Skip to content

Protecting WordPress with mod-security

This my blog and also other hosted websites running WordPress are target of bots trying passwords to wordpress admin and posting spam comments. I was unable to found simple plugin for comments dns blacklist, so I focused to mod-security.

This apache module is already packed in all common linux distributions. Problem is, that default rules are so huge and complicated. For example in debian after

apt-get install libapache-mod-security
a2enmod mod-security

installation like this, default rules will cause you many troubles with your websites. Default installation is useless..

I have deleted all default rules in /etc/apache2/mod-security/rules and my mod-security.conf contains only

SecDebugLog /var/log/apache2/mod-security.log
SecDebugLogLevel 1

# wp-login
# This has to be global, cannot exist within a directory or location clause . . .
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR}
<Locationmatch "/wp-login.php">
         # Setup brute force detection.
         # React if block flag has been set.
         SecRule user:bf_block "@gt 0" "deny,status:403,log,msg:'ip address blocked for 15 minutes, more than 15 login attempts in 5 minutes.'"
         # Setup Tracking.  On a successful login, a 302 redirect is performed, a 200 indicates login failed.
         SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0"
         SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/300"
         SecRule ip:bf_counter "@gt 15" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=900,setvar:ip.bf_counter=0"



#comments blacklist

SecAction "id:400000,phase:1,initcol:IP=%{REMOTE_ADDR},pass,nolog"
SecRule IP:spam "@gt 0" "id:400001,phase:1,chain,drop,msg:'Spam host %{REMOTE_ADDR} already blacklisted'"
SecRule REQUEST_METHOD "POST" chain
SecRule REQUEST_URI "\/wp-(comments-post|trackback).php"
SecRule REQUEST_METHOD "POST" "id:'400010',chain,drop,log,msg:'Spam host detected by zen.spamhaus.org'"
SecRule REQUEST_URI "\/wp-(comments-post|trackback).php" chain
SecRule REMOTE_ADDR "@rbl zen.spamhaus.org" "setvar:IP.spam=1,expirevar:IP.spam=604800"

First rule protect from password guessting attacks to wp-login. Simple rate limit.
Second rule protects wordpress comments from spam, blocks comments from IPs on DNS blacklist zen.

I have found this rules on some blogs and they are very usefull and effective.
Now all wordpress sites on my server are protected.

1 thought on “Protecting WordPress with mod-security”

Leave a Reply

Your email address will not be published. Required fields are marked *