12 December 2014
Comments: Comments Off on Blocking brute force attack against WordPress wp-login.php

Blocking brute force attack against WordPress wp-login.php

Using ModSecurity
You can add the below rules in your Apache configuration file. It will block the attacks.


# This has to be global, cannot exist within a directory or location clause . . .
        SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:10011
                # Setup brute force detection. 
                # React if block flag has been set.
                SecRule user:bf_block "@gt 0" "deny,status:401,log,msg:'ip address blocked for 5 minutes, more than 15 login attempts in 3 minutes.',id:10011"
                # Setup Tracking.  On a successful login, a 302 redirect is performed, a 200 indicates login failed.
                SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:10012"
                SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:10013"
                SecRule ip:bf_counter "@gt 15" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"

Using .htaccess
If you are on a shared hosting then you will not be able to edit the server configuration files. You can use .htaccess to block all access to wp-login.php file

Order allow,deny
Allow from xx.xx.xx.xx
Deny from all
Satisfy All

Replace xx.xx.xx.xx with your IP address. You don’t want to block yourself.

Comments are closed.