There are many plugins out there that protect a WordPress website from brute-force attacks. The problem is that they are very resource intensive, since they run through PHP. Not to mention, having to load a plugin on every single WordPress site on a server puts even more strain on the server and is not an efficient way to protect you and your clients from brute-force attacks.

There are two popular WordPress brute-force attacks: one aimed at wp-admin (the login form at wp-login.php) and the other aimed at xmlrpc.php. Both of these seem very small, but they can cause your CPU load to rise, your websites to load slowly, and, in the worst case, a hacked website.

Add the following rules to your mod_security ruleset and they will help block the two attacks.

# Persistent collections (ip, user) live here; the directory must be writable by the Apache user.
SecDataDir /tmp

# Initialise the ip collection, keyed on the client address.
SecAction "phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:5000134"

# Behind a reverse proxy, key on X-Forwarded-For instead. Enable one or the other, not
# both (they share id 5000134), and only trust the header when your own proxy sets it.
#SecAction "phase:1,nolog,pass,initcol:ip=%{REQUEST_HEADERS.x-forwarded-for},id:5000134"

<LocationMatch "/wp-login.php">

# Phase 2 (the default): refuse the request while the block flag is set.
SecRule ip:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 30 login attempts in 3 minutes.'"

# Phase 5: wp-login.php answers a successful login with a 302 redirect, so reset the counter.
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"

# Phase 5: a 200 means the login form was re-rendered, i.e. a failed attempt. Count it;
# deprecatevar takes 1 off the counter for every 180 s the collection goes unwritten.
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
# Chained: past 30 failures, set the block flag for 300 s and start counting again.
SecRule ip:bf_counter "@gt 30" "t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block=300,setvar:ip.bf_counter=0"

</LocationMatch>

# Same pattern for xmlrpc.php; the block flag is kept in the user collection, also keyed on the address.
SecAction "phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000234"

<LocationMatch "/xmlrpc.php">

# Note the message says 10 attempts while the chained rule below trips at more than 5;
# bring one of them in line with the other so the log matches the threshold.
SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000235,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"

# xmlrpc.php returns 200 for every call, successful or not, so this counts all hits.
# ip.bf_counter is the same variable the wp-login.php rules use, so the two add up.
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000237"
SecRule ip:bf_counter "@gt 5" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"

</LocationMatch>
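To see what the counter, the deprecatevar decay and the 300-second block actually do before putting the rules in front of live traffic, here is an added Python model of the wp-login.php rule set (the xmlrpc.php rules are the same mechanism with a threshold of 5, passed in as a parameter). It is not ModSecurity code and not part of the original post: it reproduces the state the ip collection would hold after each request and returns the pass/deny decision, with one simplification, namely that the deprecatevar decrement is computed from the previous request of the same IP. The request sequences and IP addresses are constructed for the example.

```python
"""Offline model of the wp-login.php counter/block rules above.

Added illustration, not ModSecurity code. Simplification: deprecatevar is
modelled as "subtract 1 for every full 180 s since this IP's collection was
last written", so requests arriving faster than that never decay the counter.
"""
from dataclasses import dataclass

COUNTER_THRESHOLD = 30    # SecRule ip:bf_counter "@gt 30"  (xmlrpc.php uses 5)
BLOCK_SECONDS = 300       # expirevar:ip.bf_block=300
DEPRECATE_AMOUNT = 1      # deprecatevar:ip.bf_counter=1/180 ...
DEPRECATE_INTERVAL = 180  # ... one off the counter per 180 s of silence


@dataclass
class IpState:
    counter: int = 0          # ip.bf_counter
    last_update: float = 0.0  # when this IP's collection was last written
    block_until: float = 0.0  # expiry of ip.bf_block; 0.0 means not set


def _deprecate(state: IpState, now: float) -> None:
    """Apply the deprecatevar decay to the counter."""
    steps = int((now - state.last_update) // DEPRECATE_INTERVAL)
    if steps > 0 and state.counter > 0:
        state.counter = max(0, state.counter - steps * DEPRECATE_AMOUNT)


def handle_request(states: dict, now: float, ip: str, backend_status: int,
                   threshold: int = COUNTER_THRESHOLD) -> str:
    """Return 'deny' or 'pass' for one request to the protected URL.

    backend_status is what WordPress would answer if the request got through:
    200 = login form re-rendered (failed attempt), 302 = successful login.
    """
    state = states.setdefault(ip, IpState())
    # expirevar: the block flag disappears once its 300 s are up
    if state.block_until and now >= state.block_until:
        state.block_until = 0.0
    # phase 2 rule 5000135: a blocked IP gets 401 before WordPress runs
    if state.block_until:
        state.last_update = now
        return "deny"
    # phase 5 rules 5000136/5000137 act on the response WordPress produced
    if backend_status == 302:
        state.counter = 0                  # successful login resets the counter
    elif backend_status == 200:
        _deprecate(state, now)
        state.counter += 1                 # setvar:ip.bf_counter=+1
        if state.counter > threshold:      # chained "@gt" rule
            state.block_until = now + BLOCK_SECONDS
            state.counter = 0
    state.last_update = now
    return "pass"


def run(events, threshold: int = COUNTER_THRESHOLD):
    """events: iterable of (timestamp_seconds, ip, backend_status).
    Returns the list of decisions and the final per-IP state."""
    states: dict = {}
    decisions = [handle_request(states, ts, ip, status, threshold)
                 for ts, ip, status in events]
    return decisions, states


if __name__ == "__main__":
    # Constructed traffic: one address hammering the form once a second,
    # another failing five times and then logging in (302).
    attacker = [(t, "198.51.100.7", 200) for t in range(32)] + [(330, "198.51.100.7", 200)]
    user = [(t, "203.0.113.5", 200) for t in range(5)] + [(6, "203.0.113.5", 302)]
    events = sorted(attacker + user)
    decisions, states = run(events)
    for (ts, ip, _), verdict in zip(events, decisions):
        print(f"t={ts:>4}s {ip:<14} {verdict}")
    print(states)
```

Running it shows the attacker's 32nd request (one second after the 31st failure) being denied and the request at t=330 s passing again once the block has expired, while the legitimate user's counter is back at 0 after the redirect. Change the `threshold` argument to 5 to replay the same traffic against the xmlrpc.php numbers.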