Question about Crowdsec and Wordpress

Hi there,

I just read your announcement of the wordpress bouncer: Protect your WordPress sites with CrowdSec - Security Automation based on behavior & reputation and then i had a look at your plugin: CrowdSec – WordPress plugin |

I am just wondering if this is really the “ideal” way to handle things, seeing that the connections are made to wordpress, PHP gets loaded and then the plugin says “captcha” or “block”.

Would it not be more resource friendly to use a plugin like this one: WP fail2ban – Advanced Security Plugin – WordPress plugin | which simply logs all login attempts – including via XML-RPC, whether successful or not, to syslog using LOG_AUTH and then have a crowdsec parser check the logs and handle it with any bouncer you like?

The benefit of the second method is that if an IP is blocked, there won’t be any traffic as the blacklisted IP will be blocked before it even hits PHP.

I was using the method I described with fail2ban before I discovered crowdsec so I was wondering if this method sounds like something you might implement in your plugin - i.e. enable logging to syslog + wordpress parser? This way one could chose between the methods?

There are already bouncers to do that.
The advantage of the wordpress bouncer is to be able to ask for a captcha and to not completly block the IP.
The other advantage is if you are behind a proxy / loadbalancer and you can’t block directly on the front server. Then blocking on the firewall is not possible, but you can use the wordpress bouncer.

To make it simple.

  • You want / can block on the firewall, use the firewall-bouncer.
  • You cant / don’t want to block on the firewall, you want to ask for a captcha, use the wordpress bouncer.

OK, sure, but to keep using another bouncer I still need a plugin like I linked to so that wordpress logs authentications to syslog.

Will the existing parsers pick those logs up? Which one exactly?
Apparently those logs would look like this:

Oct 17 20:59:54 foobar wordpress([1234]: Authentication failure for admin from
Oct 17 21:00:00 foobar wordpress([2345]: Accepted password for admin from

The wordpress plugin is a bouncer, not a parser…
He will connect to your local api to get the IP to block.
And to build that list you need to install crowdsec with the wordpress collection/scenario.
The crowdsec scenarios for WP read the apache logs and try to find too many POST on wp-login.php

  • I know the WP plugin is a bouncer. I said so in my first post.
  • I understand how the WP plugin works together with crowdsec

I’m more interested in the second screnario I mentioned:

Afaik the web server only logs a successful access to wp-login.php and NOT whether the login was successfull or failed, right?

sample log file:
84.185.xx.xx - - [05/Mar/2021:13:03:14 +0100] "POST /wp-login.php HTTP/1.1" 200 2154 "https://www.domain.tld/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"

so now back to my scenario:

  • I use the plugin I mentioned which logs authentication failures to syslog. Is there a parser which could pick those up as I wish to NOT use the crowdsec WP plugin and instead use the default crowdsec bouncer.
  • Of course if would be awesome if the official crowdsec WP plugin could also add the functionality to log login failures to syslog as an option

This is planned yes :slightly_smiling_face:

1 Like

You have to write your own parser for that.
In wich file are thoses logs written ?

It logs to syslog - if it will be implemented into the crowdsec WP plugin it could also go to auth.log I guess?

I cannot give a timeline yet because the web team is focused on other topics, but yes we want to add to add logging features to crowdsec’s WP plugin, so that it can help detect more attacks that what we can do from simply crunching logs.

If you have some more specific ideas in mind, please don’t hesitate, suggestions are welcome :slight_smile:

1 Like

no pressure, happy you guys are working on it.