Imunify360 and wp-login attacks

1. Imunify360 and wp-login attacks
2. It seems that lately Imunify360 has been very bad at blocking wp-login.php attacks. Earlier their graylist blocked these quite nice but now it seems that lot of bots come through. They have a modsecurity rule "Wordpress Bruteforce RBL remote check", but that does not really do anything.
3. ++++++++++++++
4. list of top cheapest host http://Listfreetop.pw
5.  
6. Top 200 best traffic exchange sites http://Listfreetop.pw
7.  
8. free link exchange sites list http://Listfreetop.pw
9. list of top ptc sites
10. list of top ptp sites
11. Listfreetop.pw
12. Listfreetop.pw
13. +++++++++++++++
14.  
15. Have anyone else experienced the same? I think our old setup with CSF and Comodo WAF was more effectivce in blocking these attacks.
16.  
17. Best thing would be to redirect all users to Capcha when going to wp-login.php page.
18. We have recently switched to using RBL for blocking wordpress brute force attacks. We have seen several people who don't use web shield CDN proxying being affected - because they used CDN and no mod_remoteip. Maybe it is your case.
19. Otherwise, could you contact our support, so they can determine what is causing your issue.
20. Igor Seletskiy
21. CEO @ Cloud Linux Inc
22. http://www.cloudlinux.com
23. CloudLinux -- The OS that can make your Shared Hosting stable
24. CSF on Cloud Linux will block wp-login attacks quite effectively. It's quite common to deploy CSF on Cloud Linux servers
25.  
26. In fact some providers deploy CSF and Imunify360 together on Cloud Linux servers, so it'd be easy to block the wp-login attacks using CSF and use Imunify360 as an additional layer of protection.
27. @3FRSB recently posted a way to do just that using CSF.
28. We have recently switched to using RBL for blocking wordpress brute force attacks. We have seen several people who don't use web shield CDN proxying being affected - because they used CDN and no mod_remoteip. Maybe it is your case.
29. Otherwise, could you contact our support, so they can determine what is causing your issue.
30. How effective is Imunify360 at blocking WP brute force attacks when Cloudflare is involved?
31.  
32. For example, lets say a client is using Cloudflare directly (not through the hosts cPanel plugin) and using Cloudflare's nameservers. So the host does not have the ability to manage the Cloudflare account in order to block the original/real IP address as they would if the client were using Cloudflare from the hosts cPanel.
33.  
34. hosting your own baby shower
35. hosting 5gb
36. g5u.pw
37. 1 domain drive
38. downloadmygifts.com
39. www.thinklinx.com
40. hosting 5 gb
41. domain functional level
42.  
43. So while mod_cloudflare or mod_remoteip will allow the connection to be logged as the real IP of the connecting machine, the connection is still coming from the Cloudflare IP address.
44.  
45. The host obviously cannot block the Cloudflare IP address because it would affect all clients using Cloudflare on that server, but cannot block the offending real IP either because the attack is technically coming from the Cloudflare IP and not the real IP of the attacker.
46. It is fully effective as long as you either:
47. 1. enable WebShield CDN proxy
48. 2. OR setup mod_remoteip and correctly pickup cloudflare headers / real IP
49.  
50. We are blocking WP brute force attacks using modsec/RBL -- and not blocking them on firewall level.
51. Igor Seletskiy
52. CEO @ Cloud Linux Inc
53. http://www.cloudlinux.com
54. Thank you @iseletsk that makes sense.
55. I think that an "under attack" button would be great. When turned on, every request to wp-login.php would go though captcha. Would this be possible? Or can it already be done with some custom rules?
56. With CloudFlare active, you could have a page rule or .htaccess to block traffic towards /wp-login.php directly (and also with BIC - Browser Integrity Check), then use wps-hide-login plugin to change the actual login URL. Then every hit towards /wp-login.php you can just deny (but not block)
57. From my Wordpress experience, the best practice to avoid wp-login attacks is to alter the login url as @zacharooni have mentioned.
58. Even though if you have a firewall, it will block those requests, but "if" - for whatever reason- they broke through your firewall, the admin login URL will be a whole different level of challenge.
59. When it comes to shared hosting environment, users do not know or do not care about this so the best protection will always be from the server level and not just via firewall alone.
60. all the user has to do is ensure that they run something like wordfence. This doesnt help overuse of server resources in tackling these unwanted attacks obviously, however, i get far more from mail server probes than from websites.
61. How effective is Imunify360 at blocking WP brute force attacks when Cloudflare is involved?
62.  
63. For example, lets say a client is using Cloudflare directly (not through the hosts cPanel plugin) and using Cloudflare's nameservers. So the host does not have the ability to manage the Cloudflare account in order to block the original/real IP address as they would if the client were using Cloudflare from the hosts cPanel.
64.  
65. So while mod_cloudflare or mod_remoteip will allow the connection to be logged as the real IP of the connecting machine, the connection is still coming from the Cloudflare IP address.
66.  
67. The host obviously cannot block the Cloudflare IP address because it would affect all clients using Cloudflare on that server, but cannot block the offending real IP either because the attack is technically coming from the Cloudflare IP and not the real IP of the attacker.
68.  
69. Thanks!
70. If the info is of any use (not an expert):
71.  
72. My WordPress website, using Cloudflare tested.
73. Testing with Owasp ZAP passive scan, it got blocked by WordFence, not by the hosting server.
74. Though it could be that WordFence just had a bit lower blocking threshold (fewer failed login attempts).
75. Mostly harmless?
76. When it comes to shared hosting environment, users do not know or do not care about this so the best protection will always be from the server level and not just via firewall alone.
77. That is true. Sometimes customers will install plugins like WordFence but using plugins like that can cause high resource usage for their own account thus slow their own sites down. It is best protected at the server level i.e have security use resources from the server itself, not custom plugins making customer hit LVE limits quicker.
78.  
79. Quote Originally Posted by goannawebsites View Post
80. all the user has to do is ensure that they run something like wordfence. This doesnt help overuse of server resources in tackling these unwanted attacks obviously, however, i get far more from mail server probes than from websites.
81. That is not that good. It can slow your own sites down due to hitting LVE limits. Let software at server level take care of it like CSF+Comodo or Imunify360.
82. HostXNow Cloud Hosting - Powered by cPanel.
83. HostXNow Reseller Hosting - Powered by cPanel/WHM.
84. Let software at server level take care of it like CSF+Comodo or Imunify360.
85. From the first post:
86. Quote Originally Posted by HostingSE View Post
87. It seems that lately Imunify360 has been very bad at blocking wp-login.php attacks.
88. It's that he's complaining about.
89. Show your support for everyone affected by the Australian bush fires, and those fighting them
90. We do something similar adding a captcha challenge to the WP login URL.
91. This solution has proved us to be a very effective and simple solution.
92. Unfortunately some users setup Cloudflare on their own without notifying us.
93. WP Hide is a popular solution to hide login url. Only known users, which is mostly a single admin user will know the login URL.
94. Default login URL will be a 404.
95. BountySite: Website Time Machine with Offsite Security Scanning
96. Adding Value and Revenue to your Hosting