One of the most common attacks are Brute Force attacks on your WordPress site's xmlrpc.php or wp-login.php.
In a brute force attack the malicious script, which runs off server, tries a number of login combinations until it gains access to the site.
We will be using Fail2Ban framework. This framework monitors the server log files and looks for certain set patterns from each IP accessing the site.
Fail2Ban checks :
- vsftpd login failure
- SSH auth failure etc
Fail2ban is a python script, so make sure python is installed on your server.
To install fail2ban :
sudo apt-get update sudo apt-get install fail2ban
Configure fail2ban with default config settings :
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Next we define a new filter in /etc/fail2ban/filter.d and call it wordpress-auth.conf :
[Definition] failregex = ^ .*POST .*xmlrpc.php.* ^ .*POST .*login.php.* ignoreregex =
Now append the following code to the jail.conf file :
[wordpress] enabled = true port = http,https filter = wordpress logpath = /var/log/varnish/access.log maxretry = 3 bantime = 43200
Restart fail2ban and we are done :
sudo service fail2ban restart