Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
litespeed_wiki:config:wordpress-protection [2017/12/20 14:30] Lisa Clarke [How to Enable LSWS WordPressProtect Feature on cPanel] |
litespeed_wiki:config:wordpress-protection [2020/01/23 19:37] (current) George Wang [Set "Trusted <ip>" in .htaccess to bypass the block] |
||
|---|---|---|---|
| Line 2: | Line 2: | ||
| A ‘brute force’ login attack is a type of attack against a website to gain access to the site by guessing the username and password, over and over again. WordPress is the most popular CMS and therefore it’s a frequent target of this type of attack. The ''wp-login.php'' and ''xmlrpc.php'' pages are the most common target of brute force attack by POST method. WordPress doesn’t have any built-in protection to prevent this, hence the need for a third-party solution. | A ‘brute force’ login attack is a type of attack against a website to gain access to the site by guessing the username and password, over and over again. WordPress is the most popular CMS and therefore it’s a frequent target of this type of attack. The ''wp-login.php'' and ''xmlrpc.php'' pages are the most common target of brute force attack by POST method. WordPress doesn’t have any built-in protection to prevent this, hence the need for a third-party solution. | ||
| - | Starting with version 5.2.3, LSWS has a built-in WordPress brute force attack protection system. It will protect shared hosting WordPress environments from large-scale brute force attacks, which have the potential to bring down entire servers. | + | Starting with version 5.2.3, LiteSpeed Enterprise has a built-in WordPress brute force attack protection system. It will protect shared hosting WordPress environments from large-scale brute force attacks, which have the potential to bring down entire servers. |
| + | |||
| + | WordPressProtect is also built into LiteSpeed Web ADC. | ||
| ===== How Brute Force Protection Works ===== | ===== How Brute Force Protection Works ===== | ||
| - | The newly introduced WordPress Protection directive is: ''WordPressProtect [off|on|drop|deny|throttle, ] <limit>'' \\ | + | The newly introduced WordPress Protection directive is: ''WordPressProtect [off|on|drop|deny|throttle|captcha, ] <limit>'' \\ |
| - | The action is optional, and defaults to ''throttle''. The limit can be set together with the action, and has a value of (0|1|5-1000) \\ | + | The action is optional, and defaults to ''throttle''. The limit can be set together with the action, and has a value of (0|1|2-1000) \\ |
| * ''0'' disables WordPress Protection. | * ''0'' disables WordPress Protection. | ||
| * ''1'', when used by a virtual host, defers to the setting used by the server. | * ''1'', when used by a virtual host, defers to the setting used by the server. | ||
| - | * ''5''-''1000'' enables WordPress protection and also specifies the login limit. (Values lower than ''5'' will be treated as ''5'', and values higher than ''1000'' will be treated as ''1000'') \\ | + | * ''2''-''1000'' enables WordPress protection and also specifies the login limit. (Values lower than ''2'' will be treated as ''2'', and values higher than ''1000'' will be treated as ''1000'') \\ |
| **Example:** | **Example:** | ||
| * ''WordPressProtect drop, 10'' | * ''WordPressProtect drop, 10'' | ||
| * ''WordPressProtect throttle, 20'' | * ''WordPressProtect throttle, 20'' | ||
| + | * ''WordPressProtect captcha, 2'' | ||
| + | |||
| + | **NOTE**: In order to use the ''captcha'' option, you need to configure the reCAPTCHA protection feature. Please see the | ||
| + | [[https://docs.litespeedtech.com/lsws/recaptcha/|How to Configure reCAPTCHA Protection]] guide for instructions. | ||
| This directive can be placed in the Apache configuration or ''.htaccess'' file. | This directive can be placed in the Apache configuration or ''.htaccess'' file. | ||
| Line 60: | Line 66: | ||
| and add: | and add: | ||
| <IfModule Litespeed> | <IfModule Litespeed> | ||
| - | WordPressProtect 5 | + | WordPressProtect throttle, 5 |
| </IfModule> | </IfModule> | ||
| Line 67: | Line 73: | ||
| You can also disable the feature globally: | You can also disable the feature globally: | ||
| <IfModule Litespeed> | <IfModule Litespeed> | ||
| - | WordPressProtect 0 | + | WordPressProtect off |
| </IfModule> | </IfModule> | ||
| Line 73: | Line 79: | ||
| <IfModule Litespeed> | <IfModule Litespeed> | ||
| - | WordPressProtect 15 | + | WordPressProtect throttle, 15 |
| </IfModule> | </IfModule> | ||
| or | or | ||
| <IfModule Litespeed> | <IfModule Litespeed> | ||
| - | WordPressProtect 0 | + | WordPressProtect throttle, 0 |
| </IfModule> | </IfModule> | ||
| Line 85: | Line 91: | ||
| <IfModule Litespeed> | <IfModule Litespeed> | ||
| - | WordPressProtect 0 | + | WordPressProtect throttle, 0 |
| </IfModule> | </IfModule> | ||
| Line 100: | Line 106: | ||
| |5|10|not set|10| | |5|10|not set|10| | ||
| |5|10|20|10| | |5|10|20|10| | ||
| + | |||
| + | ===== How to Enable LSWS WordPressProtect Feature on Plesk ===== | ||
