I am guessing if you're running any sort of reasonable VPS you have fail2ban or something similar to stop too many hits on xmlrpc and login attempts. As we've all seen, too many hits on these URLs eat up all your CPU, and your site either slows down or crashes.
We use haproxy in front of our hosting stack. It does many jobs for us, including DDoS defense.
Of course we have mod_security and fail2ban-type scripts to ban repeat offenders. But this solution is more scalable, uses fewer resources, and can catch the very first hack attempt.
Our solution is to:
The idea is that most bots/attackers will either think the web server is broken, or be slowed down considerably: if they are iterating through a list of passwords or targets, a 4-second delay on every request adds up fast.
Real users aren't usually delayed. If they surf to /wp-admin/ first and are redirected to the login page, they'll already have a TCP session open as part of keep-alive.
Of course we have mod_security and fail2ban-type scripts to ban repeat offenders. But this solution has a few unique advantages:
Here is our haproxy recipe for xmlrpc and login attempts:
# this won't delay all traffic
tcp-request inspect-delay 4s
# create an acl to hold trouble requests
acl trouble path_beg -i /xmlrpc.php
acl trouble path_beg -i /wp-login.php
# if you're not trouble, don't wait
tcp-request content accept unless trouble
# if you are trouble, we'll wait the whole 4 seconds of inspection time
tcp-request content accept if WAIT_END
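For context, here is the same recipe placed in a complete frontend/backend pair, as an added example that is not from the original post; the section names, the `*:80` bind and the `10.0.0.10` backend address are placeholders to be replaced with your own.

```haproxy
frontend web_in
    bind *:80
    mode http
    # Suspicious requests may be held for up to 4 seconds;
    # everything else is released as soon as the request is parsed
    tcp-request inspect-delay 4s
    # Paths that brute-force bots hammer
    acl trouble path_beg -i /xmlrpc.php
    acl trouble path_beg -i /wp-login.php
    # Ordinary requests skip the inspection delay entirely
    tcp-request content accept unless trouble
    # Trouble requests wait out the full inspection window before being forwarded
    tcp-request content accept if WAIT_END
    default_backend wordpress

backend wordpress
    mode http
    # placeholder address for the WordPress web server behind haproxy
    server app1 10.0.0.10:80 check
```

Run `haproxy -c -f /path/to/haproxy.cfg` to check the syntax before reloading, then time a request to `/wp-login.php` versus `/` to confirm only the former is held.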