OneSite catch up & WordPress Brute Force Attacks!?

fvsegarra Member
edited June 2017 in General

Hi there,

It's been 4 months since we released OneSite and it's meeting all our expectations. We've already got various servers and several thousands of free clients, and have been constantly updating everything until we've become quite stable. We will release our PRO Plan within 3 months, and we expect to start being profitable from then on, after making this initial investment. Everything's really going as expected :) We therefore expect to be profitable from April on, after having been investing money from September 2016 until then. We wanted to prove that an initial investment on free hosting is more effective than an initial investment with a paid hosting brand straight away, due to the current market situation.

Anyway, I had a quick question. Most of the processes which are using the most CPU in our servers are WordPress related. Wp-admin.php is usually the king in the top processes if you take the daily process log of our servers at any given day. We've got the usual firewall set up and our servers also use CloudLinux and feature DDOS Protection. We also have cphulk which was designed to prevent brute force attacks. In addition, the POST requests don't seem to be showing any signs of an attack. Therefore, I'm not sure why this is happening.
I'm not sure if this issue is due to brute force attacks. Any ideas?

So that was it! Thanks for reading and for any possible help on the WP topic!!!

Thanked by 1Blazing

Comments

  • Could you please give some links to site which are running WP on your service?

  • Unfortunately, we cannot share this kind of information. The information of our clients (name, email, website etc) is theirs.

  • Tamerciaga Member, Host Rep

    @sonic said:
    Could you please give some links to site which are running WP on your service?

    Take a look here:
    https://onesite.co/community/

    You can find customers websites easily.

    @fvsegarra
    Several thousands of free clients? Your nameservers return 268 domains:
    http://whois.domaintools.com/axagame.net

  • Yura Member
    edited January 2017

    Burned!

    OP seems to be doing a good thing by providing free and not ad riddled services for community.

  • fvsegarra Member
    edited January 2017

    We've got 5700 clients registered right now at OneSite, to be precise
    Many of these clients are pointing to OneSite through CloudFlare or similar.
    We recently ran a DNS report and around 2500 clients out of these 5700 are resolving to our server. More info regarding stats can be found here btw: https://onesite.co/community/index.php/735-let-s-do-it

    In any case, we wanted to see how to reduce the resources used by WordPress clients haha

  • Where are your servers located? I visited some sites but the speed was very slow.

  • The only way I did stop wp-admin.php brute force attacks was to add this to .htaccess:

    ```
    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    RewriteCond %{REMOTE_ADDR} !^46.9.xxx.xxx$
    RewriteCond %{REMOTE_ADDR} !^31.220.xxx.xxx$
    RewriteCond %{REMOTE_ADDR} !^91.189.xxx.xxx$
    RewriteRule ^(.*)$ - [R=403,L]
    </IfModule>
    ```

    But of course very impracticable for your customers. I decided that I'm the only one with access to wp-admin, and the only person that can edit sites on my server.
    That's fine for my customers, but on your site, I don't think so.
    But after this was added to each site, there were no more brute force attacks.

    Thanked by 1Blazing
  • @fvsegarra maybe this site can give you some ideas to potentially try? https://www.bybe.net/ways-to-stop-wordpress-brute-force-attacks/ not my site but it seems to have lots of suggestions

  • @myhken said:
    The only way I did stop wp-admin.php brute force attacks was to add this to .htaccess:

    ```
    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    RewriteCond %{REMOTE_ADDR} !^46.9.xxx.xxx$
    RewriteCond %{REMOTE_ADDR} !^31.220.xxx.xxx$
    RewriteCond %{REMOTE_ADDR} !^91.189.xxx.xxx$
    RewriteRule ^(.*)$ - [R=403,L]
    </IfModule>
    ```

    But of course very impracticable for your customers. I decided that I'm the only one with access to wp-admin, and the only person that can edit sites on my server.
    That's fine for my customers, but on your site, I don't think so.
    But after this was added to each site, there were no more brute force attacks.

    Unnecessary. Just add http auth and take care of bruteforce attacks at the webserver level rather than processing them through php/mysql.

  • Our servers are currently in the US, but we do plan on adding more locations.
    And alright, I've fwd this conversation to our tech team so that they all keep an eye on it. You're giving us very valuable suggestions on how to reduce WP load!! :D Thanks a lot guys :)

  • armandorg Member, Host Rep
    edited January 2017

    Not topic related, however I think I have seen your name before, 2freehosting? Did you close that?

  • yep, a bit off topic, but I worked at 2FreeHosting a few years ago. It's part of Hostinger International. OneSite is my first serious and owned project

    Thanked by 1ZiriusPH
  • armandorg Member, Host Rep

    Yeah I noticed that. Well you know what they say right? Start small, grow big ;)

    Good luck on achieving your goals!

  • Thanks a lot!
    If you guys need anything I might be able to help with, do let me know too :)

  • Jonchun said: Unnecessary. Just add http auth and take care of bruteforce attacks at the webserver level rather than processing them through php/mysql.

    Just wanted to second this.

  • Jonchun said: Unnecessary. Just add http auth and take care of bruteforce attacks at the webserver level rather than processing them through php/mysql.

    Can you give an example? Where do I need to make that change?

  • M66B Veteran
    edited January 2017

    An approach is to use fail2ban, see here about how to: https://www.lowendtalk.com/discussion/comment/701454/#Comment_701454

    Note that the given rules might need tweaking for your situation / web server.

    Edit: this is the current fail2ban filter set I am using, which includes the new WP REST API (JSON) and automatically blocks lots of IPs every day:

    **jail.local**

    ```
    [DEFAULT]
    ignoreip = 127.0.0.1/8
    #action = %(action_mwl)s
    destemail = [email protected]
    maxretry = 3
    findtime = 3660
    bantime = 259200
    ```

    Note that especially maxretry and bantime might need tuning in your situation to not lock out users too soon for a long time (3 days).

    ```
    [wordpress-auth]
    enabled = true
    port = http,https
    filter = wordpress-auth
    logpath = /var/log/nginx/access.log

    [wordpress-register]
    enabled = true
    port = http,https
    filter = wordpress-register
    logpath = /var/log/nginx/access.log

    [wordpress-xmlrpc]
    enabled = true
    port = http,https
    filter = wordpress-xmlrpc
    logpath = /var/log/nginx/access.log

    [wordpress-json]
    enabled = true
    port = http,https
    filter = wordpress-json
    logpath = /var/log/nginx/access.log
    ```

    **filter.d/wordpress-auth.conf**

    ```
    [Definition]
    failregex = ^<HOST> .* "POST .*/wp-login.php.* HTTP/.*" .*$
    ignoreregex =
    ```

    (this doesn't need the WordPress HTTP 401 patch)

    **filter.d/wordpress-register.conf**

    ```
    [Definition]
    failregex = ^<HOST> .* "POST .*/wp-login.php\?action=register HTTP/.*" .*$
    ignoreregex =
    ```

    **filter.d/wordpress-xmlrpc.conf**

    ```
    [Definition]
    failregex = ^<HOST> .*POST .*xmlrpc.php.*
    ignoreregex =
    ```

    **filter.d/wordpress-json.conf**

    ```
    [Definition]
    failregex = ^<HOST> .* ".* .*/wp-json/wp/.* HTTP/.*" .*$
    ignoreregex =
    ```

  • @myhken said:

    Jonchun said: Unnecessary. Just add http auth and take care of bruteforce attacks at the webserver level rather than processing them through php/mysql.

    Can you give an example? Where do I need to make that change?

    Something like htpasswd, that's what he meant I guess.

    Thanked by 2myhken ratherbak3d
  • You seem to go the way of adding ever more software, tools, add ons - which actually increases the load on your server.

    You want to make sure to deal with any kind of brute force attacks at the lowest level and as early as possible.

    If you do it with, say, an add on or some php code ... the attack goes through the kernel, then the http server, then the fcgi engine, then the php interpreter. And whatever you do gets more expensive the later/higher up in the stack you do it.

    Doing something in a php add on is thousands of times more expensive than doing it in the kernel!

    My suggestion would be to create an "assholes" table in your firewall and to have some - preferably not php but C - program to tail the server logs and to scan it for trash/attacks, and to then block the offending IPs for some time by adding them to the fw's asshole table.

    Thanked by 1Microlinux
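The loop that both the fail2ban jails posted above and the "tail the logs, scan for attacks, block the IP for a while" suggestion describe, as an added example that is not code from the thread or from fail2ban: it applies the posted failregexes with the posted maxretry/findtime/bantime values to a constructed nginx access log and reports which IPs would be banned and until when. The function and constant names and the sample log lines are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The thread's failregexes as Python regexes: fail2ban's <HOST> tag becomes a named
# group, and dots in file names are escaped (the originals leave them unescaped).
HOST = r"^(?P<host>\S+)"
FILTERS = {
    "wordpress-auth":     re.compile(HOST + r' .* "POST .*/wp-login\.php.* HTTP/.*" .*$'),
    "wordpress-register": re.compile(HOST + r' .* "POST .*/wp-login\.php\?action=register HTTP/.*" .*$'),
    "wordpress-xmlrpc":   re.compile(HOST + r' .*POST .*xmlrpc\.php.*'),
    "wordpress-json":     re.compile(HOST + r' .* ".* .*/wp-json/wp/.* HTTP/.*" .*$'),
}
MAXRETRY, FINDTIME, BANTIME = 3, 3660, 259200  # jail.local [DEFAULT] values from the post

def parse_ts(line):
    """Pull the combined-log timestamp ([10/Jan/2017:10:00:01 +0000]) out of a line."""
    m = re.search(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})", line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")

def scan(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay fail2ban's counting: an IP is banned once one jail's filter has
    matched it maxretry times inside a findtime-second window.
    Returns {ip: (jail, unban_at)}; fail2ban would run the iptables action instead."""
    hits = defaultdict(deque)  # (jail, ip) -> timestamps of hits still inside the window
    banned = {}
    for line in lines:
        for jail, rx in FILTERS.items():
            m = rx.match(line)
            if not m:
                continue
            ip, ts = m.group("host"), parse_ts(line)
            window = hits[(jail, ip)]
            window.append(ts)
            while (ts - window[0]).total_seconds() > findtime:  # expire stale hits
                window.popleft()
            if len(window) >= maxretry and ip not in banned:
                banned[ip] = (jail, ts + timedelta(seconds=bantime))
    return banned

# Constructed sample access log (documentation IP ranges), not a real server log.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2017:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3478 "-" "python-requests/2.9"
203.0.113.7 - - [10/Jan/2017:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3478 "-" "python-requests/2.9"
198.51.100.4 - - [10/Jan/2017:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2150 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2017:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3478 "-" "python-requests/2.9"
192.0.2.9 - - [10/Jan/2017:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
192.0.2.9 - - [10/Jan/2017:13:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
192.0.2.9 - - [10/Jan/2017:13:00:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
"""
```

With the posted values, `scan(SAMPLE_LOG.splitlines())` bans only 203.0.113.7 (three wp-login.php POSTs in three seconds, unbanned three days later); the xmlrpc.php client escapes because its first hit falls outside the 3660-second findtime window, which is the kind of tuning the post warns about.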
  • M66B Veteran
    edited January 2017

    My suggestion would be to create an "assholes" table in your firewall and to have some - preferably not php but C - program to tail the server logs and to scan it for trash/attacks, and to then block the offending IPs for some time by adding them to the fw's asshole table.

    That is basically what fail2ban does, except that it is written in Python.

  • php or python, no big difference.

    Such stuff is low level stuff and needs to be light on resources and cpu - which none of the major interpreted languages is.

    But OK, it's certainly better than a wp add on.

    Thanked by 1BeardyUnixGuy
  • bsdguy said: php or python, no big difference

    bsdguy said: none of the major interpreted languages is

    Thank you @bsdguy! I've found a fellow dinosaur that is seemingly more stubborn and set in his ways than I am. We'll continue growing older and treating everything as if it were a nail. Now where's my hammer?!? ;-)

    Thanked by 1Junkless
  • hehe, @BeardyUnixGuy

    Dinosaur, yes (and ugly, too). But every problem a nail? Nope. I have a quite versatile toolset in my old stubborn head and on my disk.

    And btw, I like python a lot. Just not for that kind of stuff (sensitive, time critical, resource sensitive).

    You see, attacks nowadays usually contain at least some DOS part, so being quick and light is of the essence for such a tool.
    In the end it's a race; your little VPS or dedi against millions of script kiddies out there who can shoot billions of packets at your box. In that situation one certainly doesn't want to have a factor 1000 lead-ball on one's legs (php or python script vs firewall) and one also does not want to waste memory (or threads, for that matter, with 8 MB stack a piece ...).

    For those who hate (or don't know) a decent professional compiled language I'd at least recommend a look at lua. I don't use it myself but I've heard (credibly) that lua is fast and light (for an interpreted thingy).

  • I put my Shared Hosting behind pfSense + Snort + pfBlockerNG.
    It does good I'd say. I don't have that many sites on my server but I didn't get hacked once in the last 2 years. Even spam decreased.

  • M66B Veteran
    edited January 2017

    @bsdguy said:

    In the end it's a race; your little VPS or dedi against millions of script kiddies out there who can shoot billions of packets at your box. In that situation one certainly doesn't want to have a factor 1000 lead-ball on one's legs (php or python script vs firewall) and one also does not want to waste memory (or threads, for that matter, with 8 MB stack a piece ...).

    fail2ban scans with Python, but the actual blocking is done with iptables.

    I agree that the scanning part could be more efficient and faster, please do suggest a better alternative if you know one, but in the end it is a trade off between the CPU wasted by scanning and the CPU wasted by handing useless or even malicious calls to WordPress. In my experience using fail2ban reduces the overall CPU usage quite a lot, which is what the OP was searching for, as I understood it.

    Thanked by 1Falzo
  • @M66B said:

    @bsdguy said:

    In the end it's a race; your little VPS or dedi against millions of script kiddies out there who can shoot billions of packets at your box. In that situation one certainly doesn't want to have a factor 1000 lead-ball on one's legs (php or python script vs firewall) and one also does not want to waste memory (or threads, for that matter, with 8 MB stack a piece ...).

    fail2ban scans with python, but the actual blocking is done with iptables.

    I agree that the scanning part could be more efficient and faster, please do suggest a better alternative if you know one, but in the end it is a trade off between the CPU wasted by scanning and the CPU wasted by handing useless calls to WordPress. In my experience using fail2ban reduces the overall CPU usage quite a lot, which is what the OP was searching for, as I understood it.

    Full ack. Fail2ban is the way to go here.

    Its script is not to be compared with filtering done by php as it is not called on every connection and not even via the webserver...

    In addition certain general blocklists via ipset might help against different attacks...

    Thanked by 1M66B
  • M66B Veteran

    @Falzo said:
    In addition certain general blocklists via ipset might help against different attacks...

    I and likely the OP too would appreciate more details on this.

  • @M66B said:

    @Falzo said:
    In addition certain general blocklists via ipset might help against different attacks...

    I and likely the OP too would appreciate more details on this.

    imho a good starting point would be: https://github.com/trick77/ipset-blacklist

    lots of different maintained blocklist to use depending on what you want to achieve: https://github.com/firehol/blocklist-ipsets

    there also is an older howto in the tutorial section if I am not mistaken... just too lazy to search right now ;-)

    Thanked by 2M66B imok
  • For your clients using WordPress, recommend or set up for them the following free plugin:

    https://wordpress.org/plugins/wordfence/

    Or set up password protection for the login page and others.

    I also use modsec and CSF firewall rules.

    Good luck.

  • sin Member

    I set up a logfile in nginx.conf that logs certain things to /var/log/nginx-blocked.log and I have fail2ban monitor that file and ban scan attempts, people trying to access admin pages, etc.
