Apache mod_qos WordPress bruteforce mitigation

Hi, WordPress bruteforce attacks against /wp-login.php and /xmlrpc.php produce high CPU load.
Here are some simple examples of how to get rid of that issue with mod_qos.

Install the Apache module and enable it (mod_unique_id and mod_setenvif are enabled as well, because the SetEnvIf-based client rules below depend on them):

apt install libapache2-mod-qos
a2enmod unique_id qos setenvif

For global mitigation, edit your Apache module config:

/etc/apache2/mods-enabled/qos.conf
<IfModule qos_module>
  # minimum request rate (bytes/sec at request reading):
  #QS_SrvRequestRate                                 120

  # limits the connections for this virtual host:
  #QS_SrvMaxConn                                     100

  # allows keep-alive support till the server reaches 600 connections:
  #QS_SrvMaxConnClose                                600

  # allows max 50 connections from a single ip address:
  #QS_SrvMaxConnPerIP                                 50

  # allows a single IP address to access the URI /xmlrpc.php not more
  # than 10 times within 2 minutes:
  SetEnvIf Request_URI ^/xmlrpc.php LimitWpXmlRpc
  QS_ClientEventLimitCount 10 120 LimitWpXmlRpc

  # allows a single IP address to access the URI /wp-login.php not more
  # than 10 times within 2 minutes:
  SetEnvIf Request_URI ^/wp-login.php LimitWpLogin
  QS_ClientEventLimitCount 10 120 LimitWpLogin
</IfModule>

For per-VirtualHost mitigation, add this to the VirtualHost's Apache config:

<IfModule qos_module>
  # limits concurrent requests to the location:
  QS_LocRequestLimitMatch "^(/wp-login.php).*$" 2
  # does not allow more than 1 request/sec:
  QS_LocRequestPerSecLimitMatch "^(/wp-login.php).*$" 1

  # limits concurrent requests to the location:
  QS_LocRequestLimitMatch "^(/xmlrpc.php).*$" 2
  # does not allow more than 1 request/sec:
  QS_LocRequestPerSecLimitMatch "^(/xmlrpc.php).*$" 1
</IfModule>
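As an added example (not part of the original post or of mod_qos itself), this Python script replays the "10 hits per client within 120 seconds" rule from the global config over Apache access-log lines, so you can estimate which client IPs would be limited before rolling the rule out. The log lines are constructed, the IP addresses are documentation ranges, and the sliding window only approximates mod_qos's own event counter.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Matches the start of an Apache combined-log line: client IP, timestamp, method and URI.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)')
# Same URIs the SetEnvIf rules above match (with the dot escaped).
LIMITED_URIS = re.compile(r'^/(wp-login|xmlrpc)\.php')

def _make_line(ip, second, uri):
    # Builds one constructed log line (hypothetical data, not from any real server).
    ts = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc) + timedelta(seconds=second)
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "POST {uri} HTTP/1.1" 200 512 "-" "curl/8.0"'

SAMPLE_LOG = "\n".join(
    [_make_line("203.0.113.7", s * 5, "/wp-login.php") for s in range(12)]  # 12 hits in 55 s
    + [_make_line("198.51.100.9", s * 30, "/xmlrpc.php") for s in range(5)]  # 5 hits in 120 s
    + [_make_line("192.0.2.3", s, "/wp-admin/") for s in range(20)]          # URI is not limited
)

def parse(line):
    """Return (ip, timestamp, uri) for a log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["uri"]

def offenders(log_text, limit=10, window=120):
    """Map each client IP to its highest number of hits on the limited URIs inside
    any sliding `window` seconds, keeping only IPs that exceed `limit`."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed and LIMITED_URIS.match(parsed[2]):
            hits[parsed[0]].append(parsed[1])
    result = {}
    for ip, times in hits.items():
        times.sort()
        start, worst = 0, 0
        for end, t in enumerate(times):
            # advance the window start until it is within `window` seconds of t
            while (t - times[start]).total_seconds() > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst > limit:
            result[ip] = worst
    return result
```

Feed it a real access log with `offenders(open("/var/log/apache2/access.log").read())` to see how many legitimate clients the 10/120 threshold would catch, and adjust the QS_ClientEventLimitCount values accordingly.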

Have fun!

WordPress Gravatar Emoji Gutenberg Google Fonts Spyware

Hello

After viewing some of Richard Stallman’s interviews I decided to check this blog for spyware. I’ve found some major problems with WordPress and privacy.


First were the Gravatars. I’ve simply disabled them in WordPress settings.

Settings -> Discussion -> Avatar Display


Second were the Google Fonts in the template. I'm using Sparkling as the template. In the child template I've disabled the fonts of the theme. I simply set my own local font in style.css.

https://colorlib.com/wp/forums/topic/remove-google-font/#post-113288


Third were the emojis.

Settings -> Writing -> Formatting -> Convert emoticons like :-) and :-P to graphics on display


Fourth and last is the Gutenberg editor. It seems that WordPress uses Google Fonts in its core, at least for the Gutenberg editor. I've found a plugin which does the job very well.

https://wordpress.org/plugins/disable-google-fonts/

Discussion on GitHub about WordPress core:
https://github.com/WordPress/gutenberg/issues/11648


Have fun!