add login failed logging rule

theMiddleBlue · theMiddleBlue · commit 75a4e1d51032 · 2018-08-09T12:52:35.000+02:00
diff --git a/04-EVENTS.conf b/04-EVENTS.conf
@@ -40,4 +40,22 @@ SecRule RESPONSE_STATUS "@eq 302" "phase:3,id:22110013,nolog,chain,pass"
         tag:'logout',\
         msg:'WordPress: User logged out'"
 
+SecRule &RESPONSE_HEADERS:Set-Cookie "@eq 1" "phase:3,id:22110014,nolog,chain,pass"
+  SecRule &RESPONSE_HEADERS:Location "@eq 0" "id:22110014,nolog,chain"
+    SecRule REQUEST_METHOD "^POST$" "id:22110014,t:uppercase,nolog,chain"
+      SecRule &ARGS_POST_NAMES:log "@ge 1" "id:22110014,t:lowercase,nolog,chain"
+        SecRule &ARGS_POST_NAMES:pwd "@ge 1" "id:22110014,t:lowercase,nolog,chain"
+          SecRule REQUEST_FILENAME "^/wp\-login\.php" "id:22110014,t:lowercase,\
+            log,\
+            rev:'1',\
+            severity:'6',\
+            maturity:'9',\
+            accuracy:'9',\
+            ver:'%{tx.wprs_version}',\
+            tag:'wordpress',\
+            tag:'login',\
+            tag:'failed',\
+            logdata:'Login failed with username: %{ARGS_POST:log}',\
+            msg:'WordPress: Login failed'"
+
 SecMarker END_WPRS_LOG_AUTH
