atmosphear

<p>Send an “HTTP/1.1 403 Forbidden” header on a failed login instead of “HTTP/1.1 200 OK”, which is the WordPress default header on failed login. This is a tremendously simple plugin that does only that and absolutely nothing else.</p>
<p>The purpose of this plugin is to provide a way to allow external tools like fail2ban to get a message of a failed login e.g. to prevent a brute-force attack on a firewall level.</p>
<p>For the public domain.</p>
<p>Uses PHP5.3 anonymous functions and will not work on earlier versions of PHP</p>


HTTP/1.1 403 Forbidden header on a failed login

Send an "HTTP/1.1 403 Forbidden" header on a failed login instead of the default "HTTP/1.1 200 OK"

Federico Rota

<p>This plugin writes the log of failed access attempts (brute force attack) and invalids pingbacks requests ( by xmlrpc.php ). Very useful to process data via fail2ban.<br />
You can activate the log for each pingback request feature and stop the user enumeration method (by redirecting to the home) with log.<br />
If activated it remove the wordpress version number and meta generator in the head section of your site.<br />
If activated it disable xmlrpc methods that require authentication, in order to avoid brute force attack by xmlrpc. Use this feature if you don’t need these xmlrpc methods.<br />
If activated can kill multiple requests in a single xmlrpc call returning a 401 code on xmlrpc login error. This feature may be useful to prevent server overloading on brute force attack by xmlrpc.<br />
You can also view your CUSTOM error log in the admin panel.</p>
<h4>You can write error by</h4>
<ol>
<li>SYSLOG</li>
<li>APACHE ERROR_LOG</li>
<li>CUSTOM a custom error log file (the used path need to be writable or APACHE ERROR LOG wil be used)</li>
</ol>
<h4>Log examples</h4>
<ul>
<li>
<p>SYSLOG</p>
<pre><code>Dec 17 14:21:02 webserver wordpress(`SERVER_HTTP_HOST`)[2588]: Authentication failure on [`WORDPRESS_SITE_NAME`] for `USED_LOGIN` from `111.222.333.444`
Dec 17 14:21:02 webserver wordpress(`SERVER_HTTP_HOST`)[2588]: Pingback error `IXR_ERROR_CODE` generated on [`WORDPRESS_SITE_NAME`] from `111.222.333.444`
Dec 17 14:21:02 webserver wordpress(`SERVER_HTTP_HOST`)[2588]: Pingback requested for `PINGBACK_URL` generated on [`WORDPRESS_SITE_NAME`] from `111.222.333.444`
Dec 17 14:21:02 webserver wordpress(`SERVER_HTTP_HOST`)[2588]: User enumeration attempt generated on [`WORDPRESS_SITE_NAME`] from `111.222.333.444`
</code></pre>
</li>
<li>
<p>APACHE</p>
<pre><code>[Thu Dec 17 14:23:33.662339 2015] [:error] [pid 2580:tid 140001350244096] [client 111.222.333.444:52599] wordpress(`SERVER_HTTP_HOST`) Authentication failure on [`WORDPRESS_SITE_NAME`] for `USED_LOGIN` from `111.222.333.444`, referer: SITE_ADDRESS/wp-login.php
[Thu Dec 17 14:23:33.662339 2015] [:error] [pid 2580:tid 140001350244096] [client 111.222.333.444:52599] wordpress(`SERVER_HTTP_HOST`) Pingback error `IXR_ERROR_CODE` generated on [`WORDPRESS_SITE_NAME`] from `111.222.333.444`, referer: SITE_ADDRESS/xmlrpc.php
[Thu Dec 17 14:23:33.662339 2015] [:error] [pid 2580:tid 140001350244096] [client 111.222.333.444:52599] wordpress(`SERVER_HTTP_HOST`) Pingback requested for `PINGBACK_URL` generated on [`WORDPRESS_SITE_NAME`] from `111.222.333.444`, referer: SITE_ADDRESS/xmlrpc.php
[Thu Dec 17 14:23:33.662339 2015] [:error] [pid 2580:tid 140001350244096] [client 111.222.333.444:52599] wordpress(`SERVER_HTTP_HOST`) User enumeration attempt generated on [`WORDPRESS_SITE_NAME`] from `111.222.333.444`
</code></pre>
</li>
<li>
<p>CUSTOM</p>
<pre><code>[Thu Dec 17 14:25:34.000000 2015] wordpress(`SERVER_HTTP_HOST`) Authentication failure on [`WORDPRESS_SITE_NAME`] for `USED_LOGIN` from `111.222.333.444`
[Thu Dec 17 14:25:34.000000 2015] wordpress(`SERVER_HTTP_HOST`) Pingback error `IXR_ERROR_CODE` generated on [`WORDPRESS_SITE_NAME`] from `111.222.333.444`
[Thu Dec 17 14:25:34.000000 2015] wordpress(`SERVER_HTTP_HOST`) Pingback requested for `PINGBACK_URL` generated on [`WORDPRESS_SITE_NAME`] from `111.222.333.444`
[Thu Dec 17 14:25:34.000000 2015] wordpress(`SERVER_HTTP_HOST`) User enumeration attempt generated on [`WORDPRESS_SITE_NAME`] from `111.222.333.444`
</code></pre>
</li>
</ul>
<h4>fail2ban configuration</h4>
<p>See the FAQ section</p>
<h4>Log viewer</h4>
<p>Log viewer is available only in CUSTOM mode. Note: the log path and the file must exist.</p>
<h4>Localization</h4>
<ul>
<li>English (default) – always included</li>
<li>Italian – since 1.1.3 version</li>
</ul>
<h3>Translations</h3>
<ul>
<li>English – default, always included</li>
<li>Italiano – disponibile dalla versione 1.1.3</li>
</ul>
<p><em>Note:</em> Feel free to translate this plugin in your language. This is very important for all users worldwide. So please contribute your language to the plugin to make it even more useful. For translating I recommend the <a href="http://www.poedit.net/" rel="nofollow ugc">“Poedit Editor”</a>.</p>


Authentication and xmlrpc log writer

Log of failed access, pingbacks, user enumeration, disable xmlrpc authenticated methods, kill xmlrpc request on authentication error.

HTTP/1.1 403 Forbidden header on a failed login vs Authentication and xmlrpc log writer