Avoid brute force for WordPress
Not only does it pose a security risk, with hackers/bots trying to break into your WordPress install, but for a system admin it is also a nightmare because it can drive up the server load.
One solution would be to install a WordPress plugin such as wp security and configure it to hide the admin panel.
Because the server admin is not always allowed to touch the WordPress websites on the server, there is another solution using mod_security.
After mod_security is installed via EasyApache, you can edit /local/conf/modsec2.user.conf and add:
SecUploadDir /tmp
SecTmpDir /tmp
SecDataDir /tmp
SecRequestBodyAccess On
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000134
# Limit the brute force rules to the WordPress login page; without this scope
# every 200 response on the server would be counted as a failed login.
<LocationMatch "/wp-login.php">
# Setup brute force detection.
# React if block flag has been set.
SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"
# Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed.
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
# expirevar is in seconds: 300 is the 5 minutes announced in the block message above.
SecRule ip:bf_counter "@gt 10" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</LocationMatch>
ErrorDocument 401 default
Then restart Apache so the new rules are loaded; blocked attempts show up in the ModSecurity audit log as hits on rule id 5000135.
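To make the rule set's behaviour concrete, here is an added Python model of the counter and block logic the rules implement. It is not part of the original post and not ModSecurity code: ModSecurity keeps the ip and user collections on disk under SecDataDir, and the model assumes the rules are scoped to wp-login.php responses, a 300 second block, and an approximation of deprecatevar timing (the counter loses one point per full 180 second window since it last changed, applied when the next failed response arrives).

```python
# Added example: in-memory model of the ModSecurity brute force rules for
# wp-login.php (not ModSecurity code; deprecatevar timing is approximated).
from dataclasses import dataclass

BLOCK_SECONDS = 300     # expirevar:user.bf_block=300  ("blocked for 5 minutes")
DECAY_SECONDS = 180     # deprecatevar:ip.bf_counter=1/180
MAX_FAILURES = 10       # SecRule ip:bf_counter "@gt 10"
DENY_STATUS = 401       # deny,status:401


@dataclass
class IpState:
    """State for one client address. The rules key both the ip and the user
    collection on REMOTE_ADDR, so one record per address is enough."""
    bf_counter: int = 0
    counter_updated: float = 0.0   # time of the last counter change (decay reference)
    bf_block_until: float = 0.0    # block flag plus its expiry; 0.0 means not blocked


class BruteForceModel:
    def __init__(self) -> None:
        self._states: dict[str, IpState] = {}

    def _state(self, ip: str) -> IpState:
        return self._states.setdefault(ip, IpState())

    def counter(self, ip: str) -> int:
        return self._state(ip).bf_counter

    def is_blocked(self, ip: str, now: float) -> bool:
        return self._state(ip).bf_block_until > now

    def _decay(self, st: IpState, now: float) -> None:
        # deprecatevar (approximated): subtract 1 for every full DECAY_SECONDS
        # elapsed since the counter last changed, never dropping below zero.
        if st.bf_counter <= 0:
            return
        steps = int((now - st.counter_updated) // DECAY_SECONDS)
        if steps > 0:
            st.bf_counter = max(0, st.bf_counter - steps)
            st.counter_updated += steps * DECAY_SECONDS

    def handle_request(self, ip: str, now: float, backend_status: int) -> int:
        """Return the status the client receives for one wp-login.php request.

        backend_status is what WordPress would answer if the request reaches it:
        302 for a successful login, 200 for a failed one (as the rules assume).
        """
        st = self._state(ip)
        # Request phase rule: user:bf_block "@gt 0" -> deny,status:401.
        # WordPress never sees the request while the flag is set.
        if st.bf_block_until > now:
            return DENY_STATUS
        st.bf_block_until = 0.0          # expirevar has run out; flag is gone
        # Phase 5 rules run on the response WordPress produced.
        if backend_status == 302:
            st.bf_counter = 0            # successful login clears the counter
        elif backend_status == 200:
            self._decay(st, now)
            st.bf_counter += 1           # setvar:ip.bf_counter=+1
            st.counter_updated = now
            if st.bf_counter > MAX_FAILURES:   # chained rule: "@gt 10"
                st.bf_block_until = now + BLOCK_SECONDS
                st.bf_counter = 0
        return backend_status


if __name__ == "__main__":
    # Constructed timeline: twelve failed logins one second apart from one
    # address (a documentation example address), then a retry after the block.
    model = BruteForceModel()
    client = "203.0.113.7"
    for second in range(12):
        status = model.handle_request(client, now=second, backend_status=200)
        print(f"t={second:>3}s  status={status}  counter={model.counter(client)}")
    print(f"t=310s  status={model.handle_request(client, now=310, backend_status=200)}")
```

The model makes two properties of the rule set visible that the configuration alone does not: the block is enforced in the request phase, so WordPress never processes a request from a flagged address, and a successful login (302) resets the counter while a slow attacker whose failures are spaced more than 180 seconds apart never reaches the threshold.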