Find IPs that have attacked wp-login

By | 10 April 2013

This shell command can be used on cPanel servers and does the following:
– Scans all access log files for IP addresses which sent a POST request to any wp-login.php file on any domain/subdomain/addon domain on the server during the last 24 hours
– Groups and sorts the IP addresses by the number of POST requests they sent

So if you see that an IP address has sent an abnormal number of POST requests to wp-login.php files, you can block it in your firewall. In our experience and from our stats, a normal number of POST requests to wp-login.php files from a single IP address is 4-5 per day. Anything above 15 is suspicious.

grep -R "wp-login.php" /usr/local/apache/domlogs/* | grep "POST" | awk -F: '{ print $2 }' | awk '{print $1}' | sort | uniq -c | sort -n
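
A stricter variant of the same count, added here as an example and not part of the original post: it lists only IPs above a threshold (15, the post's "suspicious" mark, in the demo), matches the request method and path fields instead of the whole line, and keeps IPv6 addresses intact. The function names wp_login_offenders and sample_log are hypothetical, the log lines are constructed, and Apache common/combined log format is assumed.

```shell
#!/bin/sh
# Added example (not the original post's command): per-IP count of POSTs to
# wp-login.php, listing only IPs above a threshold.
# Assumption: Apache common/combined log format, client IP in field 1.

# Usage: wp_login_offenders THRESHOLD [FILE...]   (reads stdin if no files)
# Prints "COUNT IP", highest count first.
wp_login_offenders() {
    threshold=$1
    shift
    # cat (instead of grep -R) adds no "filename:" prefix, so IPv6 client
    # addresses are not cut at their first ":".
    cat -- "$@" | awk -v t="$threshold" '
        $6 == "\"POST" {
            path = $7
            sub(/\?.*/, "", path)            # drop the query string
            # Count only requests whose target is wp-login.php itself, not
            # lines that merely mention it in the referrer.
            if (path ~ /\/wp-login\.php$/) hits[$1]++
        }
        END { for (ip in hits) if (hits[ip] > t) print hits[ip], ip }
    ' | sort -rn
}

# Constructed sample log lines (documentation address ranges, not real traffic).
sample_log() {
    i=0
    while [ "$i" -lt 40 ]; do   # 40 login POSTs from one IPv4 client
        echo '203.0.113.7 - - [10/Apr/2013:03:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3000 "-" "-"'
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 16 ]; do   # 16 from an IPv6 client, subdirectory install
        echo '2001:db8::5 - - [10/Apr/2013:04:00:00 +0000] "POST /blog/wp-login.php?action=lostpassword HTTP/1.1" 200 3000 "-" "-"'
        i=$((i + 1))
    done
    for n in 1 2 3 4; do        # 4 POSTs: within the normal range the post gives
        echo '198.51.100.20 - - [10/Apr/2013:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"'
    done
    # GET whose referrer contains both strings; the original grep pair counts it
    echo '192.0.2.9 - - [10/Apr/2013:09:05:00 +0000] "GET / HTTP/1.1" 200 10 "http://example.com/wp-login.php?POST" "-"'
}

sample_log | wp_login_offenders 15
```

Like the original command, it applies no time filter, so the counts cover whatever the log files passed to it contain.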