xmlrpc wp-login are common attacks for WordPress installations, with CSF firewall
we can block them.
First we define in CUSTOMx_LOG the log directory from which CSF will be able to search for wp-login.php and xmlrpc.php requests.
Edit your /etc/csf/csf.conf like bellow:CUSTOM1_LOG = "/var/log/httpd/domains/*.log"
If you have use CUSTOM1_LOG use the others
After we have to create custom functions for CSF so it will be able to block those attacks.
We add the following rules to /usr/local/csf/bin/regex.custom.pm file. If it’s not there, create one.
Then we add bellow code :
# XMLRPCif (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
return ("WP XMLPRC Attack",$1,"XMLRPC","5","80,443","1");
}
# WP-LOGINSif (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
return ("WP Login Attack",$1,"WPLOGIN","5","80,443","1");
}
Finally we restart CSF and check if LFD is doing his new job :
csf -r.