CSF custom regex failed wordpress login

[inomi13]

I'm looking for solution how to permanent block IP after few failed login wordpress. My clients use several extensions to login wordpress so I need custom regex which is include all options.

I have below custom regex but I don't know why works only first parameter, parametr wp-login doesn't work. Maybe I should create if to each extension ?

if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?: POST) \/login-page\/|wp-login.php.*" /)) {
return ("Failed Login Wordpress $lgfile",$1,"Wordpress","5","80,443,22,2323","1");
}

 

[inomi13]

I have found solution. If someone will look for custom regex with several values should use below code.

if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?: POST) \/login-page\/.*" /) or ($line =~ /(\S+).*] "\w*(?: POST) \/wp-login\.php.*" /)){
return ("Failed Login Wordpress $lgfile",$1,"Wordpress","5","80,443,20,21,2323","1");
}

 

[kristian]

What is CUSTOM1_LOG? I'm assuming it's a webserver log. Wouldn't this just trigger on any requests to those URLs, and not just failed logins?

 

[BillyS]

CUSTOM1_LOG is something you configure in CSF (and it is a web log). You can have up to nine custom logs. And yes, it would trigger on any request, not just failed ones.

 

[Richard G]

(and it is a web log).

In this case yes. It doesn't need to be a web log.