WHM search and select it. If you don't already have it set up, click Firewall Profiles under csf – ConfigServer Firewall and select one to fit your environment. I always start with protection_high and adjust some settings, so if you don't know how CSF works pick medium and apply the profile. It will ask you to restart csf & lfd.

Once the page refreshes, select Firewall Configuration and search for LF_MODSEC. The default is 3 or 5 depending on the profile you chose. Start with 3 while you monitor the blocks; I have mine set to 1 because I no longer get false positives on ModSec, so anyone who hits a ModSec rule once is automatically added to the firewall block list. I also have DENY_IP_LIMIT set to 5000 and DENY_TEMP_IP_LIMIT set to 1000. The right limit depends on your servers: unless you enable LF_IPSET, every entry is another iptables rule evaluated on each packet, so watch load as the list grows. I could set mine a lot higher but feel 5000 is a good limit.

One last step is setting up the lfd blocklists (csf.blocklists). You can find this on the main firewall screen (very bottom) after opening it from the WHM search. A few entries are there by default; I added two to my list. Below is my current blocklist config.

The two lists I added are the myip.ms Latest blacklist and the myip.ms user submitted blacklist. You may also not have the GreenSnow Hack List depending on your CSF version.

PLEASE NOTE: you may not be able to use all of these depending on your server size. Each list is another set of iptables rules, so add one or two at a time and slowly add the others over the next few days. Watch your server load and the load time of your clients' sites to make sure the firewall isn't slowing down your server.

# Spamhaus Don’t Route Or Peer List (DROP)
# Details: http://www.spamhaus.org/drop/
SPAMDROP|86400|0|http://www.spamhaus.org/drop/drop.lasso

# Spamhaus Extended DROP List (EDROP)
# Details: http://www.spamhaus.org/drop/
SPAMEDROP|86400|0|http://www.spamhaus.org/drop/edrop.lasso

# DShield.org Recommended Block List
# Details: http://dshield.org
DSHIELD|86400|0|http://www.dshield.org/block.txt

# TOR Exit Nodes List
# Set URLGET in csf.conf to use LWP as this list uses an SSL connection
# Details: https://trac.torproject.org/projects/tor/wiki/doc/TorDNSExitList
TOR|86400|0|https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.2.3.4

# Alternative TOR Exit Nodes List
# Details: http://torstatus.blutmagie.de/
ALTTOR|86400|0|http://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv

# BOGON list
# Details: http://www.team-cymru.org/Services/Bogons/
BOGON|86400|0|http://www.cymru.com/Documents/bogon-bn-agg.txt

# Project Honey Pot Directory of Dictionary Attacker IPs
# Details: http://www.projecthoneypot.org
HONEYPOT|86400|0|http://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1

# C.I. Army Malicious IP List
# Details: http://www.ciarmy.com
CIARMY|86400|0|http://www.ciarmy.com/list/ci-badguys.txt

# BruteForceBlocker IP List
# Details: http://danger.rulez.sk/index.php/bruteforceblocker/
BFB|86400|0|http://danger.rulez.sk/projects/bruteforceblocker/blist.php

# OpenBL.org 30 day List
# Set URLGET in csf.conf to use LWP as this list uses an SSL connection
# Details: https://www.openbl.org
OPENBL|86400|0|https://www.openbl.org/lists/base_30days.txt

# MaxMind GeoIP Anonymous Proxies
# Set URLGET in csf.conf to use LWP as this list uses an SSL connection
# Details: https://www.maxmind.com/en/anonymous_proxies
MAXMIND|86400|0|https://www.maxmind.com/en/anonymous_proxies

# Blocklist.de
# Set URLGET in csf.conf to use LWP as this list uses an SSL connection
# Details: https://www.blocklist.de
# This first list only retrieves the IP addresses added in the last hour
BDE|3600|0|https://api.blocklist.de/getlast.php?time=3600
# This second list retrieves all the IP addresses added in the last 48 hours
# and is usually a very large list (over 10000 entries), so be sure that you
# have the resources available to use it
#BDEALL|86400|0|http://lists.blocklist.de/lists/all.txt

# Stop Forum Spam
# Details: http://www.stopforumspam.com/downloads/
# Many of the lists available contain a vast number of IP addresses so special
# care needs to be made when selecting from their lists
#STOPFORUMSPAM|86400|0|http://www.stopforumspam.com/downloads/listed_ip_1.zip

# GreenSnow Hack List
# Details: https://greensnow.co
GREENSNOW|3600|0|http://blocklist.greensnow.co/greensnow.txt

# myip.ms Latest blacklist
# Set URLGET in csf.conf to use LWP as this list uses an SSL connection
# Details: https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_Real-time
MYIPMSBLACKLIST|86400|0|https://myip.ms/files/blacklist/csf/latest_blacklist.txt

# myip.ms user submitted blacklist
# Set URLGET in csf.conf to use LWP as this list uses an SSL connection
# Details: https://myip.ms/browse/blacklist/1/usrs/0/Yes_Blacklist_IP_Addresses_Live.html
MYIPMSUSERS|86400|0|https://myip.ms/files/blacklist/csf/latest_blacklist_users_submitted.txt

After you have made the changes above hit change and restart csf & lfd.

Bonus – modsec2.user.conf Bad Bots

We had a lot of issues with Baidu and Yandex using a lot of resources on clients' sites, so we decided to block them altogether. We also have a bad bot list we put together from resources online, which you can block via ModSec.

First, create a file named badbotlist.txt under /etc/apache2/conf.d/modsec/ (or create it on your computer and upload it there). The rule below resolves the file name relative to the directory of the config file that contains the rule, which is why it has to sit next to modsec2.user.conf. Put one User-Agent fragment per line; @pmFromFile matches any of them as a case-insensitive substring.

Add the text from this document into your file.

ModSec Bad Bots List: https://docs.google.com/document/d/1SjtAywpkLR6dX0Va_tKgpdMxAIOsHTf_xcMaQ5XK6no/edit?usp=sharing

Once you have the file, add this to your modsec/modsec2.user.conf (you can do this via ConfigServer ModSecurity Control):

SecRule REQUEST_HEADERS:User-Agent "@pmFromFile badbotlist.txt" "id:350001,rev:1,phase:1,deny,status:403,log,severity:2,msg:'BAD BOT - Detected and Blocked.'"

The explicit deny,status:403 matters: a rule with no disruptive action of its own inherits SecDefaultAction, which in a stock install is pass, so the match would only be logged (lfd would still block the IP once LF_MODSEC hits accumulate, but the request itself would go through). phase:1 lets the rule run as soon as the request headers are in, before the body is read.

Hit change / restart CSF & LFD

Bonus – modsec2.user.conf xmlrpc.php

While xmlrpc.php is blocked via the Apache config, I noticed some requests slipping through when the attacker went after /blog/xmlrpc.php. The reason is that FilesMatch matches the file Apache actually serves: when WordPress's permalink rewrite turns a path like /blog/xmlrpc.php (no such file on disk) into index.php, the request never touches xmlrpc.php, so the Step One block never fires. LocationMatch tests the request URI instead, so the ModSec rule below catches it wherever it appears in the path.

One caveat: Jetpack and the WordPress apps don't send a Referer either, so this rule also blocks xmlrpc POSTs from the IPs Step One allows. If you depend on that allow list for a client, exempt those addresses here as well (for example by chaining a REMOTE_ADDR check onto the rule).

Adding the code below will stop those attacks.

<LocationMatch "/xmlrpc\.php">
    SecRule REQUEST_METHOD "POST" "deny,status:401,id:48658231,log,chain,msg:'xmlrpc request blocked, no referrer'"
        SecRule &HTTP_REFERER "@eq 0"
</LocationMatch>

Bonus – Extra Modsec Rules

I also noticed some attackers prefixing the path with // (for example //xmlrpc.php) to get past the main block. Make sure the rule for this looks at the request path: QUERY_STRING only holds what follows the ? in the URL, so a rule on it never sees a leading double slash and instead fires on any query string that happens to contain a URL (such as ?redirect_to=http://...). Matching the start of the request URI catches the real case:

SecRule REQUEST_URI "@beginsWith //" "id:2894326,phase:1,t:none,log,redirect:http://127.0.0.1"
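Before turning LF_MODSEC down or pushing the rules from Step One, Step Three and the bonus sections onto a busy server, it helps to replay them against yesterday's access log and see which IPs they would have flagged and which would have ended up in the firewall. The script below is an added example for that dry run, not code from the post or from cPanel, CSF or ModSecurity: the log lines are constructed, the contents of badbotlist.txt and the LF_MODSEC value are assumptions, and "lfd would block" is approximated as one ModSecurity hit per offending request compared against LF_MODSEC. Run it over real lines from /var/log/apache2/domlogs (or /usr/local/apache/domlogs on older cPanel) before you deploy.

```python
"""Dry-run the blocking rules from this guide against Apache "combined" access-log lines."""
import ipaddress
import re
from collections import Counter, defaultdict

# Allow list from the Step One <FilesMatch> block. The .wordpress.com hostname
# entry is left out: it depends on reverse DNS, which a log line cannot reproduce.
XMLRPC_ALLOW = [ipaddress.ip_network(n) for n in (
    "192.0.64.0/18", "185.64.140.0/22", "2a04:fa80::/29",
    "76.74.255.84", "76.74.255.85", "192.0.65.204", "192.0.65.205",
    "192.0.80.244", "192.0.80.246", "192.0.96.247", "192.0.96.248",
    "192.0.123.250",
)]
BAD_BOTS = ["Baiduspider", "YandexBot"]   # assumed stand-in for badbotlist.txt
LF_MODSEC = 3                             # assumed CSF setting (the post runs 1 in production)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def apache_verdict(req):
    """Step One: xmlrpc.php / wp-trackback.php from outside the allow list is denied.

    FilesMatch matches the file Apache actually serves, which the log does not
    show, so only the site-root paths are treated as reaching the real files;
    a rewritten /blog/xmlrpc.php falls through to the ModSecurity rules.
    """
    path = req["uri"].split("?", 1)[0]
    if path not in ("/xmlrpc.php", "/wp-trackback.php"):
        return None
    ip = ipaddress.ip_address(req["ip"])
    if any(ip in net for net in XMLRPC_ALLOW):      # mismatched IP versions compare False
        return None
    return "apache-xmlrpc-allowlist"


def modsec_verdicts(req):
    """Rule ids from Step Three and the bonus sections that this request would trip."""
    hits = []
    path = req["uri"].split("?", 1)[0]
    no_referer = req["referer"] in ("", "-")
    if req["method"] == "POST" and path.endswith("/wp-login.php") and no_referer:
        hits.append(972687)       # wp-login POST without Referer
    if req["method"] == "POST" and path.endswith("/xmlrpc.php") and no_referer:
        hits.append(48658231)     # xmlrpc POST without Referer, in any directory
    if any(bot.lower() in req["ua"].lower() for bot in BAD_BOTS):
        hits.append(350001)       # @pmFromFile badbotlist.txt is case-insensitive
    if req["uri"].startswith("//"):
        hits.append(2894326)      # double-slash path prefix
    return hits


def replay(lines, lf_modsec=LF_MODSEC):
    """Return ({ip: [verdicts]}, {ips lfd would block once their hits reach lf_modsec})."""
    per_ip = defaultdict(list)
    modsec_hits = Counter()
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        verdict = apache_verdict(req)
        if verdict:
            # Apache's access check runs before ModSecurity phase 2 (the default phase
            # for rules that name none), so a denied request never reaches those rules.
            per_ip[req["ip"]].append(verdict)
            continue
        hits = modsec_verdicts(req)
        if hits:
            per_ip[req["ip"]].extend(f"modsec-{rule_id}" for rule_id in hits)
            modsec_hits[req["ip"]] += 1
    blocked = {ip for ip, n in modsec_hits.items() if n >= lf_modsec}
    return dict(per_ip), blocked


SAMPLE_LOG = [  # constructed for this example, using documentation-range addresses
    '203.0.113.10 - - [10/Jan/2018:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Jan/2018:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Jan/2018:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2018:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"',
    '192.0.96.247 - - [10/Jan/2018:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 200 "-" "Jetpack"',
    '198.51.100.9 - - [10/Jan/2018:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jan/2018:10:00:07 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Jan/2018:10:00:08 +0000] "GET //wp-login.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '198.51.100.30 - - [10/Jan/2018:10:00:09 +0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0)"',
]

if __name__ == "__main__":
    verdicts, blocked = replay(SAMPLE_LOG)
    for ip, v in verdicts.items():
        print(ip, v)
    print("lfd would block:", sorted(blocked))
```

Two things the replay makes visible that the rules alone don't: the allowed WordPress.com address 192.0.96.247 gets through Step One and is then caught by the xmlrpc no-referrer rule, and with LF_MODSEC at 3 only the repeat offender 203.0.113.10 lands in the firewall, whereas at 1 every single hit (including that Jetpack request) does.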

Bonus – Comodo ModSec

Comodo has a nice set of ModSec rules that you can add via ModSecurity™ Vendors inside WHM.

Here is a guide on install those rules.

https://help.comodo.com/topic-212-1-670-8350-.html

Bonus – Cloudflare Page Rules

Cloudflare allows you three page rules for free (if you need more, it's 5 dollars for 5 more). If you have a client that is still getting a lot of attacks, I highly suggest putting them on Cloudflare. Here is how I set up the page rules.

After the site is added to Cloudflare and the name servers have been changed and verified, go to Page Rules.

These are the three rules I'm using to block most attacks via Cloudflare.

Create a rule with the following matches.

First rule

(This rule is only for a bot or someone visiting wp-login.php and not the rest of your site)

URL Matches: *yourclientsdomain.com/wp-login.php*

First setting: Browser Integrity Check – On

Second setting: Security Level – I'm Under Attack

Second rule

(This rule is only for a bot or someone visiting /wp-admin and not the rest of your site. It's somewhat redundant since wp-admin redirects to wp-login.php, but it saves a PHP process doing the redirect.)

URL Matches: *yourclientsdomain.com/wp-admin*

First setting: Browser Integrity Check – On

Second setting: Security Level – I'm Under Attack

Third rule

(This rule is only for a bot or someone visiting xmlrpc.php and not the rest of your site)

URL Matches: *yourclientsdomain.com/xmlrpc.php*

First setting: Browser Integrity Check – On

Second setting: Security Level – I'm Under Attack

If a client has their own server because they use xmlrpc.php, change the security level on the xmlrpc.php rule to High. This will still block most bots while allowing the WordPress apps (Android, iPhone, Windows, etc.) and Jetpack to work, since those clients cannot pass the I'm Under Attack browser challenge. Otherwise, keep it on I'm Under Attack.

Final Steps

Monitor your ModSec Hit List by searching for ModSecurity™ Tools under WHM. Search and monitor the IPs getting blocked in the firewall to make sure legitimate traffic isn't being blocked.

Let me know if you have any questions.

If the information I provided helped you. Feel free to buy me a cup of coffee. Tips are always appreciated.
