phpAddict
Active Member
With so many of my accounts being WordPress sites these days, I was constantly being alerted by CSF of excessive resource usage on wp-login.php pages several times a day. Even though I have plugins installed that ignore logins after a few failed attempts, hackers wouldn't notice that or the scripts wouldn't stop, so they continued to hammer my server. CSF is great, but since it didn't provide IP addresses of the offenders in the email alerts I always had to log in and view recent visitors on that account, find the offending IP, go back into CSF and blacklist the IP. Only takes a few minutes, but it gets to be annoying after a while, and when it happens in the middle of the night I don't notice it until the next morning. So I began thinking of a way to get WordPress and CSF to work together to automatically block these IPs, and of course someone already did, so I figured I'd share since I'm sure I'm not the only one with this issue...
https://smyl.es/how-to-block-wp-log...panel-mod-security-and-configserver-firewall/
I changed some of the timings (10 failed logins within 15 minutes will block for 60 minutes). It's optional to have it tied in with CSF, and it seems it may increase resource usage, which may be an issue on VPSs. If you do enable mod_security and CSF to commingle then the temporary block will not work; as soon as mod_security's rule is triggered CSF will go into action and add the IP to the permanent deny list. Not necessarily a problem, but important to understand so you know where to correct users that manage to get themselves blocked (of course that would never happen).
I plan to take this small list of rules and apply it to other pages that seem to get hammered on my server (contact forms, custom login pages, etc.)
I saw from previous threads and their website that there are other common rules to add to ModSecurity, and @Dan you seem to use it religiously. Do these rules change regularly? Would you recommend applying any particular rule sets? I read some are buggy or cause excessive resource usage so I'd like to hear from someone that's used it for a while.
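The threshold described in the post (10 failed logins within 15 minutes, then a 60-minute block), as an added Python example that is not part of the original post or the linked article: it replays constructed Apache combined-log lines and reports which IPs the rule would block, which is useful for checking timings before enabling them. It assumes a failed WordPress login is a POST to wp-login.php answered with 200 and a successful one with 302; the function names and sample data are hypothetical.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILS = 10                     # block on the 10th failure ...
WINDOW = timedelta(minutes=15)     # ... seen inside this window
# Models the ModSecurity-only temporary block; per the post, with CSF tied in
# the IP goes to the permanent deny list instead.
BLOCK_FOR = timedelta(minutes=60)

# Assumption: combined log format; failed login = POST wp-login.php -> 200.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def find_blocks(lines):
    """Return [(ip, blocked_from, blocked_until)] for IPs over the threshold."""
    fails, blocked_until, blocks = defaultdict(deque), {}, []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                       # unparseable line: ignore
        ip, ts, method, path, status = m.groups()
        if method != "POST" or not path.split("?")[0].endswith("/wp-login.php"):
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if ip in blocked_until and when < blocked_until[ip]:
            continue                       # already denied, nothing to count
        if status == "302":
            fails[ip].clear()              # successful login resets the counter
            continue
        if status != "200":
            continue
        q = fails[ip]
        q.append(when)
        while when - q[0] > WINDOW:        # drop failures older than the window
            q.popleft()
        if len(q) >= MAX_FAILS:
            blocked_until[ip] = when + BLOCK_FOR
            blocks.append((ip, when, blocked_until[ip]))
            q.clear()
    return blocks

def sample_lines():
    """Constructed log lines using documentation IP ranges, not real traffic."""
    fmt = '{ip} - - [12/Mar/2024:02:{m:02d}:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" {st} 1234'
    bot = [fmt.format(ip="203.0.113.7", m=i // 2, s=30 * (i % 2), st=200) for i in range(12)]
    user = [fmt.format(ip="198.51.100.20", m=20 + i, s=0, st=st)
            for i, st in enumerate([200, 200, 200, 302])]   # 3 typos, then success
    return bot + user
```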