Brute Force Apache Log 503 Errors w/ Wordfence

  • Resolved oakley56fila

    (@oakley56fila)


    6 years, 5 months ago

    A few of my websites are being brute forced from time to time. Wordfence is doing a good job at blocking the IP, but what I’m seeing is that the IP address continues to hit the wp-login.php page and generates 503 errors in the Apache logs roughly every second. While this is taking place my server’s resource utilization shoots through the roof and it begins to cause OOM errors and dropping of services. When I block the offending IP (the one generating the 503 errors) in the server’s firewall, the server’s load reverts to normal and all is well again.

    Question: When Wordfence blocks an IP for brute forcing against the wp-login.php page does it serve up 503 errors to said IP?

    I’ve spoken with my server’s support techs on several occasions and they are recommending that I block bots and attempt to hide the wp-login.php file by moving it to a different location.

    Any insights would be extremely helpful, thank you.

Viewing 2 replies - 1 through 2 (of 2 total)

  • I’d like to make sure I’m understanding your situation correctly — are you continuing to see 503 responses related to an IP address that is already being blocked by Wordfence until you also add an IP block on the server? Also, just to confirm, have you already run through the Wordfence firewall optimization process (outlined here: https://www.wordfence.com/help/firewall/optimizing-the-firewall/)?

    When you go to Wordfence > Tools > Live Traffic, what are you seeing for requests for wp-login.php? There should be information about how Wordfence is handling blocking these requests.

    If you’re comfortable with moving wp-login, moving the page is not a bad idea for helping bring down the amount of server resources lost to attempts on the default path. If there isn’t any need to have users logging in to the system, you can also just block the wp-login.php path or whitelist it for known, trusted IP addresses. I would also recommend double-checking your settings at admin.php?page=WordfenceWAF&subpage=waf_options and make sure you have reasonable settings for login failures and time windows for attempts and length of time for blocking.

    Once you have Wordfence where you want it and have made any adjustments to the login page that you think are necessary, your server team may want to take a look at the overall performance of your server to make sure you’re not seeing resource exhaustion anywhere else as well. You may also want to check your caching strategies and look into other ways of offsetting server load, such as leveraging external caching through a CDN, which are great for helping reduce server load and a few offer useful additional tools and services as well.

    Please let me know if you have any further questions!

    Hello!

    I hope we were successful in helping you resolve your issue with Wordfence! Since we have not heard back from you in the past 2 weeks I will now be marking this support thread as resolved. However, if we still haven’t resolved your issue please reach out to us as we would be more than happy to further assist you!

    Thanks and have a great day!
    Chloe

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Brute Force Apache Log 503 Errors w/ Wordfence’ is closed to new replies.