Avoid brute force for wordpress

Not only it poses a security risk by hackers/bots trying to break into your wordpress install but also for a system admin it’s a nightmare because it may increase the server load.

A solution would be to install a wordpress extension like wp security and configure it to hide the admin panel.

Because not always the server admin is allowed to play with the wordpress websites on server there is another solution using mod security.
After mod security is installed via easyapache, you can edit /local/conf/modsec2.user.conf and place
SecUploadDir /tmp SecTmpDir /tmp SecDataDir /tmp


SecRequestBodyAccess On
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000134



# Setup brute force detection.
 # React if block flag has been set.

SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"
 # Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed.

SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"

SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"

SecRule ip:bf_counter "@gt 10" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=3000,setvar:ip.bf_counter=0"

ErrorDocument 401 default

Then simply restart apache

Ecommy

your ecommerce friend

² Navigation

Avoid brute force for wordpress

Recent Posts

Recent Reviews

ecommy CTO