Nowadays, a lot of websites are built on the popular blogging platform WordPress. It’s fast, highly customizable and pretty easy to use. You can use it for your personal blog, a personal or business website, an online store and basically any other type of website.

The most common problem is WordPress brute-force attacks: scripts or bots that try to guess your admin password, or try to inject malicious PHP code into your scripts in order to send spam or upload scam or phishing pages into your hosting account.

Fortunately, there is mod_security (a security module for the Apache web server) and CSF Firewall (a highly customizable firewall, written in Perl and based on iptables rules).

In order to prevent and automatically block WordPress brute-force attacks you have to make some customizations to your mod_security rules.

Assuming you already have a running Apache web server and some sites built on WordPress, and you have installed both mod_security (a standard package on cPanel servers) and CSF Firewall, here is what you should do:

WordPress bruteforce mod_security protection

Open your modsec.conf file and add the following:

Save the file and restart your web server (/etc/init.d/httpd restart).

WordPress bruteforce protection with CSF firewall

Open csf.configuration file /etc/csf/csf.conf and set the following values:

Save the file and restart csf:

Now when any of the rules above is triggered more than 25 times from the same address, the CSF Firewall will permanently block that IP address (the source of the attack).
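The following is an added example, not a block from the original post or from the CSF project, that emulates what happens between the two sections above: mod_security writes an "Access denied" line to the Apache error log for every rule hit, and CSF's lfd daemon counts those lines per client IP and blocks the address once the count passes the LF_MODSEC threshold (LF_MODSEC_PERM = "1" makes the block permanent). The log lines are constructed sample data; the rule id, message and the 25-hit threshold are assumptions taken from the text, and the `count_denials`/`offenders` helpers are hypothetical names used only here. It is useful for checking, from a copy of the error log, which addresses would be blocked before enabling the permanent block.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the counting that
# CSF's lfd performs on mod_security denials before it blocks a source IP.
# Assumed threshold: the 25 triggers mentioned in the post, which corresponds
# to LF_MODSEC = "25" in /etc/csf/csf.conf (LF_MODSEC_PERM = "1" for a permanent block).

THRESHOLD=25

# Constructed sample in Apache error_log format (rule id and message are
# placeholders): 192.0.2.10 trips the wp-login rule 26 times, 198.51.100.7
# twice, and one unrelated non-mod_security line is mixed in.
sample_log() {
    i=0
    while [ "$i" -lt 26 ]; do
        echo '[Fri Mar 01 10:00:00 2019] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). [id "999999"] [msg "WordPress login brute force"] [uri "/wp-login.php"]'
        i=$((i + 1))
    done
    echo '[Fri Mar 01 10:00:05 2019] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). [id "999999"] [msg "WordPress login brute force"] [uri "/wp-login.php"]'
    echo '[Fri Mar 01 10:00:06 2019] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). [id "999999"] [msg "WordPress login brute force"] [uri "/wp-login.php"]'
    echo '[Fri Mar 01 10:00:07 2019] [error] [client 203.0.113.4] File does not exist: /var/www/html/favicon.ico'
}

# count_denials: read error-log lines on stdin and print "<count> <ip>" for
# every client IP that mod_security denied, most frequent first.
# The sed pattern accepts both "[client 1.2.3.4]" (Apache 2.2) and
# "[client 1.2.3.4:54321]" (Apache 2.4) forms.
count_denials() {
    grep 'ModSecurity: Access denied' \
      | sed -n 's/.*\[client \([0-9.]*\)[]:].*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# offenders: print only the IPs whose denial count exceeds THRESHOLD, i.e. the
# addresses lfd would hand to csf for blocking.
offenders() {
    count_denials | awk -v t="$THRESHOLD" '$1 > t {print $2}'
}

# Stand-alone run on the constructed sample (use "offenders < /usr/local/apache/logs/error_log"
# or the path of your own error log on a real server).
sample_log | offenders
```

Only 192.0.2.10 is reported: 198.51.100.7 tripped the rule but stayed under the threshold, which is the behaviour you want so that a user who mistypes a password a couple of times is not locked out permanently.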

I will not explain in this article what every rule does. It’s just a basic example which offers an extra layer of protection for your WordPress website.


About Author

I am passionate about Linux and currently work as a Senior Linux System Administrator. I am also a freelancer and help people complete different jobs. You can hire me on