I am running a Wordpress site on a DigitalOcean droplet, and the droplet is running CentOS with CWP. The website is new, so it has a very low amount of genuine traffic: on average around 3-5 visitors per day. However, the site has been under attack for the last couple of weeks.

I receive an email notification almost daily from the lfd service about "Excessive process running under user XYZ". A second email, titled "High 5 minute load average alert", follows right after it.

Sample line from the first email (the last notification email listed around 143 processes with status "not killed"):

User:XYZ PID:29096 PPID:26959 Run Time:58(secs) Memory:230140(kb) RSS:10104(kb) exe:/usr/local/bin/php-cgi cmd:/usr/local/bin/php-cgi /home/XYZ/public_html/wp-login.php

The second email contains output from different commands: ps.txt, vnstat.txt, netstat.txt, apachestatus.html

In the last notification email, there's an error in all files except apachestatus.html. The error message is "Unable to obtain SERVICE_NAME output within 10 seconds - Timed out".

In the apachestatus file, I can see 243 idle threads at wp-login.php from a single IP.

My questions are:

  1. What is the default time to drop idle connections?
  2. Is there any way to drop idle connections quicker than that? (Maybe the default time is fine in general, but it is still causing issues in my case, so I want to reduce it further.)
  3. How can I limit simultaneous requests from a certain IP? (To restrict the open connection limit to 10 or maybe 20.)
  4. What is the best way to handle this and protect the server from these types of attacks? (Any relevant tool or technique.)
  • This is very difficult to do in a web server as typical web pages require multiple connections for related content. You may be able to mitigate this with judicious use of fail2ban and caching in WordPress. Also look through the logs and see what is generating the traffic - if it's legit robots a robots.txt file can help – davidgo Jun 02 '20 at 09:05
  • Apache will be using an MPM module. Find which one and you can tune its config to limit requests. IMHO not a great idea though. Have you – davidgo Jun 02 '20 at 09:08
  • Rereading your post, if it's a brute force on wp-login.php use fail2ban or a plugin to change this URL. – davidgo Jun 02 '20 at 09:08
  • @davidgo thanks for your suggestion. I have checked fail2ban and that seems a good option. As I am already using csf/lfd, can I use fail2ban with that? Also, do I just need to install and configure basic options (bantime, maxretry, etc) and I would be ready to go OR is there any other configuration? How do I cache wordpress? – Alena Jun 02 '20 at 09:53
  • @davidgo usually the requests are for wp-login.php, but sometimes they are for the homepage (index.php). I think redirection is not a solution. – Alena Jun 02 '20 at 10:04
  • Redirection? I don't believe I mentioned redirection. When I was talking about a plugin to change this URL I'm talking about a plugin to change the address for wp-login.php. (There are a few of them about. Do a plugin search for "wp-login change" in Wordpress. ) – davidgo Jun 02 '20 at 10:15
  • Sorry, I mistakenly used the word "redirection". I got your point, and this can prevent brute force attempts on the login page, but I think I need another solution as there are attacks on other pages too. – Alena Jun 02 '20 at 10:25
  • Maybe Wordfence plugin can help you? "In Wordpress" solutions don't belong here, they belong in wordpress.stackexchange.com – davidgo Jun 02 '20 at 10:30

1 Answer

The below is really just an answer to address your Fail2Ban comment/question - I could not answer with sufficient depth as a comment.

To use fail2ban requires more than just basic options. Here is my "secret sauce"


# Fail2Ban configuration file
# Author: Tim Connors
# Tweaked by David Go
#
# Filter file, e.g. /etc/fail2ban/filter.d/wordpress-login.conf (file name assumed).
# A fail2ban filter file needs a [Definition] section for failregex to be read.

[Definition]

# Option:  failregex
# Notes.:  Regexp to catch Apache dictionary attacks on Wordpress wp-login
# Values:  TEXT
#failregex = <HOST>.*] "POST /wp-login.php

#failregex = :80 <HOST> -.*"(GET|POST).*/wp-login.php
#            :443 <HOST> -.*"(GET|POST).*/wp-login.php

failregex = :80 <HOST> -.*(GET|POST).*/wp-login\.php.*(HTTP)
            :443 <HOST> -.*(GET|POST).*/wp-login\.php.*(HTTP)


# Second filter file, e.g. /etc/fail2ban/filter.d/wordpress-xmlrpc.conf (file name assumed).
# Continuation lines must be indented; the first failregex line must not be,
# otherwise fail2ban treats it as part of the preceding value.

[Definition]

# Option:  failregex
# Notes.:  Regexp to catch xmlrpc attacks on Wordpress
# Values:  TEXT

failregex = :80 <HOST> -.*(GET|POST).*/xmlrpc\.php.*(HTTP)
            :443 <HOST> -.*(GET|POST).*/xmlrpc\.php.*(HTTP)

Additional lines in jail.local for the above:

# Short term lockout for Wordpress Brute Force
# Jail name below is assumed; without an explicit "filter =" line fail2ban
# uses filter.d/<jail name>.conf, so name the jail after the filter file.
[wordpress-login]
logpath = /var/log/apache2/other_vhosts_access.log
maxretry = 8
bantime = 300
findtime = 300
enabled = true

Note that my Apache is logging in "combined" format from outside VirtualHost directives - I have config lines:

# Define an access log for VirtualHosts that don't define their own logfile
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log vhost_combined
  • thank you @davidgo, can you confirm that there won't be any compatibility issues while using CSF/LFD and fail2ban in parallel? – Alena Jun 02 '20 at 10:26
  • No idea, sorry. Never heard of CSF/LFD until I googled it just now. Fail2Ban typically manipulates IPTables, so if it does not conflict with other iptables rules it should work (and fail2ban is a fairly good neighbour - it works fine for my custom iptables rules). If it does, you could change the action to ban to hook into CSF/LFD. – davidgo Jun 02 '20 at 10:33
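As an added illustration (this is not code from the answer, nor from fail2ban itself), the following Python script applies the answer's two failregex patterns and its jail settings (maxretry = 8, findtime = 300, bantime = 300) to a few constructed log lines in the vhost_combined format shown above, so you can see which clients would be banned and why the findtime window matters for the "slow" probing the question also mentions. The vhost name, IP addresses and timestamps are made up for the demo; fail2ban's `<HOST>` tag is translated into a named regex capture group, which is what fail2ban does internally.

```python
"""
Simulate the fail2ban jail from the answer (maxretry = 8, findtime = 300,
bantime = 300) against Apache vhost_combined log lines.
Added illustration only; log lines below are constructed, not real traffic.
"""
import re
from datetime import datetime, timedelta, timezone

# fail2ban's <HOST> stands for an IP/hostname capture group. These are the
# answer's failregex lines (escaped dots; both the :80 and :443 variants).
HOST = r"(?P<host>\S+)"
FAILREGEX = [
    re.compile(r":80 " + HOST + r" -.*(GET|POST).*/wp-login\.php.*(HTTP)"),
    re.compile(r":443 " + HOST + r" -.*(GET|POST).*/wp-login\.php.*(HTTP)"),
    re.compile(r":80 " + HOST + r" -.*(GET|POST).*/xmlrpc\.php.*(HTTP)"),
    re.compile(r":443 " + HOST + r" -.*(GET|POST).*/xmlrpc\.php.*(HTTP)"),
]

TIME_RE = re.compile(r"\[([^\]]+)\]")        # Apache %t field
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"            # e.g. 02/Jun/2020:09:05:00 +0000

MAXRETRY, FINDTIME, BANTIME = 8, 300, 300    # values from the answer's jail.local


def parse_line(line):
    """Return (timestamp, host) if the line matches any failregex, else None."""
    for rx in FAILREGEX:
        m = rx.search(line)
        if m:
            when = datetime.strptime(TIME_RE.search(line).group(1), TIME_FMT)
            return when, m.group("host")
    return None


def simulate(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """
    Walk log lines in order; return {host: ban_time} for every host that
    accumulates `maxretry` matching requests inside a sliding `findtime`
    window. Lines from a host whose ban is still active are skipped, which
    approximates the firewall dropping that host's packets.
    """
    hits, bans = {}, {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # not a login/xmlrpc hit: never counted
        when, host = parsed
        if host in bans and when < bans[host] + timedelta(seconds=bantime):
            continue
        window = [h for h in hits.get(host, []) if when - h <= timedelta(seconds=findtime)]
        window.append(when)
        hits[host] = window
        if len(window) >= maxretry:
            bans[host] = when
            hits[host] = []
    return bans


def banned_hosts(lines):
    """Sorted list of hosts the jail would ban for the given log lines."""
    return sorted(simulate(lines))


def make_line(ip, port, request, when):
    """One constructed vhost_combined line: %v:%p %h %l %u %t "%r" %>s %O ..."""
    stamp = when.strftime(TIME_FMT)
    return (f'example.com:{port} {ip} - - [{stamp}] "{request} HTTP/1.1" '
            f'200 1234 "-" "Mozilla/5.0"')


BASE = datetime(2020, 6, 2, 9, 5, 0, tzinfo=timezone.utc)   # constructed epoch


def build_sample_log():
    """Constructed traffic from three hosts, returned in time order."""
    events = []

    def add(ip, port, request, offset):
        when = BASE + timedelta(seconds=offset)
        events.append((when, make_line(ip, port, request, when)))

    add("203.0.113.10", 443, "GET /", 0)                 # genuine visitor
    add("203.0.113.10", 443, "POST /wp-login.php", 10)   # two real login tries
    add("203.0.113.10", 443, "POST /wp-login.php", 40)
    for i in range(12):                                   # brute force: 12 hits in 55 s
        add("198.51.100.77", 443, "POST /wp-login.php", 5 * i)
    for i in range(8):                                    # slow xmlrpc probing: 1/min
        add("192.0.2.5", 80, "POST /xmlrpc.php", 60 * i)
    events.sort(key=lambda e: e[0])
    return [line for _, line in events]


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for host, when in simulate(SAMPLE_LOG).items():
        print(f"ban {host} at {when.strftime(TIME_FMT)} for {BANTIME}s")
```

Run it directly to print the ban verdicts. Only the fast brute-forcer is banned, at its 8th attempt; the genuine visitor's two login attempts never come close to maxretry, and the slow xmlrpc prober escapes because at most six of its requests fall inside any 300-second window. That last case is the trade-off to weigh when choosing findtime against the traffic a real user generates.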