BRUTE FORCE ATTACK
- knowledgediary
- Mar 2, 2020
This bash one-liner searches every domain log under /usr/local/apache/domlogs/, drops the FTP transfer logs that sit alongside them, and counts hits per unique wp-login.php or xmlrpc.php URL per source IP. It is useful for showing customers that their WordPress sites are being brute forced, or that xmlrpc.php is being abused. Two details are worth knowing. First, grep prefixes each match with the log file name whenever it searches more than one file, so the first column reads domain:IP and identifies both the site and the attacking address; -s just silences errors about unreadable files. Second, 404 responses are excluded so that probes against sites that do not actually serve wp-login.php are not counted; filter on the status-code field (field 9 of the combined log format) rather than with a bare substring match, because a plain grep -v 404 also discards any 200 response whose byte count or URL happens to contain 404.
Search the domlogs for known WordPress brute-force targets and print the top ten domain:IP / URL pairs.
grep -sF -e wp-login -e xmlrpc /usr/local/apache/domlogs/* | grep -v ftp | awk '$9 != 404 {print $1 " " $7}' | sort | uniq -c | sort -rn | head -n 10
Faster version of the same check that also installs GNU parallel (the wt-parallel package) if it is missing. -H makes grep print the file name even when a job receives a single file, so every row keeps the domain:IP prefix.
rpm -qa | grep wt-parallel || rpm -i http://updates-vps.wiredtree.com/centos/4/wt-extra//noarch/wt-parallel-20141122-1.noarch.rpm && find /usr/local/apache/domlogs/*/* -type f | parallel --no-notice -X -j4 grep -HF -e wp-login -e xmlrpc {} | grep -v ftp | awk '$9 != 404 {print $1 " " $7}' | sort | uniq -c | sort -rn | head -n 10
Search for brute-force attempts across every container on the node (the /vz/private/*/fs/root/ paths) using parallel. -type f keeps find from handing the domlogs directory itself to grep.
rpm -qa | grep wt-parallel || rpm -i http://updates-vps.wiredtree.com/centos/4/wt-extra//noarch/wt-parallel-20141122-1.noarch.rpm && find /vz/private/*/fs/root/usr/local/apache/domlogs/ -maxdepth 1 -type f | parallel --no-notice -X -j4 grep -HF -e wp-login -e xmlrpc {} | grep -v ftp | awk '$9 != 404 {print $1 " " $7}' | sort | uniq -c | sort -rn | head -n 20
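The same pipeline packaged as a shell function, as an added example that is not part of the original post. It runs against a throwaway domlogs directory filled with constructed log lines (every domain, IP, path and line below is made up for the demonstration), so it can be tried offline. It skips FTP logs by file name instead of by substring, forces the domain:IP prefix by always giving grep more than one file, and drops 404s on the status field, which keeps a 200 response whose byte count contains 404.

```shell
#!/bin/sh
# Added example (not from the original post): count wp-login.php and
# xmlrpc.php hits per domain, source IP and URL from Apache domlogs.
# All directories, domains, IPs and log lines are constructed.
set -eu

# Build a throwaway domlogs directory with constructed combined-format
# lines plus a cPanel-style "<domain>-ftp_log" that must not be counted.
# Prints the directory path.
make_sample_domlogs() {
    dir=$(mktemp -d)
    cat > "$dir/example.com" <<'EOF'
203.0.113.7 - - [01/Mar/2020:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2020:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
198.51.100.22 - - [01/Mar/2020:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 404 210 "-" "curl/7.64.0"
198.51.100.22 - - [01/Mar/2020:10:01:01 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "curl/7.64.0"
10.0.40.4 - - [01/Mar/2020:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4043 "-" "Mozilla/5.0"
EOF
    cat > "$dir/shop.example.net" <<'EOF'
203.0.113.7 - - [01/Mar/2020:10:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2020:10:05:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2020:10:05:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
EOF
    # FTP transfer log (constructed): mentions wp-login.php but is not an HTTP hit.
    cat > "$dir/example.com-ftp_log" <<'EOF'
Sun Mar  1 10:03:00 2020 1 203.0.113.7 1024 /home/user/public_html/wp-login.php b _ i r user ftp 0 * c
EOF
    printf '%s\n' "$dir"
}

# Print the top-N "<count> <domain>:<ip> <url>" lines for wp-login.php
# and xmlrpc.php requests in the HTTP logs directly under $1 (N = $2).
#
# - find selects regular files and skips "*-ftp_log" by name.
# - grep -F is always given /dev/null plus the log files, so it has more
#   than one file and prefixes every match with "<file>:"; field 1 is
#   therefore "<path>:<ip>". -s hides unreadable-file errors.
# - awk keeps rows whose request URL (field 7) is a WordPress login or
#   XML-RPC endpoint and whose status (field 9) is not 404, trims the
#   directory from field 1, and prints "<domain>:<ip> <url>".
# - sed strips the padding uniq -c puts in front of the count.
wp_brute_top() {
    logdir=$1
    n=$2
    find "$logdir" -maxdepth 1 -type f ! -name '*-ftp_log' -print0 |
        xargs -0 grep -sF -e wp-login.php -e xmlrpc.php -- /dev/null |
        awk '$9 != 404 && $7 ~ /(wp-login|xmlrpc)\.php/ {
                 sub(".*/", "", $1); print $1, $7
             }' |
        sort | uniq -c | sort -rn | head -n "$n" |
        sed 's/^ *//'
}

# Stand-alone run: build the sample logs, report the top ten, clean up.
SAMPLE_DIR=$(make_sample_domlogs)
wp_brute_top "$SAMPLE_DIR" 10
rm -rf "$SAMPLE_DIR"
```

On the sample data the 404 probe from 198.51.100.22 is dropped, while the 200 from 10.0.40.4 with a 4043-byte response survives even though the line contains "404". Point wp_brute_top at a real domlogs directory to get the same report for live traffic.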