@alzabo
Last active October 9, 2020 09:51
WP/xmlrpc brute force ModSecurity rules
# These rules are designed to be effective against /distributed/ brute force
# attacks: the failure counter is kept per site (SERVER_NAME + script), not
# per client IP. They work just as well against attacks that are /not
# distributed/, but once the counter trips they deny every XML-RPC method
# call in the "wp." namespace, for all clients, until the counter decays.
#
# An IP-based version of these rules may be more appropriate for sites that
# are attacked from just a few distinct IP addresses.
#
# See http://alzabo.io/modsecurity/2014/09/15/wordpress-xml-rpc-brute-force.html
# for additional information
#
# SecDataDir is probably better configured as something other than
# /tmp. It merely needs to be a directory to which the web server
# daemon can write (and, ideally, nothing else can).
SecDataDir /tmp
# Response body inspection is required so the rules can see WordPress's
# XML-RPC fault responses, which are served as text/xml. ProcessPartial
# inspects what was buffered if a response exceeds SecResponseBodyLimit.
SecResponseBodyAccess On
SecResponseBodyLimitAction ProcessPartial
SecResponseBodyMimeType text/xml
# SecStreamInBodyInspection requires ModSecurity 2.6.0 or greater
SecStreamInBodyInspection On
# Persistent collection keyed on the virtual host and script, so the
# counter is shared by every client that hits this site's xmlrpc.php.
SecAction "phase:1,nolog,pass,id:19300,\
initcol:RESOURCE=%{SERVER_NAME}_%{SCRIPT_FILENAME}"
<FilesMatch "xmlrpc.php">
# 19301: every XML-RPC fault response (a failed login produces one)
# increments the counter; deprecatevar lowers it by 1 every 300 seconds.
SecRule RESPONSE_BODY "faultString" "id:19301,nolog,phase:4,\
t:none,t:urlDecode,setvar:RESOURCE.xmlrpc_bf_counter=+1,\
deprecatevar:RESOURCE.xmlrpc_bf_counter=1/300,pass"
# 19302: deny wp.* method calls once more than 4 failures are on the clock.
# The method name lives inside <methodName>, not directly after <methodCall>,
# so the pattern must match "<methodName>wp." (\s* tolerates whitespace).
# Both rules run in phase 4 and 19301 precedes 19302 in the file, so the
# increment is applied before the threshold is checked. Note that in phase 4
# WordPress has already processed the attempt; the attacker is only denied
# the response. Moving 19302 to phase:2 would reject before PHP runs.
SecRule STREAM_INPUT_BODY "<methodName>\s*wp\." "id:19302,log,chain,\
deny,status:406,phase:4,t:none,t:urlDecode,\
msg:'Temporary block due to multiple XML-RPC method call failures'"
SecRule RESOURCE:xmlrpc_bf_counter "@gt 4" "t:none,t:urlDecode,\
t:removeWhitespace"
</FilesMatch>
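The following Python model is an added illustration, not code from the gist or from the linked blog post. It replays constructed XML-RPC request/response pairs through the two phase-4 rules so that the threshold, the rule ordering (19301 increments before 19302 checks) and the deprecatevar decay can be seen at work, and it contrasts the `<methodCall>wp\.` pattern the gist originally used with `<methodName>\s*wp\.`. The sample bodies are constructed, and the decay arithmetic (drop the counter by 1 for every full 300 s since the collection was last written) is a simplified model of ModSecurity's deprecatevar, not a reimplementation of it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample XML-RPC bodies, laid out the way WordPress and the usual
# brute-force tools emit them (not captured traffic).
WP_LOGIN_CALL = """<?xml version="1.0"?>
<methodCall>
  <methodName>wp.getUsersBlogs</methodName>
  <params>
    <param><value><string>admin</string></value></param>
    <param><value><string>Password1</string></value></param>
  </params>
</methodCall>"""

PINGBACK_CALL = """<?xml version="1.0"?>
<methodCall><methodName>pingback.ping</methodName><params/></methodCall>"""

FAULT_RESPONSE = """<?xml version="1.0"?>
<methodResponse><fault><value><struct>
<member><name>faultCode</name><value><int>403</int></value></member>
<member><name>faultString</name><value><string>Incorrect username or password.</string></value></member>
</struct></value></fault></methodResponse>"""

OK_RESPONSE = """<?xml version="1.0"?>
<methodResponse><params><param><value><array><data/></array></value></param></params></methodResponse>"""

# Pattern as written in rule 19302 of the original gist, and the corrected one.
# The method name sits inside <methodName>, so the original never matches.
GIST_PATTERN = re.compile(r"<methodCall>wp\.")
FIXED_PATTERN = re.compile(r"<methodName>\s*wp\.")


@dataclass
class ResourceCollection:
    """Model (assumption, simplified) of the RESOURCE collection plus ModSecurity's
    deprecatevar arithmetic: for every full `period` seconds elapsed since the
    collection was last written, the counter drops by `decrement`, never below zero."""
    decrement: int = 1
    period: int = 300
    counter: int = 0
    last_update: Optional[int] = None

    def deprecate(self, now: int) -> bool:
        if self.last_update is None or self.counter == 0:
            return False
        steps = (now - self.last_update) // self.period
        if steps <= 0:
            return False
        self.counter = max(0, self.counter - self.decrement * steps)
        return True

    def process(self, request_body: str, response_body: str, now: int,
                pattern: re.Pattern = FIXED_PATTERN, threshold: int = 4) -> Tuple[int, int]:
        """Replay one xmlrpc.php request through the two phase-4 rules.
        Returns (HTTP status the client would get, counter value afterwards)."""
        # Rule 19301 runs first: apply decay, then +1 for every fault response.
        changed = self.deprecate(now)
        if "faultString" in response_body:
            self.counter += 1
            changed = True
        if changed:
            self.last_update = now
        # Rule 19302 (chained): wp.* call AND counter above the threshold -> 406.
        if pattern.search(request_body) and self.counter > threshold:
            return 406, self.counter
        return 200, self.counter


def simulate(pattern: re.Pattern = FIXED_PATTERN) -> List[Tuple[int, int, int]]:
    """Walk a constructed timeline and return (time, status, counter) rows."""
    col = ResourceCollection()
    rows = []
    # Five failed logins one second apart, from any mix of source IPs:
    # the fifth pushes the counter to 5 and is the first one denied.
    for t in range(5):
        rows.append((t, *col.process(WP_LOGIN_CALL, FAULT_RESPONSE, t, pattern)))
    # A pingback call is outside the wp. namespace and stays reachable.
    rows.append((5, *col.process(PINGBACK_CALL, OK_RESPONSE, 5, pattern)))
    # 601 s of silence decays the counter twice (5 -> 3); a correct login
    # using a wp. method now goes through, so the block really is temporary.
    rows.append((605, *col.process(WP_LOGIN_CALL, OK_RESPONSE, 605, pattern)))
    return rows


if __name__ == "__main__":
    for t, status, counter in simulate():
        print(f"t={t:>4}s  status={status}  xmlrpc_bf_counter={counter}")
```

Running `simulate(GIST_PATTERN)` returns 200 for every row, which is the practical effect of the original regex: the counter climbs but nothing is ever denied. The timeline also makes the phase-4 trade-off visible: the fifth (denied) attempt still produced a fault response from WordPress, so it still counted.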