03-BRUTEFORCE.conf

# tx.wprs_bruteforce_timespan
# tx.wprs_bruteforce_banperiod
# tx.wprs_bruteforce_threshold

SecRule tx:wprs_check_bruteforce "@eq 0" \
  "phase:1,\
  id:22100001,\
  pass,\
  nolog,\
  skipAfter:END_WPRS_BRUTEFORCE"

SecRule tx:wprs_check_bruteforce "@eq 0" \
  "phase:2,\
  id:22100002,\
  pass,\
  nolog,\
  skipAfter:END_WPRS_BRUTEFORCE"

SecRule tx:wprs_check_bruteforce "@eq 0" \
  "phase:3,\
  id:22100003,\
  pass,\
  nolog,\
  skipAfter:END_WPRS_BRUTEFORCE"

SecMarker BEGIN_WPRS_BRUTEFORCE

SecAction "phase:1,id:22100011,nolog,pass,initcol:ip=%{tx.wprs_client_ip}"

SecRule REQUEST_METHOD "^POST$" "phase:2,id:22100012,t:uppercase,nolog,pass,chain"
  SecRule REQUEST_FILENAME "^/wp\-login\.php$" "phase:2,id:22100012,nolog,chain"
    SecRule &IP:wprs_login_attempt "@eq 0" "id:22100012,nolog,chain"
      SecRule &ARGS_POST_NAMES:log "@ge 1" "phase:2,id:22000012,\
        log,\
      	rev:'1',\
      	severity:'6',\
      	maturity:'9',\
      	accuracy:'9',\
      	ver:'%{tx.wprs_version}',\
      	tag:'wordpress',\
      	tag:'login',\
        skipAfter:END_WPRS_LOGIN_INCREMENT,\
        setvar:ip.wprs_login_attempt=1,\
      	expirevar:ip.wprs_login_attempt=%{tx.wprs_bruteforce_timespan},\
      	logdata:'Count: %{ip.wprs_login_attempt} / Timespan: %{tx.wprs_bruteforce_timespan} / User: %{ARGS_POST:log}',\
        msg:'WordPress: Login Attempt'"

SecMarker BEGIN_WPRS_LOGIN_INCREMENT

SecRule REQUEST_METHOD "^POST$" "phase:2,id:22100013,t:uppercase,nolog,pass,chain"
  SecRule REQUEST_FILENAME "^/wp\-login\.php$" "phase:2,id:22100013,nolog,chain"
    SecRule IP:wprs_login_attempt "@lt %{tx.wprs_bruteforce_threshold}" "id:22100013,nolog,chain"
      SecRule IP:wprs_login_attempt "@ge 1" "id:22100013,nolog,chain"
        SecRule &ARGS_POST_NAMES:log "@ge 1" "phase:2,id:22000013,\
          log,\
      	  rev:'1',\
      	  severity:'INFO',\
      	  maturity:'5',\
      	  accuracy:'6',\
      	  ver:'%{tx.wprs_version}',\
      	  tag:'wordpress',\
      	  tag:'login',\
          setvar:ip.wprs_login_attempt=+1,\
          logdata:'Count: %{ip.wprs_login_attempt} / Timespan: %{tx.wprs_bruteforce_timespan} / User: %{ARGS_POST:log}',\
          msg:'WordPress: Login Attempt'"

SecMarker END_WPRS_LOGIN_INCREMENT

# Ban IP if login attempts == bruteforce threshold
SecRule IP:wprs_login_attempt "@eq %{tx.wprs_bruteforce_threshold}" "id:22100014,log,block,\
  setvar:ip.wprs_login_attempt=+1,\
  setvar:ip.wprs_bruteforce_banuntil=%{TIME_EPOCH},\
  setvar:ip.wprs_bruteforce_banuntil=+%{tx.wprs_bruteforce_banperiod},\
  rev:'1',\
  severity:'WARNING',\
  maturity:'5',\
  accuracy:'6',\
  ver:'%{tx.wprs_version}',\
  tag:'wordpress',\
  tag:'login',\
  logdata:'Ban IP Address %{tx.wprs_client_ip} until timestamp %{ip.wprs_bruteforce_banuntil}',\
  msg:'WordPress: Too many login attempts'"

# Too many logins attempts
SecRule IP:wprs_login_attempt "@gt %{tx.wprs_bruteforce_threshold}" "id:22100016,log,block,\
  rev:'1',\
  severity:'CRITICAL',\
  maturity:'5',\
  accuracy:'6',\
  ver:'%{tx.wprs_version}',\
  tag:'wordpress',\
  tag:'login',\
  logdata:'Blocked IP Address %{tx.wprs_client_ip} until timestamp %{ip.wprs_bruteforce_banuntil}',\
  msg:'WordPress: Too many login attempts'"

# Remove IP from Ban status if ban period expired
SecRule IP.wprs_bruteforce_banuntil "@lt %{TIME_EPOCH}" "id:22100015,log,pass,\
  setvar:ip.wprs_login_attempt=0,\
  setvar:ip.wprs_bruteforce_banuntil=9999999999,\
  rev:'1',\
  severity:'INFO',\
  maturity:'5',\
  accuracy:'6',\
  ver:'%{tx.wprs_version}',\
  tag:'wordpress',\
  tag:'login',\
  logdata:'IP: %{tx.wprs_client_ip}',\
  msg:'WordPress: Ban Expired'"



SecMarker END_WPRS_BRUTEFORCE