How We Protected WordPress From Brute Force Attacks
WordPress websites are popular targets for vulnerability scans and brute force attacks. According to sucuri.net they block about 40k WordPress login attempts per day.
With growing number of WordPress websites on our shared hosting servers we also expereinced bigger and bigger amount of brute force requests to /wp-login.php. Those requests consume traffic, CPU cycles and pose security risk to websites hosted on our servers.
To protect our clients from brute force attacks we implemented protection for all our web hosting accounts. We used set of ModSecurity rules to restrict access to /wp-login.php after multiple failed login attempts.
How it works: after 5 login attepts IP address is blocked for 600 seconds from /wp-login.php and error 401 is returned.
How can I protect my cPanel/WHM server from WP Brute Force?
1) Enable and compile ModSecurity module via EasyApache.
2) Add the following code to file /etc/httpd/conf/modsec2.user.conf
SecRule user:bf_block "@gt 0" "deny,status:401,log,msg:'ip address blocked for 10 minutes, more than 5 login attempts in 3 minutes.',id:400002"
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,log,pass,setvar:ip.bf_counter=0,id:400003"
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,log,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:400004"
SecRule ip:bf_counter "@gt 5" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=600,setvar:ip.bf_counter=0"
ErrorDocument 401 default
"status:401" - return code 401 to requests that come from blocked IPs
"bf_block=600" - set block time to 600 seconds (10 mins)
"@gt 5" - block IP after 5 failed login attempts
3) Restart Apache web server.
# service httpd restart
4) Now you can see IP addresses blocked by ModSecurity in WHM >> ModSecurity™ Tools.