PLEASE NOTE: This tutorial is for VPS or Dedicated Servers. If you have any other plan with us, this has already been done on the server
There are many plugins out there that protect a WordPress website from Brute Force attacks. The problem is, they are very resource intensive since they run through PHP. Not to mention, having to load a plugin for every single WordPress site on a server causes even more strain on the server and is not an efficient way to protect you and your clients from Brute Force attacks
There are two popular WordPress brute force attacks. One aimed at hitting the wp-admin and the other aimed at hitting xmlrpc.php. Both of these seem very small, but can cause your CPU loads to rise, your websites to load slow, and in a worst case scenario, a hacked website.
Add the following rules to your mod_security ruleset and they will help block the two attacks
SecDataDir /tmp
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:5000134
#SecAction phase:1,nolog,pass,initcol:ip=%{REQUEST_HEADERS.x-forwarded-for},id:5000134
<Locationmatch “/wp-login.php”>
SecRule ip:bf_block “@gt 0” “deny,status:401,log,id:5000135,msg:’ip address blocked for 5 minutes, more than 30 login attempts in 3 minutes.'”
SecRule RESPONSE_STATUS “^302” “phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136”
SecRule RESPONSE_STATUS “^200” “phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137”
SecRule ip:bf_counter “@gt 30” “t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block=300,setvar:ip.bf_counter=0”
</locationmatch>
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000234
<Locationmatch “/xmlrpc.php”>
SecRule user:bf_block “@gt 0” “deny,status:401,log,id:5000235,msg:’ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'”
SecRule RESPONSE_STATUS “^200” “phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000237”
SecRule ip:bf_counter “@gt 5” “t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0”
</Locationmatch>