# Using CSF to protect Wordpress?



## Belucci (Oct 1, 2014)

Is there an easy way to use it to protect against brute-force attacks of the wp-login page?

Or block them altogether for not whitelisted IPs?

I need a way that would work for like 20 WP sites at a single server without listing each particular URL.

I'm a CSF and server newbie.


----------



## Prestige (Oct 1, 2014)

I'm not sure about CSF. However, this mod_security rule might help. After multiple failed log ins in 3 minutes, they should receive a 401 Unauthorized error page.


```
# WordPress Bruteforce Protection
SecDataDir /tmp
SecAuditLogType Concurrent
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:500 0134
<LocationMatch "/wp-login.php">
    # Setup brute force detection.
 
    # React if block flag has been set.
    SecRule user:bf_block "@gt 0" "deny,status:401,log,auditlog,msg:'10 WordPress failed login attempts in 3 minutes.',severity:'2',id:5000135,tag:'WORDPRESS/BRUTEFORCE'"
 
    # Setup Tracking.  On a successful login, a 302 redirect is performed, a 200 indicates login failed.
    SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
    SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_cou nter=1/180,id:5000137"
    SecRule ip:bf_counter "@gt 10" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter =0"
</LocationMatch>
```


----------



## splitice (Oct 1, 2014)

CSF generally doesnt work at the application layer, you could probably make it work but there are other better solutions such as mod_security or probably wordpress plugins.


----------

