How to Stop WordPress wp-login.php Brute Force Attack on a cPanel Server

I am seeing a lot of WordPress wp-login.php brute-force attacks these days. In this tutorial I explain how to stop wp-login.php attacks on a cPanel server.

Server with few WordPress Websites

If you have only a few WordPress websites on the server, you can simply install a WordPress security plugin on each of them. Below I have listed a few good WordPress plugins that stop brute-force attacks.

Server with many WordPress Websites

If your server hosts many WordPress websites, or you use the server to sell hosting, installing a security plugin on every WordPress site is not practical. The steps below protect every site on the server from wp-login.php brute-force attacks at the web server and firewall level instead.

Requirements

  1. mod_security Apache module: if mod_security is not installed on the server, run EasyApache from WHM with mod_security selected.
  2. ConfigServer Firewall (csf): if csf is not installed on the server, run the commands below over SSH to install it. The last command, csftest.pl, checks that the kernel has the iptables modules csf needs.
rm -fv csf.tgz
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
perl /usr/local/csf/bin/csftest.pl

Step 1:

Log into WHM as root. The WHM login URL is:

https://SERVER-IP:2087

Replace SERVER-IP with your server's actual IP. Port 2086 is WHM's plain-HTTP port; use the TLS port 2087 so the root password is not sent in clear text.

Step 2:

Navigate to:

WHM Home >> Plugins >> Mod Security

Step 3:

Click the Edit Config button at the top. This opens the Mod_Security configuration page.

Step 4:

Add the code below at the bottom of the page and click the Save Configuration button.

# Start wp-login.php brute attack
# The ip and user collections are persisted under SecDataDir. /tmp is
# world-writable; a directory writable only by the Apache user is preferable.
SecUploadDir /tmp
SecTmpDir /tmp
SecDataDir /tmp

SecRequestBodyAccess On

# Phase 1: open the persistent ip and user collections, keyed by client address.
# Behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address, not the client's.
SecAction "phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000134"

<LocationMatch "/wp-login.php">
    # Client already blocked: refuse the request. These denials are what csf/lfd counts.
    SecRule USER:bf_block "@gt 0" "phase:2,deny,status:401,log,id:5000135,msg:'IP address blocked for 20 minutes, more than 3 login attempts in 10 minutes.'"

    # WordPress answers a successful login with a 302 redirect: reset the counter.
    SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"

    # A failed login re-renders the form with a 200. Count only POSTs, so that
    # merely viewing the login page does not count as a failure. The counter
    # decays by 1 every 600 seconds; when it exceeds 3 (the fourth failure) the
    # client is blocked for 1200 seconds and the counter is reset.
    SecRule REQUEST_METHOD "@streq POST" "phase:5,chain,t:none,nolog,pass,id:5000137"
        SecRule RESPONSE_STATUS "^200" "chain,t:none,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/600"
            SecRule IP:bf_counter "@gt 3" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=1200,setvar:ip.bf_counter=0"
</LocationMatch>
ErrorDocument 401 default
# End wp-login.php brute attack

Step 5:

Now Navigate to:

WHM Home >> Plugins >> ConfigServer Security & Firewall

Step 6:

Click the Firewall Configuration button and, in the configuration page, set LF_MODSEC to 5. LF_MODSEC is the number of mod_security denials from one IP, read by lfd from the Apache error log, within LF_INTERVAL seconds before lfd blocks that IP in iptables. 5 is also csf's default, so check the value rather than assume it.

Step 7:

Restart csf and lfd (the Restart csf+lfd button in WHM, or csf -ra over SSH) so the new setting takes effect.

Done!!!

The Mod_Security rules above keep a per-IP counter of wp-login.php responses with status 200, which is what a failed login returns (a successful login answers with a 302 redirect, which resets the counter). The counter decays by 1 every 600 seconds; once it exceeds 3, i.e. on the fourth failure, the IP is denied access to wp-login.php with a 401 for 1200 seconds (20 minutes) and the counter is reset. The rules apply to every website hosted on the server. Each denial is written to the Apache error log, and with LF_MODSEC set to 5, lfd blocks the IP in iptables after 5 such denials within LF_INTERVAL, so further attempts never reach Apache at all. Change the @gt 3 threshold, the 1/600 decay and the 1200 second expiry in the rules to change these limits.
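To check that the rules and the csf threshold behave as described, here is an added example script (not from the original tutorial, and not part of cPanel, ModSecurity or csf). It assumes the rule id 5000135 from the snippet above, the EasyApache 3 error log path /usr/local/apache/logs/error_log, a hypothetical second rule id 5000200 in the sample, and a constructed error_log excerpt for the offline run; the probe function only runs when a wp-login.php URL is passed on the command line.

```shell
#!/bin/sh
# Added example for this tutorial; not code from the original page or from cPanel/csf.
# Assumed: rule id 5000135 (the deny rule above), EasyApache 3 error log at
# /usr/local/apache/logs/error_log, and the constructed sample log lines below.

# probe_wp_login URL N
# POST N bad logins to wp-login.php and print the HTTP status of each request.
# With the rule in place you should see 200 four times and 401 from the fifth on.
probe_wp_login() {
    url="$1"; n="$2"; i=0
    while [ "$i" -lt "$n" ]; do
        i=$((i + 1))
        # log/pwd/wp-submit are the form fields wp-login.php expects.
        curl -s -o /dev/null -w '%{http_code}\n' \
            --data 'log=admin&pwd=wrong-password-probe&wp-submit=Log+In' "$url"
    done
}

# count_modsec_denials RULE_ID < error_log
# Print "IP COUNT" for every client denied by RULE_ID. These "Access denied"
# lines are what lfd counts against LF_MODSEC.
count_modsec_denials() {
    awk -v id="$1" '
        /ModSecurity: Access denied/ && index($0, "[id \"" id "\"]") {
            # Apache 2.4 logs [client 203.0.113.5:51022]; older builds omit the port.
            if (match($0, /\[client [0-9a-fA-F.:]+\]/)) {
                ip = substr($0, RSTART + 8, RLENGTH - 9)
                if (ip ~ /^[0-9.]+:[0-9]+$/) sub(/:[0-9]+$/, "", ip)   # strip IPv4 port
                n[ip]++
            }
        }
        END { for (ip in n) print ip, n[ip] }
    ' | sort
}

# lfd_candidates RULE_ID LF_MODSEC < error_log
# IPs that have reached the LF_MODSEC trigger level; lfd should have put them
# into iptables (verify with: csf -g IP).
lfd_candidates() {
    count_modsec_denials "$1" | awk -v t="$2" '$2 >= t { print $1 }'
}

# Constructed sample error_log excerpt (not real data): four denials for
# 203.0.113.5, one for 198.51.100.7, plus a warning and a denial by another
# (hypothetical) rule id 5000200, both of which must be ignored.
SAMPLE_LOG='[Mon Mar 04 10:15:22.101234 2019] [:error] [pid 4471] [client 203.0.113.5:51022] ModSecurity: Access denied with code 401 (phase 2). Operator GT matched 0 at USER:bf_block. [id "5000135"] [hostname "example.com"] [uri "/wp-login.php"]
[Mon Mar 04 10:15:23.204411 2019] [:error] [pid 4471] [client 203.0.113.5:51023] ModSecurity: Access denied with code 401 (phase 2). Operator GT matched 0 at USER:bf_block. [id "5000135"] [hostname "example.com"] [uri "/wp-login.php"]
[Mon Mar 04 10:15:40.771002 2019] [:error] [pid 4473] [client 198.51.100.7:40211] ModSecurity: Warning. Pattern match "select" at ARGS:s. [id "5000200"] [hostname "example.com"] [uri "/"]
[Mon Mar 04 10:15:24.330918 2019] [:error] [pid 4472] [client 203.0.113.5:51024] ModSecurity: Access denied with code 401 (phase 2). Operator GT matched 0 at USER:bf_block. [id "5000135"] [hostname "example.com"] [uri "/wp-login.php"]
[Mon Mar 04 10:16:01.009120 2019] [:error] [pid 4473] [client 198.51.100.7] ModSecurity: Access denied with code 401 (phase 2). Operator GT matched 0 at USER:bf_block. [id "5000135"] [hostname "shop.example.com"] [uri "/wp-login.php"]
[Mon Mar 04 10:15:25.412870 2019] [:error] [pid 4471] [client 203.0.113.5:51025] ModSecurity: Access denied with code 401 (phase 2). Operator GT matched 0 at USER:bf_block. [id "5000135"] [hostname "example.com"] [uri "/wp-login.php"]
[Mon Mar 04 10:16:05.118833 2019] [:error] [pid 4473] [client 198.51.100.7:40230] ModSecurity: Access denied with code 403 (phase 2). Pattern match "select" at ARGS:s. [id "5000200"] [hostname "example.com"] [uri "/"]'

case "${1:-}" in
    "")  printf '%s\n' "$SAMPLE_LOG" | count_modsec_denials 5000135 ;;        # offline demo
    -f)  count_modsec_denials 5000135 < "$2"                                    # real log
         echo "--- at or above LF_MODSEC=5:"; lfd_candidates 5000135 5 < "$2" ;;
    *)   probe_wp_login "$1" 5 ;;                                               # live probe
esac
```

Run it with a URL (for example https://example.com/wp-login.php) from a host whose address you can afford to have blocked for 20 minutes; the expected output is 200 four times and 401 on the fifth request. On the server, `sh check-bf-rule.sh -f /usr/local/apache/logs/error_log` shows the denial counts lfd works from, `csf -g IP` shows whether lfd has already put the address into iptables, and `csf -tr IP` removes a temporary lfd block for a client who locked himself out.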


2 Comments

  • What if the client says it was him who was trying to log in but had forgotten the password, and wants us to enable login immediately?

    • The client should contact the hosting provider to remove his IP from the blocked list of the CSF firewall.

      If the client is on a dynamic IP, he can change his IP by restarting his internet modem.
      If the client is using a static IP, he should give his IP to the hosting provider to add it to the ignore list of the CSF firewall.
