Over the last few years there have been massive brute-force attacks against the wp-login.php page of WordPress sites.
A quick search for ways of dealing with these attacks returned methods that use mod_security to identify the attack and then ban the IP using a firewall. I wanted a simple way to ban the IP without using mod_security, so I wrote a bash script that checks how many login attempts have been made from each IP. If the count is unusually high, the IP gets temporarily banned using ConfigServer Firewall (csf). The script can be placed in crontab for frequent, automated checks.
Here is what you need to do.
Create a directory named wplogin (or whatever you want), enter the directory and create the script:
```bash
mkdir wplogin
cd wplogin
vi wplogin.sh
```
Copy and paste the following code into wplogin.sh:
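```bash
#!/bin/bash
###start editing
thold="100"   # ban an IP once it has more than this many wp-login.php hits
btime="359m"  # how long the temporary ban lasts
###stop editing

# Temp file for the offending IPs; mktemp avoids a predictable name in the cwd.
tmpfile=$(mktemp) || exit 1
trap 'rm -f "$tmpfile"' EXIT

# Count wp-login.php hits per IP across all domain logs (FTP logs excluded).
# -H forces the "file:" prefix that the first awk strips off.
grep -HF 'wp-login.php' /usr/local/apache/domlogs/* | grep -v ftp_log | awk -F : '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n | awk -v limit="$thold" '$1 > limit{print $2}' > "$tmpfile"

# Temporarily deny each offending IP with csf.
while IFS= read -r line
do
    /usr/sbin/csf -td "$line" "$btime" "banned for wordpress attack"
done < "$tmpfile"
```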
Make the script executable:
```bash
chmod +x wplogin.sh
```
Place it in crontab so it is executed automatically:
```
0 */6 * * * /path_to_script/wplogin/wplogin.sh
```
- You can change the threshold for how many times an IP must have hit the wp-login.php script before it gets blocked by changing the thold value (default is 100) at the beginning of the script. If you have users with very active WordPress sites who keep their logs for a month, make sure you set the thold value high enough so as not to ban valid users.
- You can change the amount of time the IP gets banned by changing the btime value at the top of the script (default is 6 hours).
  - For seconds, enter just the number of seconds you want the IPs to be banned, e.g. btime="3600" for 3600 seconds.
  - For minutes, enter the number of minutes you want the IPs to be banned followed by the letter "m", e.g. btime="6m" for 6 minutes.
  - For hours, enter the number of hours you want the IPs to be banned followed by the letter "h", e.g. btime="6h" for 6 hours.
  - For days, enter the number of days you want the IPs to be banned followed by the letter "d", e.g. btime="6d" for 6 days.
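To help pick a thold value that does not ban valid users, here is a dry-run variant of the counting step, added as an example and not part of the original script. It counts only POST requests to wp-login.php, skips allowlisted addresses, and prints the candidates instead of calling csf. The function names, the allowlist file and the sample log lines are all constructed for illustration.

```bash
#!/bin/bash
# Added example, not the original script: dry run of the counting step.
# It only prints candidate IPs and never calls csf.

# wp_offenders THOLD ALLOWFILE LOGFILE...
# Print "count ip" for each client with more than THOLD POST requests to
# wp-login.php, skipping addresses listed one per line in ALLOWFILE.
wp_offenders() {
    local thold="$1" allow="$2"
    shift 2
    # -h drops the "file:" prefix, so field 1 is the client address and
    # IPv6 addresses (which contain colons) are not split.
    grep -hE '"POST [^" ]*/wp-login\.php' -- "$@" |
        awk -v limit="$thold" -v allowfile="$allow" '
            BEGIN { while (allowfile != "" && (getline ip < allowfile) > 0) skip[ip] = 1 }
            !($1 in skip) { hits[$1]++ }
            END { for (ip in hits) if (hits[ip] > limit) print hits[ip], ip }
        ' | sort -rn
}

# emit COUNT IP METHOD: write COUNT constructed combined-format log lines.
emit() {
    local n=0
    while [ "$n" -lt "$1" ]; do
        printf '%s - - [10/Oct/2013:13:55:36 +0000] "%s /wp-login.php HTTP/1.1" 200 512\n' "$2" "$3"
        n=$((n + 1))
    done
}

# demo: run wp_offenders with threshold 3 over constructed sample logs.
demo() {
    local dir
    dir=$(mktemp -d) || return 1
    {
        emit 5 203.0.113.7 POST      # repeated login attempts
        emit 6 198.51.100.20 POST    # site owner, allowlisted below
        emit 9 192.0.2.9 GET         # page views only, no login attempts
        emit 2 192.0.2.9 POST
    } > "$dir/example.com"
    emit 4 2001:db8::5 POST > "$dir/example.org"
    echo 198.51.100.20 > "$dir/allow.txt"
    wp_offenders 3 "$dir/allow.txt" "$dir/example.com" "$dir/example.org"
    rm -rf "$dir"
}

demo
```

Run it against the real domlogs with the threshold you plan to use and check the printed list for known-good addresses before enabling the cron job.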
Awesome…ty.
Wow. What an awesome script. Well done man. Just what I was looking for and people were saying it was not possible. Server load went from 30 to 0.7 in under 2 minutes.