Help to protect WordPress login from brute force attacks

I have a small cPanel server running some WordPress sites, and today I've noticed there is an IP attempting to log in. I've done a quick block for the IP in ConfigServer Firewall, but I can still see login attempts. If I try to ping the IP, it's actually being blocked; not sure why it's not working the other way.

With a provider I have, after 5 failed attempts to log in, the wp-admin side gets blocked. How do I do that? Where (CSF or ModSecurity)?

Any idea how to stop it? For every WordPress installation, so no WP plugins should be used.

Thank you!

EDIT:

  1. Francisco has some in-house coded protection against this. Maybe ask him for help.
  2. LiteSpeed has protection against WordPress brute force, not sure how effective.
  3. Imunify360 has some ModSecurity rules that trigger a captcha if someone attempts to log in many times. You can pay for Imunify360, or run their trial and then find the rule that they use, and adapt it to your own solution.

Plugin WordFence.

Free version is enough.

.htaccess password protect /wp-login.php

Just a simple login prompt on that file and your requests will stop. Much lighter weight than running a security plugin.

Thank you. Options 1 and 2 look doable. Imunify360 looks expensive but I'm going to test it.

@FHR @Harambe I prefer not to use more plugins or change anything inside the individual cPanel accounts.

I still don’t know why they are able to reach the server:

EDIT: CSF only sees Cloudflare IPs :frowning:

@Francisco I'd appreciate it if you can share some tips here :blush:

I have a global rule that catches requests to those pages and then injects my click-thru page in between.

Nothing stops you from just adding a wordpress.conf file in /etc/apache2/conf.d/ that does some basic rewrites to catch the request and do whatever you want.

Francisco

1 Like
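A concrete version of the two suggestions above (the Basic Auth prompt on wp-login.php from the .htaccess reply, applied server-wide from one file under /etc/apache2/conf.d/ as Francisco describes, so no per-account .htaccess is touched). This is an added example, not code from either poster. It assumes Apache 2.4 with mod_auth_basic and mod_authn_file loaded, that /etc/apache2/conf.d/wordpress.conf is included by the main config as the post states, the password file path /etc/apache2/wp-login.htpasswd, and that Apache runs as the user nobody as on a typical cPanel box.

```shell
#!/bin/sh
# Added example: a server-wide Basic Auth prompt on wp-login.php.
# Assumed paths and user (not from the thread): HTPASSWD_FILE, CONF_FILE, nobody.
HTPASSWD_FILE="${HTPASSWD_FILE:-/etc/apache2/wp-login.htpasswd}"
CONF_FILE="${CONF_FILE:-/etc/apache2/conf.d/wordpress.conf}"

# Print the Apache 2.4 fragment. A <Files> block in the main server config
# applies to every virtual host, so individual cPanel accounts need no
# .htaccess changes. The AuthUserFile must live outside every docroot so
# it can never be downloaded.
render_wp_login_auth() {
    cat <<EOF
# wordpress.conf: challenge every request to wp-login.php, on all vhosts
<Files "wp-login.php">
    AuthType Basic
    AuthName "WordPress login"
    AuthUserFile "$1"
    Require valid-user
</Files>
EOF
}

# Create or update one htpasswd entry. -B selects bcrypt; -c creates the
# file on first use. The password is read interactively on purpose:
# passing it with -b would leave it in shell history.
add_wp_login_user() {
    user="$1"; file="$2"
    if [ -f "$file" ]; then
        htpasswd -B "$file" "$user"
    else
        htpasswd -B -c "$file" "$user"
    fi
    # readable by root and the Apache user (assumed: nobody), nobody else
    chown root:nobody "$file" && chmod 0640 "$file"
}

# Write the fragment, then validate before reloading, so a typo in the
# global file cannot take every site on the server down at once.
install_wp_login_auth() {
    render_wp_login_auth "$HTPASSWD_FILE" > "$CONF_FILE"
    apachectl configtest && apachectl graceful
}

# Dry run when executed directly: show what would be written.
# Real use: add_wp_login_user editor "$HTPASSWD_FILE" && install_wp_login_auth
render_wp_login_auth "$HTPASSWD_FILE"
```

Two caveats a practitioner would want: Basic Auth sends the credential base64-encoded, not encrypted, so this is only sound on sites that are HTTPS-only; and it covers wp-login.php but not xmlrpc.php, which WordPress also accepts credentials on (putting Basic Auth on xmlrpc.php breaks Jetpack and the mobile apps, so rate-limit it instead, as the Centmin Mod reply further down does).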

That's why CSF blocking is not working; configure your web server properly so the real IP is passed from CF to your web server's logs.
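What "configure your web server properly" looks like for the Apache/cPanel setup in the question, as an added example (not the poster's code). It assumes Apache 2.4 with mod_remoteip available, that /etc/apache2/conf.d/remoteip.conf is included by the main config, and uses Cloudflare's published range lists at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6; the three ranges embedded in the demo are a constructed subset for offline use, not the full list.

```shell
#!/bin/sh
# Added example: have Apache record the visitor's real IP behind Cloudflare,
# so CSF/lfd ban the attacker instead of a Cloudflare edge node.
CONF_FILE="${CONF_FILE:-/etc/apache2/conf.d/remoteip.conf}"   # assumed path

# Download the published Cloudflare ranges (real URLs). Re-run this on a
# schedule: the list changes, and a stale list silently logs traffic from
# any new edge as if the edge itself were the client.
fetch_cf_ranges() {
    out="$1"
    curl -fsS https://www.cloudflare.com/ips-v4 > "$out" &&
    printf '\n' >> "$out" &&
    curl -fsS https://www.cloudflare.com/ips-v6 >> "$out"
}

# Render the mod_remoteip fragment from a ranges file (one CIDR per line,
# blank lines and # comments ignored). RemoteIPTrustedProxy is the security
# control: CF-Connecting-IP is honoured only when the TCP peer is in these
# ranges. Without it, anyone who can reach the origin directly can forge the
# header, hide their own address, or get an arbitrary third party banned.
render_remoteip() {
    ranges="$1"
    echo "RemoteIPHeader CF-Connecting-IP"
    grep -Ev '^[[:space:]]*(#|$)' "$ranges" | while IFS= read -r cidr; do
        echo "RemoteIPTrustedProxy $cidr"
    done
}

# Fetch, write, validate, reload. configtest first so a bad download cannot
# break every vhost.
install_remoteip() {
    tmp="$(mktemp)"
    fetch_cf_ranges "$tmp" && render_remoteip "$tmp" > "$CONF_FILE" &&
    apachectl configtest && apachectl graceful
    rm -f "$tmp"
}

# Demo: constructed sample with three real Cloudflare ranges, not the full
# list. Real use: install_remoteip
sample="$(mktemp)"
printf '%s\n' '173.245.48.0/20' '103.21.244.0/22' '' '2400:cb00::/32' > "$sample"
render_remoteip "$sample"
rm -f "$sample"
```

Check the result in the access log, not just the config: after mod_remoteip rewrites the client address, `%a` in a LogFormat shows the visitor, while `%h` still shows the TCP peer (Cloudflare), so logs that CSF/lfd parse must use `%a`. The nginx equivalent, for the Centmin Mod setup mentioned later, is `set_real_ip_from <cidr>;` per range plus `real_ip_header CF-Connecting-IP;` from ngx_http_realip_module. Finally, a ban on the real IP only bites if the attacker cannot bypass Cloudflare: restrict ports 80/443 on the origin to the same Cloudflare ranges in CSF.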

For my Centmin Mod LEMP stack WordPress auto-installer, wp-login.php and xmlrpc.php are automatically set up with rate limiting at the nginx level; IIRC it works out to about 1 request every 3 seconds.

Then if you combine that with either fail2ban or CSF (for Centmin Mod Nginx) banning, you can inspect the nginx logs for nginx rate-limit entries and ban at the CSF firewall level.

Of course this all only works if you fix your Cloudflare real IP pass-through to your web server first, so that the web server log files see the visitor's real IP.

There's also a WP plugin for limiting login failures too.

1 Like
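The approach described in the reply above, as an added example rather than Centmin Mod's own code: an nginx limit_req fragment that works out to the stated 1 request per 3 seconds on wp-login.php and xmlrpc.php, and a scan of the nginx error log for the resulting rate-limit entries that hands repeat offenders to CSF. Assumed, not from the post: the zone name wplogin, the error log path /var/log/nginx/error.log, the ban threshold and TTL, and the sample log lines, which are constructed.

```shell
#!/bin/sh
# Added example, not Centmin Mod's code: nginx limit_req on the two WordPress
# credential endpoints plus a log scan that feeds CSF.
ERROR_LOG="${ERROR_LOG:-/var/log/nginx/error.log}"   # assumed path
THRESHOLD="${THRESHOLD:-3}"                           # rate-limit hits before a ban (assumed)

# nginx fragment. 20r/m is one request every 3 seconds, as the post describes.
# burst=3 lets a real user's GET of the form plus POST through; nodelay rejects
# anything beyond that immediately instead of queueing it. Place the regex
# location before the generic "location ~ \.php$" so it wins the match.
render_nginx_limit() {
    cat <<'EOF'
# http {} context
limit_req_zone $binary_remote_addr zone=wplogin:10m rate=20r/m;
limit_req_status 429;

# inside each server {} that hosts WordPress, before the generic PHP location
location ~ ^/(wp-login|xmlrpc)\.php$ {
    limit_req zone=wplogin burst=3 nodelay;
    # your existing fastcgi_pass / PHP handler directives go here
}
EOF
}

# Each rejection produces an error-log line containing
#   ... limiting requests, excess: 3.120 by zone "wplogin", client: 203.0.113.7, ...
# Count those per client for our zone only and print addresses at or over the
# threshold. IPv6 clients contain colons but never commas, so the match holds.
offending_ips() {
    log="$1"; min="$2"
    awk -v zone='zone "wplogin"' -v min="$min" '
        index($0, "limiting requests") && index($0, zone) {
            if (match($0, /client: [^,]+/)) {
                ip = substr($0, RSTART + 8, RLENGTH - 8)   # strip the "client: " prefix
                hits[ip]++
            }
        }
        END { for (ip in hits) if (hits[ip] >= min) print ip }
    ' "$log" | sort
}

# Temporary CSF deny (csf -td ip ttl comment) for each offender; an hour is
# enough to break a brute-force run without permanently denying a shared NAT.
# DRY_RUN=1 (the default) only prints the commands.
ban_offenders() {
    offending_ips "$1" "$2" | while IFS= read -r ip; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "would run: csf -td $ip 3600 wp-login rate limit"
        else
            csf -td "$ip" 3600 "wp-login rate limit"
        fi
    done
}

# Demo on a constructed log (not real traffic). Real use, from cron:
#   DRY_RUN=0 ban_offenders "$ERROR_LOG" "$THRESHOLD"
sample="$(mktemp)"
cat > "$sample" <<'EOF'
2024/05/01 10:00:00 [error] 1234#0: *77 limiting requests, excess: 3.120 by zone "wplogin", client: 203.0.113.7, server: example.com, request: "POST /wp-login.php HTTP/1.1", host: "example.com"
2024/05/01 10:00:01 [error] 1234#0: *78 limiting requests, excess: 3.900 by zone "wplogin", client: 203.0.113.7, server: example.com, request: "POST /wp-login.php HTTP/1.1", host: "example.com"
2024/05/01 10:00:02 [error] 1234#0: *79 limiting requests, excess: 4.700 by zone "wplogin", client: 203.0.113.7, server: example.com, request: "POST /xmlrpc.php HTTP/1.1", host: "example.com"
2024/05/01 10:00:05 [error] 1234#0: *80 limiting requests, excess: 0.200 by zone "wplogin", client: 198.51.100.2, server: example.com, request: "POST /wp-login.php HTTP/1.1", host: "example.com"
2024/05/01 10:00:06 [error] 1234#0: *81 limiting requests, excess: 9.000 by zone "api", client: 203.0.113.9, server: example.com, request: "GET /api HTTP/1.1", host: "example.com"
EOF
render_nginx_limit
ban_offenders "$sample" "$THRESHOLD"
rm -f "$sample"
```

As the reply stresses, this is only as good as the real-IP fix: behind Cloudflare without ngx_http_realip_module configured, `$binary_remote_addr` is the edge's address, so the limit throttles all of Cloudflare at once and the scan bans Cloudflare rather than the attacker.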