Stop WordPress brute force on server level with CSF

Last edited: October 31, 2023
Reading time: 7 mins


WordPress is a popular content management system, but it’s also a prime target for hackers looking to gain unauthorized access through brute force attacks on the admin login page. To enhance security and protect your WordPress site from such threats, you can implement custom CSF (ConfigServer Security & Firewall) rules on your server. In this article, we’ll guide you through creating custom CSF rules with regex patterns to block WordPress admin brute force attacks at the server level.

Stopping brute force attacks at the server level is more efficient than relying on a plugin: the firewall drops the attacker's requests before they reach PHP and WordPress, so the server stops spending CPU, memory and database time on them. A plugin can only block an IP address at the application level, which means every blocked request is still received, handed to PHP and processed by WordPress before it is denied. The end result is the same, but each attempt costs the server far more because of the extra layers of processing involved.

Before proceeding, ensure you have access to CSF on your server. This may be available on both managed and unmanaged Virtual Private Servers (VPS), depending on your hosting environment. Usually it’s preinstalled by most hosting companies. If you are using a shared hosting plan, contact your hosting provider to inquire about CSF availability and permissions.

Understanding CSF and LFD (ConfigServer Security & Firewall and Login Failure Daemon)

CSF (ConfigServer Security & Firewall) is a powerful tool for managing server firewall rules on Linux-based systems. It simplifies the configuration and management of firewall rules using an easy-to-understand interface. CSF can also be extended with custom rules, allowing you to define specific patterns to identify and block malicious traffic.

LFD (Login Failure Daemon) is a critical component of CSF (ConfigServer Security & Firewall) that plays a pivotal role in enhancing server security. LFD is responsible for monitoring login attempts on your server and taking actions when it detects multiple failed login attempts or other suspicious login activity. Here’s a more detailed explanation of what LFD does:

  1. Monitoring Log Files: LFD constantly monitors log files on your server, particularly those related to login and authentication processes. Common log files it checks include /var/log/auth.log and custom log files specified in the CSF configuration.
  2. Detecting Failed Login Attempts: LFD scans these log files for patterns indicative of failed login attempts. This includes login attempts for SSH, FTP, cPanel, WHM, and other services that require authentication.
  3. Failed Login Thresholds: LFD allows you to set thresholds for the number of failed login attempts within a specified time frame. When these thresholds are exceeded, it considers the activity suspicious and takes action.
  4. Temporary IP Blocking: One of the primary actions LFD takes is temporarily blocking the IP address responsible for the suspicious login attempts. This temporary block is a security measure to prevent brute force attacks. By default, LFD uses the iptables firewall to implement these blocks.
  5. Email Notifications: LFD can send email notifications to server administrators when it detects and blocks suspicious login activity. These notifications provide details about the IP address, the service being targeted, and the reason for the block.
  6. Custom Rules: LFD allows you to create custom rules to specify how it should respond to specific events. You can define custom rules to block or unblock IP addresses based on your server’s security needs.
  7. CSF Integration: LFD is tightly integrated with CSF, making it easy to configure and manage server security settings from a single interface. This integration simplifies the process of creating custom firewall rules and managing access control.

In summary, LFD is a vital security component in CSF that actively monitors login attempts on your server, identifies suspicious activity based on predefined thresholds, temporarily blocks IP addresses involved in such activity, and sends notifications to server administrators. By effectively using LFD in conjunction with CSF, you can significantly enhance the security of your server and protect it from various types of login-related threats, including brute force attacks.

LFD and Its Custom Rule Features

One of the notable features of LFD is its ability to create and utilize custom rules, allowing server administrators to tailor its behavior to meet specific security requirements. Let’s delve deeper into LFD and its custom rule feature:

  • Flexibility and Customization: One of the standout features of LFD is its ability to create and apply custom rules. This feature allows server administrators to customize LFD’s behavior to align with their specific security needs and policies.
  • Rule Configuration: Custom rules can be configured to specify how LFD should respond to particular events or conditions. Administrators can define conditions, actions, and exceptions within these custom rules.
  • Examples of Custom Rules: Common use cases for custom rules in LFD include:
    • Blocking or unblocking IP addresses based on specific criteria.
    • Customizing notification messages and recipients.
    • Defining rules for monitoring and responding to specific log files or patterns.
    • Creating rules to match and respond to particular events, services, or users.

In short, LFD custom rules are a critical security component: they give administrators the flexibility to fine-tune security measures and to create tailored responses to specific security events or conditions. Let's see how to apply all of this to protect our WordPress websites and save valuable server resources.

Creating Custom CSF Rules for Blocking WordPress Admin Brute Force Attacks

To effectively block WordPress admin brute force attacks with custom CSF rules, follow these steps:

Access Your Server:

Log in to your server via SSH using a terminal or an SSH client like PuTTY, or, if you prefer editing the configuration files through a graphical interface, WinSCP.

Firstly we must configure the CUSTOM1_LOG parameter to point directly to the access.log file of the specific website you intend to protect or to any alternative log file where your hosting environment records relevant access data. This configuration is vital because it enables CSF to focus its monitoring efforts on the exact log file associated with the targeted website.

Locate csf.conf, which is usually at /etc/csf/csf.conf.

Then find the CUSTOM{i}_LOG = lines and add the path to your website's access.log as the value of the first parameter (CUSTOM1_LOG).

Locate the CSF Custom Rules File: In CSF, custom rules are defined in a separate file in the same /etc/csf/ directory. Typically, this file is named regex.custom.pm.

Edit the Custom Rules File and add the below rule:

# WordPress-LOGINS
# Expects a combined-format access log line: client IP, "- -", then the request. A failed
# WordPress login answers the POST to wp-login.php with a 200 (a successful login redirects).
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^(\S+)\s\-\s\-.*POST.*wp-login\.php HTTP.* 200/)) {
    # description, offending IP ($1), unique trigger name, failures before a block (5),
    # ports to block ("" = all ports), block length in seconds (36000 = ten hours)
    return ("WPLogAttk",$1,"wplogin","5","","36000");
}

In this rule, LFD reads the log file configured as CUSTOM1_LOG and matches POST requests to wp-login.php that were answered with HTTP status 200. This works because a failed login makes WordPress re-render the login form with a 200, whereas a successful login responds with a 302 redirect, so only failures are counted. Once the IP address captured by (\S+) (passed to LFD as $1) reaches the failure count given in the return statement within a short period, LFD blocks it on all ports ("") for the block length given in seconds (36000, i.e. ten hours) and logs the action under the trigger name wplogin.

Save and Exit: After adding your custom rules, save and exit the text editor.

Apply Custom Rules: To apply the custom rules, restart CSF with the following command:

csf -r

Monitor Blocked IPs: You can monitor blocked IP addresses by checking the lfd log or by running csf -g followed by the IP address in question, which reports whether the firewall currently holds a rule for it.

Bonus: WooCommerce and Contact Form 7 protection

To add brute force protection to the WooCommerce account login page and some rate limiting for form submissions from your website, use the following custom rules:

# WooCommerce Account login attack
# A failed My Account login is answered with a 200 (a success redirects), so POSTs to
# /my-account/ with status 200 are counted; 10 of them block the IP for an hour.
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^(\S+)\s\-\s\-.* "POST \/my-account\/ HTTP.* 200/)) {
    return ("WooAccLogAttk",$1,"wooacclog","10","","3600");
}
# Contact Form 7 form sent
# Rate limits REST submissions (POST .../contact-form-7/.../feedback). The HTTP version is
# matched as digits and dots so HTTP/2.0 request lines are counted as well as HTTP/1.1.
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^(\S+)\s\-\s\-.* "POST \/wp-json\/contact-form-7[^\s]*?(?=feedback HTTP\/[\d.]+" 200)/)) {
    return ("Cf7dos",$1,"cfdos","5","","3600");
}
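Before enabling the wp-login.php rule and the two bonus rules in lfd, it is worth checking them against real log lines. The following Python dry run (added here; it is not code from the article or from CSF) re-implements the three regexes with Python's re module, feeds them constructed combined-format access log lines and reports which IPs would reach each rule's failure count; the Contact Form 7 pattern is written to accept any HTTP version.

```python
import re
from collections import Counter

# Python re equivalents of the three regex.custom.pm rules on this page
# (Python's re supports every construct they use). The CF7 pattern accepts
# any HTTP version so HTTP/2.0 request lines count too.
# trigger name -> (pattern, failures before a block, block length in seconds)
RULES = {
    "wplogin": (re.compile(r'^(\S+)\s\-\s\-.*POST.*wp-login\.php HTTP.* 200'), 5, 36000),
    "wooacclog": (re.compile(r'^(\S+)\s\-\s\-.* "POST \/my-account\/ HTTP.* 200'), 10, 3600),
    "cfdos": (re.compile(
        r'^(\S+)\s\-\s\-.* "POST \/wp-json\/contact-form-7[^\s]*?(?=feedback HTTP\/[\d.]+" 200)'),
        5, 3600),
}

# Constructed access log lines using documentation-range IPs: 203.0.113.7 fails the
# WordPress login five times; 198.51.100.2 views the form (GET, 200) and then logs in
# successfully (302); 192.0.2.9 sends one Contact Form 7 submission over HTTP/2.
LOG_LINES = [
    '203.0.113.7 - - [31/Oct/2023:10:00:0%d +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"' % i
    for i in range(5)
] + [
    '198.51.100.2 - - [31/Oct/2023:10:00:06 +0000] "GET /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [31/Oct/2023:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [31/Oct/2023:10:00:08 +0000] "POST /wp-json/contact-form-7/v1/contact-forms/12/feedback HTTP/2.0" 200 512 "-" "Mozilla/5.0"',
]

def match_rule(name, line):
    """Return the client IP (what $1 captures in lfd) if line matches rule name, else None."""
    m = RULES[name][0].search(line)
    return m.group(1) if m else None

def simulate(lines):
    """Count matches per (trigger, IP); return {trigger: {ip: block_seconds}} for IPs that
    reached the rule's failure count. Real lfd also requires the failures to fall within
    its LF_INTERVAL time window, which this offline dry run does not model."""
    hits = Counter()
    for line in lines:
        for name in RULES:
            ip = match_rule(name, line)
            if ip:
                hits[(name, ip)] += 1
    blocked = {}
    for (name, ip), count in hits.items():
        _, threshold, seconds = RULES[name]
        if count >= threshold:
            blocked.setdefault(name, {})[ip] = seconds
    return blocked
```

Running simulate(LOG_LINES) reports only the repeated failed logins from 203.0.113.7, because the successful 302 login, the GET of the form and the single form submission never reach a threshold.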

Use CSF and protect your WordPress!

Creating custom CSF rules with regex patterns allows you to proactively block WordPress admin brute force attacks at the server level. These rules provide an additional layer of security by identifying and blocking suspicious access attempts to the WordPress admin login page. Remember to adjust the regex patterns and thresholds to match your specific security requirements. By implementing these custom CSF rules, you can significantly enhance the security of your WordPress website and protect it from unauthorized access.

🚀 Suggested Reading: CSF is definitely a life saver. If you are also interested in using a plugin for security, check our article about best Wordfence settings according to our opinion.