On 06/06/2013 21:52, Ian wrote:
> I've got a Fail2Ban jail set up to ban anyone accessing any
> wp-login.php more than five times. It's just triggered a dozen times
> in a minute - there's another major burst of hack attempts going on.
>
> Especially if you or any clients have an account called 'admin' on a
> WP site - not a good idea, as it's the WP default and thus the primary
> one hackers go for - you want to watch out.
>
> Ian
>
> (Another eight triggers while writing this...)

I meant to post to the list about this too; I got hit on Tuesday to the
extent that my VPS OOMed.
After working out what was going on and adding to the fail2ban rules,
around 400 different IPs and around 2000 requests to wp-login.php were
blocked over the course of a couple of hours although it's died down
since.

If it helps anyone, my fail2ban filter:

[Definition]
# Continuation lines of a multi-line failregex must be indented.
failregex = [[]client <HOST>[]] WP login failed.*
            [[]client <HOST>[]] client denied.*wp-login.php

The first line requires a change to your WordPress theme to log failed
logins, described here:
http://blog.somsip.com/2012/02/using-fail2ban-to-protect-wordpress/
The second one comes from adding rules to .htaccess to deny requests
for wp-login.php and wp-admin to anything outside of the IP ranges I
use. The second rule should be sufficient; I added the first one a while
ago and didn't see any harm in leaving it.
Stuart
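
An added example, not part of the original posts: a check of the two failregex lines above against constructed Apache error_log lines, including a denied wp-admin request and one line in the Apache 2.4 layout, where the client field carries a port. The HOST pattern is a simplified stand-in for fail2ban's <HOST> tag, and the sample log lines, the text after "WP login failed" and the maxretry value are assumptions.

```python
import re
import warnings
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4/hostname only).
HOST = r"(?P<host>[\w\-.]+)"

# The two failregex lines from the filter above, unchanged.
FAILREGEX = [
    r"[[]client <HOST>[]] WP login failed.*",
    r"[[]client <HOST>[]] client denied.*wp-login.php",
]

with warnings.catch_warnings():
    # Python flags "[[]" as a possible nested set; it is still a literal "[".
    warnings.simplefilter("ignore", FutureWarning)
    COMPILED = [re.compile(r.replace("<HOST>", HOST)) for r in FAILREGEX]

# Constructed Apache error_log lines (documentation IP ranges, not real traffic).
P = "[Thu Jun 06 21:50:0%d 2013] [error] [client %s] %s"
DENIED = "client denied by server configuration: /var/www/blog/"
SAMPLE = (
    [P % (i, "203.0.113.7", DENIED + "wp-login.php") for i in range(3)]
    + [
        P % (3, "198.51.100.20", "WP login failed for username: admin"),
        P % (4, "203.0.113.7", DENIED + "wp-admin/"),  # denied, but not wp-login.php
        P % (5, "192.0.2.9", "File does not exist: /var/www/blog/favicon.ico"),
        # Apache 2.4 layout: port after the address and an AH01630 prefix.
        "[Thu Jun 06 21:50:06.000000 2013] [authz_core:error] [pid 1:tid 2] "
        "[client 203.0.113.99:51234] AH01630: " + DENIED + "wp-login.php",
    ]
)

def failures(lines):
    """Count failregex hits per client, the way fail2ban tallies retries."""
    hits = Counter()
    for line in lines:
        for rx in COMPILED:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break
    return hits

def to_ban(lines, maxretry=3):
    """Clients at or over maxretry (constructed threshold; findtime ignored)."""
    return sorted(h for h, n in failures(lines).items() if n >= maxretry)

if __name__ == "__main__":
    print(dict(failures(SAMPLE)), to_ban(SAMPLE))
```

The denied wp-admin request and the 2.4-style line are not counted by either pattern, so a filter like this needs re-testing (for example with fail2ban-regex) whenever the error log format changes.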