We are seeing a lot of WordPress wp-login.php brute force attacks these days. In this tutorial I will explain how to stop wp-login.php attacks on a cPanel server. You can also simply install any WordPress security plugin to stop brute force attacks.
If your server hosts numerous WordPress websites, it is often not practical to install a WordPress security plugin on every site. Here is how you can protect the whole server from wp-login.php brute force attacks instead, using mod_security and CSF.
- Mod Security Apache Module: If you do not have the mod_security Apache module installed on the server, run EasyApache from WHM with mod_security selected.
- ConfigServer Security & Firewall (CSF): Install CSF on the server if it is not already present.
Mod Security Configuration:
Log in to WHM as the root user.
Navigate to:
WHM Home >> Plugins >> Mod Security
Click the Edit Config button at the top. This opens the Mod_Security configuration page.
Add the code below at the bottom of the page and click the Save Configuration button. The rules count failed logins per client IP (wp-login.php re-displays the form with a 200 response on a bad password) and reset the counter on a successful login (a 302 redirect). Once an IP exceeds 3 failures within roughly 10 minutes it is answered with 401 for 20 minutes. Because the rules key on the response status, a plugin or theme that changes how wp-login.php answers a failed login will throw the counter off, and SecDataDir must be writable by the Apache user or the per-IP collections cannot be persisted.
# Start wp-login.php brute attack
SecUploadDir /tmp
SecTmpDir /tmp
SecDataDir /tmp
SecRequestBodyAccess On
SecAction "phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000134"
<LocationMatch "/wp-login.php">
    SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'IP address blocked for 20 minutes, more than 3 login attempts in 10 minutes.'"
    SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
    SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/600,id:5000137"
        SecRule ip:bf_counter "@gt 3" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=1200,setvar:ip.bf_counter=0"
</LocationMatch>
ErrorDocument 401 default
# End wp-login.php brute attack
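To see what the counter and expiry actions above actually do before putting them on a live server, here is an added example (not code from this post or from ModSecurity) that replays constructed login attempts through the same logic: increment ip.bf_counter on a 200, reset it on a 302, decay it by 1 every 600 seconds (deprecatevar), and set user.bf_block for 1200 seconds once the counter exceeds 3. The decay is modelled against the time the IP's collection was last stored, which is a simplifying assumption about deprecatevar; the class and function names are this example's own.

```python
"""Offline model of the wp-login.php brute-force rule set (added example)."""
from dataclasses import dataclass
from typing import Optional

BLOCK_THRESHOLD = 3               # SecRule ip:bf_counter "@gt 3"
BLOCK_SECONDS = 1200              # expirevar:user.bf_block=1200 (20 minutes)
DECAY_STEP, DECAY_EVERY = 1, 600  # deprecatevar:ip.bf_counter=1/600


@dataclass
class IpState:
    bf_counter: int = 0                 # ip.bf_counter
    block_until: float = 0.0            # user.bf_block expiry; 0 = not blocked
    last_seen: Optional[float] = None   # when this IP's collection was last stored


class LoginRuleModel:
    """Per-IP state machine mirroring the rules (simplified; assumption)."""

    def __init__(self):
        self.state = {}

    def request(self, ip, now, upstream_status):
        """Return the status the client sees for one /wp-login.php request.

        upstream_status is what WordPress would answer: 200 when the login
        form is re-displayed (bad credentials), 302 when the login succeeded.
        """
        s = self.state.setdefault(ip, IpState())
        # Phase 2: deny with 401 while user.bf_block is set and not expired.
        if s.block_until > now:
            s.last_seen = now          # collection is still stored on a deny
            return 401
        # Phase 5 rules: only reached when WordPress actually answered.
        if upstream_status == 302:
            s.bf_counter = 0           # successful login resets the counter
        elif upstream_status == 200:
            s.bf_counter += 1          # setvar:ip.bf_counter=+1
            if s.last_seen is not None:
                # deprecatevar: lose DECAY_STEP per DECAY_EVERY seconds elapsed
                decay = DECAY_STEP * int((now - s.last_seen) // DECAY_EVERY)
                s.bf_counter = max(0, s.bf_counter - decay)
            if s.bf_counter > BLOCK_THRESHOLD:
                s.block_until = now + BLOCK_SECONDS   # expirevar 1200
                s.bf_counter = 0                      # setvar:ip.bf_counter=0
        s.last_seen = now
        return upstream_status


def replay(events):
    """events: (ip, seconds, upstream_status) tuples; returns client statuses."""
    model = LoginRuleModel()
    return [model.request(ip, t, status) for ip, t, status in events]


# Constructed scenarios (sample data, not real traffic).
RAPID_ATTACK = [
    ("203.0.113.5", 0, 200),
    ("203.0.113.5", 5, 200),
    ("203.0.113.5", 10, 200),
    ("203.0.113.5", 15, 200),     # 4th failure: block set, response still served
    ("203.0.113.5", 20, 200),     # now answered with 401
    ("198.51.100.7", 25, 302),    # another IP is unaffected
    ("203.0.113.5", 1215, 200),   # 20 minutes later the block has expired
]
SLOW_ATTEMPTS = [("203.0.113.5", t, 200) for t in (0, 700, 1400, 2100, 2800)]
SUCCESS_RESETS = [
    ("203.0.113.5", 0, 200), ("203.0.113.5", 1, 200), ("203.0.113.5", 2, 200),
    ("203.0.113.5", 3, 302), ("203.0.113.5", 4, 200),
]

if __name__ == "__main__":
    print("rapid  :", replay(RAPID_ATTACK))     # [200, 200, 200, 200, 401, 302, 200]
    print("slow   :", replay(SLOW_ATTEMPTS))    # never blocked: counter decays
    print("reset  :", replay(SUCCESS_RESETS))   # a 302 clears the counter
```

The slow scenario is the one worth noticing: five failures spaced more than 600 seconds apart never trip the rule, which is exactly what the 1/600 decay buys you (fewer false positives for users who occasionally mistype a password) and also what a patient attacker can hide under, which is why the CSF step below matters for anything that does get denied.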
Now Navigate to:
WHM Home >> Plugins >> ConfigServer Security & Firewall
Click the Firewall Configuration button. On the configuration page, set LF_MODSEC to 5. This is the number of mod_security denials (the "ModSecurity: Access denied" lines the rule above writes to the Apache error log) from one IP before CSF blocks that IP in the firewall, so repeat offenders are dropped at the packet level instead of being answered with 401 by Apache each time.
Restart CSF Firewall.
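To confirm the denial lines CSF counts are actually being written, and to see which IPs would cross LF_MODSEC, here is an added example (not part of this post or of CSF) that scans Apache error log lines for rule 5000135 hits per client IP. The log lines are constructed to approximate ModSecurity 2's error-log format and the function names are this example's own; CSF's real matching is its own regex in its configuration, so treat this as an independent check rather than a replica of it.

```python
"""Count ModSecurity denials per IP from Apache error-log lines (added example)."""
import re
from collections import Counter

# Constructed sample log (format approximated; not copied from a real server).
SAMPLE_LOG = """\
[Mon Mar 02 10:00:01.000000 2015] [:error] [pid 2111] [client 203.0.113.5:50211] ModSecurity: Access denied with code 401 (phase 2). Operator GT matched 0 at USER:bf_block. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "9"] [id "5000135"] [msg "IP address blocked for 20 minutes, more than 3 login attempts in 10 minutes."] [hostname "example.com"] [uri "/wp-login.php"]
[Mon Mar 02 10:00:03.000000 2015] [:error] [pid 2112] [client 203.0.113.5:50212] ModSecurity: Access denied with code 401 (phase 2). Operator GT matched 0 at USER:bf_block. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "9"] [id "5000135"] [msg "IP address blocked for 20 minutes, more than 3 login attempts in 10 minutes."] [hostname "example.com"] [uri "/wp-login.php"]
[Mon Mar 02 10:00:04.000000 2015] [core:info] [pid 2113] [client 192.0.2.9:40001] AH00128: File does not exist: /home/example/public_html/favicon.ico
[Mon Mar 02 10:00:05.000000 2015] [:error] [pid 2114] [client 198.51.100.7:41000] ModSecurity: Access denied with code 401 (phase 2). Operator GT matched 0 at USER:bf_block. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "9"] [id "5000135"] [msg "IP address blocked for 20 minutes, more than 3 login attempts in 10 minutes."] [hostname "example.com"] [uri "/wp-login.php"]
[Mon Mar 02 10:00:06.000000 2015] [:error] [pid 2115] [client 203.0.113.5:50213] ModSecurity: Access denied with code 401 (phase 2). Operator GT matched 0 at USER:bf_block. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "9"] [id "5000135"] [msg "IP address blocked for 20 minutes, more than 3 login attempts in 10 minutes."] [hostname "example.com"] [uri "/wp-login.php"]
[Mon Mar 02 10:00:07.000000 2015] [:error] [pid 2116] [client 192.0.2.9:40002] ModSecurity: Warning. Pattern match "foo" at ARGS:q. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "40"] [id "9000001"] [hostname "example.com"] [uri "/"]
[Mon Mar 02 10:00:08.000000 2015] [:error] [pid 2117] [client 203.0.113.5:50214] ModSecurity: Access denied with code 401 (phase 2). Operator GT matched 0 at USER:bf_block. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "9"] [id "5000135"] [msg "IP address blocked for 20 minutes, more than 3 login attempts in 10 minutes."] [hostname "example.com"] [uri "/wp-login.php"]
[Mon Mar 02 10:00:09.000000 2015] [:error] [pid 2118] [client 198.51.100.7:41001] ModSecurity: Access denied with code 401 (phase 2). Operator GT matched 0 at USER:bf_block. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "9"] [id "5000135"] [msg "IP address blocked for 20 minutes, more than 3 login attempts in 10 minutes."] [hostname "example.com"] [uri "/wp-login.php"]
[Mon Mar 02 10:00:10.000000 2015] [:error] [pid 2119] [client 203.0.113.5:50215] ModSecurity: Access denied with code 401 (phase 2). Operator GT matched 0 at USER:bf_block. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "9"] [id "5000135"] [msg "IP address blocked for 20 minutes, more than 3 login attempts in 10 minutes."] [hostname "example.com"] [uri "/wp-login.php"]
"""

# Apache 2.2 logs "[client IP]", 2.4 logs "[client IP:port]"; accept both.
MODSEC_DENY = re.compile(
    r'\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\] '
    r'ModSecurity: Access denied.*?\[id "(?P<id>\d+)"\]'
)


def count_denials(lines, rule_id="5000135"):
    """Return Counter {client_ip: number of 'Access denied' lines for rule_id}."""
    hits = Counter()
    for line in lines:
        m = MODSEC_DENY.search(line)
        if m and m.group("id") == rule_id:
            hits[m.group("ip")] += 1
    return hits


def ips_csf_would_block(hits, lf_modsec=5):
    """IPs whose denial count has reached the LF_MODSEC threshold."""
    return sorted(ip for ip, n in hits.items() if n >= lf_modsec)


if __name__ == "__main__":
    hits = count_denials(SAMPLE_LOG.splitlines())
    for ip, n in hits.most_common():
        print(f"{ip:16} {n} denials")
    print("would reach LF_MODSEC=5:", ips_csf_would_block(hits))
```

Run it against a copy of the real error log (the path is whatever MODSEC_LOG points to in csf.conf) after the rules have been live for a while: if wp-login.php attempts are showing up in the access log but no 5000135 denials appear here, the mod_security block is not firing and CSF has nothing to count.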
Done!