LiteSpeed - Built-in WordPress brute force protection (new feature)

vovler Member
edited December 2017 in General

A new feature has been introduced in LiteSpeed: WordPress brute-force protection.
It works on wp-login and xmlrpc and drops the connection for X time after X failed login attempts.

Release log: https://www.litespeedtech.com/products/litespeed-web-server/release-log
Wiki: https://www.litespeedtech.com/support/wiki/doku.php/litespeed_wiki:config:wordpress-protection

If anyone has any means of testing this, how would this perform against a ModSecurity rule? Would it use more or less resources?

Also @Francisco could you test this against your in-house wordpress protection performance-wise?

Thanked by 1MikePT

Comments

  • MikeA Member, Patron Provider

    They aren't charging to use it with a normal license?..

  • Francisco Top Host, Host Rep, Veteran
    edited December 2017

    Mine needs a hand off so it's likely a tiny bit slower, but they still allow some activity hitting the PHP file which is going to burn CPU.

    My system requires interaction with a challenge page, which means that a user who isn't validated (a bot that would have to have manually developed ways to trigger it) would always get served a static .html page.

    It's for sure a step forward but I get mountains of different IPs slamming away. The amount of proxies and other such things is insane. Most of my shared nodes get around 30,000 hits per day with a few of the ones with controversial sites (adult, political, etc) over 100,000 per day.

    Francisco

  • vovler Member
    edited December 2017

    @MikeA said:
    They aren't charging to use it with a normal license?..

    You still need a LiteSpeed license to run LiteSpeed. It's not a WordPress plugin; it's supposed to be used to protect all websites in the server.

    Not sure if the feature will be or already is available in OpenLiteSpeed.

    Oh, yours asks for the challenge before even the first login attempt, right?

  • Francisco Top Host, Host Rep, Veteran

    vovler said: Oh, yours asks for the challenge before even the first login attempt, right?

    Correct.

    Francisco

  • Host4Geeks Member, Host Rep

    Hasn't ModSec been doing this for years?

    Thanked by 1doughmanes
  • @Host4Geeks said:
    Hasn't ModSec been doing this for years?

    In case you only read the title and the first paragraph.

    If anyone has any means of testing this, how would this perform against a ModSecurity rule? Would it use more or less resources?

    So to answer your question, YES. But it's not about which did it first, rather which is more efficient (in case you are running LSWS).

    Obviously using both at the same time is useless. And since this new feature is active by default, you should disable it or the ModSecurity rule.

  • Papi @Francisco the best.

  • ...and systemd ideology slowly infests everything else.
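
The per-IP rule from the opening post ("X failed login attempts" on wp-login and xmlrpc) and the many-IP traffic Francisco describes can be compared on an access log. This is an added example, not part of the thread and not LiteSpeed's implementation; the threshold, window, combined log format and the 200/302 heuristic for wp-login.php are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
MAX_ATTEMPTS = 5               # assumed threshold (the "X failed attempts")
WINDOW = timedelta(minutes=5)  # assumed counting window

def attempts(lines):
    """Yield (ip, time) for each POST that counts as a failed login attempt."""
    for line in lines:
        m = LINE.match(line)
        if not m or m.group(3) != "POST":
            continue
        ip, ts, _, path, status = m.groups()
        path = path.split("?")[0]
        # Assumed default WordPress behaviour: wp-login.php redirects (302) on
        # success and returns 200 on failure; xmlrpc.php returns 200 either way.
        if (path.endswith("/wp-login.php") and status == "200") or path.endswith("/xmlrpc.php"):
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def analyse(lines):
    """Return (IPs over the per-IP threshold, peak attempts from all IPs in one window).
    Lines must be in time order, as in a normal access log."""
    per_ip, everyone = defaultdict(deque), deque()
    flagged, peak = set(), 0
    for ip, when in attempts(lines):
        for q in (per_ip[ip], everyone):
            q.append(when)
            while when - q[0] > WINDOW:
                q.popleft()
        if len(per_ip[ip]) >= MAX_ATTEMPTS:
            flagged.add(ip)
        peak = max(peak, len(everyone))
    return flagged, peak

def sample_log():
    """Constructed lines: one noisy address, one good login, 30 addresses x 2 tries."""
    fmt = '{} - - [10/Dec/2017:12:{:02d}:{:02d} +0000] "POST {} HTTP/1.1" {} 3000'
    noisy = [fmt.format("203.0.113.5", 0, s, "/wp-login.php", 200) for s in range(0, 60, 10)]
    ok = [fmt.format("192.0.2.9", 1, 0, "/wp-login.php", 302)]
    spread = [fmt.format(f"198.51.100.{i}", 10 + t, i, "/xmlrpc.php", 200)
              for t in range(2) for i in range(1, 31)]
    return noisy + ok + spread

if __name__ == "__main__":
    print(analyse(sample_log()))
```

On the constructed log only the single noisy address crosses the per-IP threshold, while the 30 addresses that each stay under it still produce the larger burst, which is why the aggregate count is tracked separately.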
