Edit /etc/csf/regex.custom.pm and add:
Code: Select all
# wordpress
if (($globlogs{CUSTOM4_LOG}{$lgfile}) and ($line =~ /(\S+).*] "POST \/wp-login\.php.*" 200/)) {
return ("Failed WordPress login from",$1,"wordpress","20","80,443","3600");
}
Then update /etc/csf/csf.conf and change CUSTOM4_LOG to scan your web server access logs. (If they aren’t doing so already). Eg. for Plesk: /var/www/vhosts/system/*/logs/access_log
That rule will block brute force attacks to wp-login.php for one hour. If you want to block them permanently just change the 3600 to 1.
Source: https://forum.configserver.com/viewtopic.php?t=8886#p25432
