How to Stop WordPress wp-login.php Brute Force Attack on a cPanel Server


I am seeing a lot of WordPress wp-login.php brute force attacks these days. In this tutorial I will explain how to stop wp-login.php attacks on a cPanel server.

Server with a Few WordPress Websites

If you have only a few WordPress websites on the server, you can simply install a WordPress security plugin on each of them. Below I have listed a few good WordPress plugins to stop brute force attacks.

Server with Many WordPress Websites

If your server hosts many WordPress websites, or if you use your server to sell hosting, then it is not possible to install a WordPress security plugin on every WordPress website. Here is how you can protect the whole server from wp-login.php brute force attacks.


  1. Mod Security Apache Module: If you do not have the mod_security Apache module installed on the server, run Easy Apache from WHM with mod_security selected.
  2. ConfigServer Firewall: If you do not have ConfigServer Firewall installed on the server, run the commands below over SSH to install it.
rm -fv csf.tgz
tar -xzf csf.tgz
cd csf
perl /usr/local/csf/bin/

Step 1:

Log in to WHM as the root user. The server's WHM login URL is:


Replace SERVER-IP with your server’s actual IP.

Step 2:

Navigate to:

WHM Home >> Plugins >> Mod Security

Step 3:

Click the Edit Config button located at the top. This will open the Mod_Security configuration page.

Step 4:

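Add the code below at the bottom of the page and click the Save Configuration button.

# Start wp-login.php brute attack
# Storage for uploads, temporary files and the persistent ip/user collections
SecUploadDir /tmp
SecTmpDir /tmp
SecDataDir /tmp
SecRequestBodyAccess On

# Open the persistent "ip" and "user" collections, both keyed by the client IP
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000134

# Scope the tracking rules to wp-login.php only
<LocationMatch "/wp-login.php">
    # Deny with 401 while the block flag is set for this client
    SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'IP address blocked for 20 minutes, more than 3 login attempts in 10 minutes.'"
    # A 302 redirect means the login succeeded: reset the counter
    SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
    # A 200 means the login failed: count it (the counter decays by 1 every 600 seconds).
    # Above 3 failures the chained rule sets the block flag for 1200 seconds and resets the counter.
    SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/600,id:5000137"
    SecRule ip:bf_counter "@gt 3" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=1200,setvar:ip.bf_counter=0"
</LocationMatch>

ErrorDocument 401 default
# End wp-login.php brute attack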

Step 5:

Now navigate to:

WHM Home >> Plugins >> ConfigServer Security & Firewall

Step 6:

Click the Firewall Configuration button. On the configuration page, set the value of LF_MODSEC to 5.

Step 7:

Restart the CSF firewall.


The Mod Security code above blocks an IP for 20 minutes if it makes 3 failed login attempts to wp-login.php in 10 minutes. The rule applies to all websites hosted on the server. To change these limits, edit the threshold (@gt 3), the counter decay (deprecatevar:ip.bf_counter=1/600) and the block duration (expirevar:user.bf_block=1200) in the code.
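
To see which addresses these rules would have blocked before you enable them, the added example below (not part of the original tutorial) replays Apache access log lines through a simplified model of the counter, decay and block logic. It assumes the common/combined log format and that the rules apply only to wp-login.php; the function name, the decay approximation and the sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Thresholds copied from the tutorial's rules.
MAX_FAILS = 3      # SecRule ip:bf_counter "@gt 3"
DECAY_SECS = 600   # deprecatevar:ip.bf_counter=1/600
BLOCK_SECS = 1200  # expirevar:user.bf_block=1200

# Apache common/combined log format: client IP, [timestamp], "METHOD path ...", status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) ')

def replay(lines):
    """Return {ip: [log timestamp of each block the rules would have set]}."""
    state, blocks = {}, {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m.group(3).split("?")[0].endswith("/wp-login.php"):
            continue                      # rules only watch wp-login.php
        ip, raw_ts, _path, status = m.groups()
        ts = datetime.strptime(raw_ts, "%d/%b/%Y:%H:%M:%S %z")
        s = state.setdefault(ip, {"count": 0, "last": ts, "until": ts})
        if ts < s["until"]:
            continue                      # rule 5000135 would have answered 401
        if status == "302":               # rule 5000136: successful login resets
            s["count"], s["last"] = 0, ts
        elif status == "200":             # rule 5000137: any 200 counts, GET included
            decay = int((ts - s["last"]).total_seconds() // DECAY_SECS)
            s["count"] = max(0, s["count"] - decay) + 1   # approximate decay model
            s["last"] = ts
            if s["count"] > MAX_FAILS:    # chained rule: set the block flag
                s["until"] = ts + timedelta(seconds=BLOCK_SECS)
                s["count"] = 0
                blocks.setdefault(ip, []).append(raw_ts)
    return blocks

# Constructed sample lines (documentation IP ranges, not real traffic).
ROWS = [("203.0.113.7", "10:00:00", "POST /wp-login.php", 200),
        ("203.0.113.7", "10:00:05", "POST /wp-login.php", 200),
        ("203.0.113.7", "10:00:10", "POST /wp-login.php", 200),
        ("198.51.100.9", "10:00:12", "GET /wp-login.php", 200),
        ("203.0.113.7", "10:00:15", "POST /wp-login.php", 200),
        ("203.0.113.7", "10:00:20", "POST /wp-login.php", 200),
        ("198.51.100.9", "10:00:30", "POST /wp-login.php", 200),
        ("198.51.100.9", "10:00:40", "POST /wp-login.php", 302),
        ("203.0.113.7", "10:00:50", "GET /index.php", 200)]
SAMPLE = ['%s - - [12/Mar/2024:%s +0000] "%s HTTP/1.1" %d 512' % r for r in ROWS]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

Because the rules do not check the request method, the model also counts plain page loads of wp-login.php that return 200, which is worth keeping in mind when choosing the threshold.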