| + | |||
| + | Everything should be same as cPanel. The only difference is in where to place the directives. | ||
| + | |||
| + | ==== Server-Level Configuration ==== | ||
| + | |||
| + | Edit the file ''/usr/local/psa/admin/conf/templates/custom/domain/domainVirtualHost.php''. | ||
| + | |||
| + | This file should be generated by the ''bash <(curl http://www.litespeedtech.com/packages/lscache/set_cache_root_policy.sh)'' script when you set up the cache root. If you haven't run it yet, please do so to enable cache root setup. | ||
| + | |||
| + | There are **two** blocks of the following code: | ||
| + | |||
| + | <code><IfModule Litespeed> | ||
| + | CacheRoot lscache | ||
| + | </IfModule></code> | ||
| + | |||
| + | We can insert the WordPressProtect code here, like so: | ||
| + | |||
| + | <code><IfModule Litespeed> | ||
| + | CacheRoot lscache | ||
| + | WordPressProtect throttle, 5 | ||
| + | </IfModule></code> | ||
| + | |||
| + | This will override the default server-level setting from ''10'' to ''5''. Be sure to run ''/usr/local/psa/admin/sbin/httpdmng --reconfigure-all'' to regenerate the configuration file, then ''/usr/local/lsws/bin/lswsctrl restart'' to restart LSWS so the new setting takes effect. | ||
| + | |||
| + | ==== Vhost-Level Setting ==== | ||
| + | |||
| + | {{ :litespeed_wiki:plesk:plesk-wp-protect.jpg |}} | ||
| + | |||
| + | In the Plesk domain page, as seen in the screenshot, navigate to **Apache & nginx Settings**, add the following directive in **Additional directives for HTTP** and **Additional directives for HTTPS**, then click **OK** or **Apply** to save it: | ||
| + | |||
| + | <code><IfModule Litespeed> | ||
| + | WordPressProtect throttle, 5 | ||
| + | </IfModule></code> | ||
| + | |||
| + | {{ :litespeed_wiki:plesk:plesk-wp-protect2.jpg |}} | ||
| + | |||
| + | Plesk users may also use `.htaccess` to override the server-level setting. | ||
| + | |||
| ===== Real Testing===== | ===== Real Testing===== | ||
| Line 184: | Line 230: | ||
| Brute force detected, throttle | Brute force detected, throttle | ||
| + | ===== Set "Trusted <ip>" in .htaccess to bypass the block and reCAPTCHA check ==== | ||
| + | |||
| + | Since LSWS 5.4RC1, LSWS added virtual host trusted IP support, where you use ''Trusted 1.2.3.4, 5.6.7.8'' for IPv4 or ''Trusted [2001:db8:85a3:8d3:1319:8a2e:370:7348]'' for IPv6 in Virtual Host document root .htaccess to unblock blocked IP and make that IP trusted for that vhost. | ||
| + | |||
| + | |||
| + | ===== Troubleshooting ===== | ||
| + | ==== WordPress Protection Block Never Seems to Expire === | ||
| + | |||
| + | Normally the WordPress protection block is expected to expire after 10 minutes, but a visitor is receiving constant 403 errors due to WordPress protection. The error log entry is as the following: | ||
| + | |||
| + | 2018-11-06 15:41:30.862784 [NOTICE] [24.96.xxx.xxx] bot detected for vhost [APVH_kevinandamanda.com], reason: WordPressBruteForce, close connection! | ||
| + | 2018-11-06 16:52:10.591124 [INFO] [108.162.237.188:58160] Client IP from header: 24.96.xxx.xxx, conn limit: 10000, cur conns: 13, access denied | ||
| + | 2018-11-06 16:54:10.851797 [INFO] [108.162.*.*:57936] Client IP from header: 24.96.xxx.xxx, conn limit: 10000, cur conns: 13, access denied | ||
| + | 2018-11-06 16:56:11.349033 [INFO] [108.162.*.*:57976] Client IP from header: 24.96.xxx.xxx, conn limit: 10000, cur conns: 13, access denied | ||
| + | 2018-11-06 16:58:11.819620 [INFO] [108.162.*.*:58196] Client IP from header: 24.96.xxx.xxx, conn limit: 10000, cur conns: 13, access denied | ||
| + | 2018-11-06 17:00:12.607042 [INFO] [108.162.*.*:58606] Client IP from header: 24.96.xxx.xxx, conn limit: 10000, cur conns: 13, access denied | ||
| + | 2018-11-06 17:02:13.371969 [INFO] [108.162.*.*:56922] Client IP from header: 24.96.xxx.xxx, conn limit: 10000, cur conns: 13, access denied | ||
| + | |||
| + | The visitor has been blocked for a few hours, and the block is removed after restarting LSWS. | ||
| + | |||
| + | The explanation: WP protection blocking is only removed if the IP stops access attempts for a full 10 minutes. If the visitor constantly hits the server, the blocking won't be lifted. Restarting the web server will remove all IP blocks immediately. | ||
| + | |||
| + | The bot-detection ''bot detected'' or ''WordPressBruteForce'' only log when a ''drop'' action is set. There won't be log entries for the ''deny'' and ''throttle'' actions. It is designed this way because ''drop'' is a more serious action, which blocks further requests from that IP (treated as unwanted botnet) and the log is for robot detection. | ||
| + | |||
| + | 2018-11-06 15:41:30.862784 [NOTICE] [24.96.xxx.xxx] bot detected for vhost [APVH_kevinandamanda.com], reason: WordPressBruteForce, close connection! | ||
| + | | ||
| + | Bot detection is one-time logging, while ''deny'' and ''throttle'' are per request, and it could become annoying with many repeated log messages. | ||