[Request] add wordpress limit loggin

hi.
can you add rule to limit failed logins?
i’m using DA.
or how can i add it manually ?


SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000134
<Locationmatch "/wp-login.php">
	SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"
	SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
	SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
	SecRule ip:bf_counter "@gt 10" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</locationmatch>

thanks

Have you tried to enable bruteforce protection rules?

yes.
but this rule make it 10 failed login limit.

BF protection should do the same.

yea. but it’s not blocking…

Hello. Please verify existence of strings “09_Bruteforce_Bruteforce.conf” and “userdata_login_pages” in your CWAF debug.log to make sure that bruteforce protection rules are loaded in ModSecurity.