I am seeing a lot of WordPress wp-login.php brute force attacks these days. In this tutorial I will explain how to stop wp-login.php attacks on a cPanel server, first for a server with a handful of WordPress sites and then for a shared server where a per-site plugin is not practical.
Server with few WordPress Websites
If you host only a few WordPress websites on the server, the simplest option is to install a WordPress security plugin on each site. Below are some plugins that limit or block brute force login attempts (several also rename or hide wp-login.php, or enforce strong passwords, which reduces the payoff of a brute force attack in the first place).
- Limit Login Attempts
- Block brute-force attacks
- BruteProtect
- Lockdown WP Admin
- WP Fail2Ban
- Admin Renamed Extended
- Enforce Strong Password
- Wordfence Security
- 3WP Activity Monitor
- All in one WP Security
- Rename wp-login.php
- Brute Force Login Protection
Server with many WordPress Websites
If your server hosts many WordPress websites, or if you use your server to sell hosting, then it is not possible to install a WordPress security plugin on every WordPress website. In that case protect the whole server at the web server and firewall layer instead: mod_security counts failed logins to wp-login.php and denies the offending IP, and ConfigServer Firewall (CSF) then blocks repeat offenders in iptables so their requests never reach Apache at all. Here is how to set that up.
Requirements
- Mod Security Apache module: If the mod_security Apache module is not installed on the server, run EasyApache from WHM with Mod Security selected.
- ConfigServer Firewall: If ConfigServer Firewall (csf and its daemon lfd) is not installed on the server, run the commands below over SSH as root to install it. The last command is the csf test script, which reports any iptables modules the server is missing.
rm -fv csf.tgz
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
perl /usr/local/csf/bin/csftest.pl
Step 1:
Log in to WHM as the root user. The WHM login URL is:
http://SERVER-IP:2086 (or https://SERVER-IP:2087 over SSL)
Replace SERVER-IP with your server's actual IP.
Step 2:
Navigate to:
WHM Home >> Plugins >> Mod Security
Step 3:
Click the Edit Config button at the top. This opens the Mod_Security configuration page, which edits the user rules file /usr/local/apache/conf/modsec2.user.conf.
Step 4:
Add the rules below at the bottom of the page and click the Save Configuration button. The rules are scoped to wp-login.php with a LocationMatch block; without that scope the counter would count every 200 response on the server and block ordinary visitors. Inside the block, each request initialises per-IP collections, then the phase 5 rules watch the response: WordPress answers a failed login by re-rendering the form with a 200, and a successful login with a 302 redirect, so a 302 resets the counter and a 200 increments it. The counter decays by 1 every 600 seconds (10 minutes); once it exceeds 3 the IP is flagged, and for the next 1200 seconds (20 minutes) every request from it to wp-login.php is denied with a 401. Each denial is written to the Apache error log, which is what CSF's lfd reads in Step 6. One caveat: a plain GET of the login form is also a 200, so a user who reloads wp-login.php more than three times in ten minutes will be locked out for twenty minutes too.
# Start wp-login.php brute attack
SecUploadDir /tmp
SecTmpDir /tmp
SecDataDir /tmp
SecRequestBodyAccess On
<LocationMatch "/wp-login.php">
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000134
SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'IP address blocked for 20 minutes, more than 3 login attempts in 10 minutes.'"
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/600,id:5000137"
SecRule ip:bf_counter "@gt 3" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=1200,setvar:ip.bf_counter=0"
</LocationMatch>
ErrorDocument 401 default
# End wp-login.php brute attack
Step 5:
Now Navigate to:
WHM Home >> Plugins >> ConfigServer Security & Firewall
Step 6:
Click the Firewall Configuration button. In the configuration page set LF_MODSEC to 5. This tells lfd to add a firewall block for any IP that mod_security denies 5 times within LF_INTERVAL (3600 seconds by default), so a persistent attacker is dropped by iptables instead of continuing to hit Apache every 20 minutes when the mod_security block expires.
Step 7:
Restart CSF and lfd so the new setting is read (the Restart csf+lfd button in WHM, or csf -ra over SSH).
Done!!! To confirm it is working, watch the Apache error log for 401 denials carrying rule id 5000135 (on an EasyApache 3 server that is /usr/local/apache/logs/error_log), and run csf -g IP-ADDRESS to see whether lfd has since added the attacking IP to iptables.
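As an added check, not part of the original tutorial: the script below counts the ModSecurity "Access denied" lines per client IP in an Apache error log, which is the same evidence lfd uses for LF_MODSEC, and prints every IP at or above a threshold. It assumes the Apache 2.2/2.4 error-log format and an EasyApache 3 log path; the sample log lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original tutorial): find client IPs that
# ModSecurity has denied often enough for lfd to firewall them (LF_MODSEC).
# lfd reads the same "Access denied" lines from the Apache error log; on an
# EasyApache 3 cPanel server that file is /usr/local/apache/logs/error_log.

# Constructed sample log. 203.0.113.5 trips rule 5000135 four times,
# 198.51.100.7 is denied once and warned once (warnings are not denials),
# and the 404 line is ordinary noise that must be ignored.
SAMPLE_LOG='[Wed Jun 04 10:00:01 2014] [error] [client 203.0.113.5] ModSecurity: Access denied with code 401 (phase 2). Operator GT matched 0 at USER:bf_block. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "9"] [id "5000135"] [msg "IP address blocked for 20 minutes, more than 3 login attempts in 10 minutes."] [hostname "example.com"] [uri "/wp-login.php"]
[Wed Jun 04 10:00:04 2014] [error] [client 203.0.113.5] ModSecurity: Access denied with code 401 (phase 2). Operator GT matched 0 at USER:bf_block. [id "5000135"] [uri "/wp-login.php"]
[Wed Jun 04 10:00:09 2014] [error] [client 198.51.100.7] ModSecurity: Warning. Pattern match "(?:\bunion\b.*\bselect\b)" at ARGS:s. [id "950001"] [uri "/?s=union+select"]
[Wed Jun 04 10:01:30 2014] [error] [client 192.0.2.9] File does not exist: /home/example/public_html/favicon.ico
[Wed Jun 04 10:02:11 2014] [error] [client 203.0.113.5] ModSecurity: Access denied with code 401 (phase 2). Operator GT matched 0 at USER:bf_block. [id "5000135"] [uri "/wp-login.php"]
[Wed Jun 04 10:03:45 2014] [error] [client 198.51.100.7] ModSecurity: Access denied with code 401 (phase 2). Operator GT matched 0 at USER:bf_block. [id "5000135"] [uri "/wp-login.php"]
[Wed Jun 04 10:05:02 2014] [error] [client 203.0.113.5] ModSecurity: Access denied with code 401 (phase 2). Operator GT matched 0 at USER:bf_block. [id "5000135"] [uri "/wp-login.php"]'

# Emit the log to scan: the file given as $1, or the constructed sample.
log_source() {
    if [ -n "$1" ]; then
        cat -- "$1"
    else
        printf '%s\n' "$SAMPLE_LOG"
    fi
}

# Usage: modsec_offenders THRESHOLD [ERROR_LOG]
# Prints "IP count" for each client denied at least THRESHOLD times, busiest
# first. Only denials count; ModSecurity warnings and unrelated errors are
# skipped, matching what lfd looks for. The "[client IP]" field is the
# Apache 2.2 form; Apache 2.4 appends ":port", which the pattern tolerates.
modsec_offenders() {
    threshold=$1
    log_source "$2" |
    grep 'ModSecurity: Access denied' |
    sed -n 's/.*\[client \([0-9.]*\).*/\1/p' |
    sort | uniq -c | sort -rn |
    awk -v t="$threshold" '$1 >= t { print $2, $1 }'
}

# Run against the sample with the tutorial's LF_MODSEC-style threshold of 3.
modsec_offenders 3
```

On a live server run it as `modsec_offenders 5 /usr/local/apache/logs/error_log`. It counts over the whole file, whereas lfd only counts denials inside the LF_INTERVAL window, so an IP listed here may already have aged out of lfd's view; check `csf -g IP-ADDRESS` for the block that actually exists in iptables.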