Wordpress Bruteforce But Allow IP Rule

Hi,

I got Comodo WAF rules for ModSecurity, and I love them.

Would you have a Rule that I can use to protect wp-login.php and only allow the whitelisted IP.

I have a VPS and the ONLY IP that is accessing is my IP.

I could block wp-login.php with .htaccess and allow my IP, but it's a pain changing it in over 20 websites.

I tried the following two rules but could not get them to work. I also have Varnish Cache in front of Apache if that changes anything.

#Rule #1
SecRule REQUEST_METHOD "@streq POST" "chain,id:'1',phase:2,t:none,block,log,msg:'Warning: Direct Login Missing Referer.'"
SecRule REQUEST_FILENAME "@pm /wp-login.php /wp-admin/" "chain"
SecRule ARGS:log "@streq admin" "chain"
SecRule REMOTE_ADDR "!@ipMatch 72.192.214.223"
#Defending WordPress Logins from Brute Force Attacks | Trustwave | SpiderLabs | Trustwave

#Rule #2
# block wordpress login attempts
SecRule REQUEST_URI "wp-login.php" \
    "id:'9990227',severity:'3',msg:'Bad url - wp-login.php'"

#http://www.success.grownupgeek.com/index.php/2013/04/07/use-mod_security-to-block-ip-addresses/

Thanks

Rafael

Hi Rafael

I guess you can use the second rule to block WP access from all IPs excluding one. Try to modify it in such a way:


#Rule #2
## block wordpress login attempts
SecRule REQUEST_URI "wp-login.php" "id:'100',chain,severity:'3',msg:'Bad url - wp-login.php'"
SecRule REMOTE_ADDR "!@ipMatch YOUR.IP.ADDRESS.HERE"

Add this rule to the Custom User Rules file, located at /var/cpanel/cwaf/etc/httpd/custom_user.conf (or "Userdata" - "Custom Rules" from the CWAF plugin interface).
Try it on a single host and if it works fine just copy this file over all your hosts.

By the way, here is a good reference to mod_security rules:
Mod security - Atomicorp Wiki

Oleg,

The rule you shared is blocking wp-login.php and working. Thanks for the code.

Now the only problem is the IP, I am using Google PageSpeed Service (CDN) and I have Varnish Cache.

So I think the IP or the X-Forwarded is not being set in the correct spot.

Where does ModSecurity grab or look at the IP? Is it some logs?

Hi Rafael

To get your IP (as it is seen by mod_security) you can check the Apache access logs.

If you are talking about bruteforce protection, then I can answer you. The rule set has a special IP collection for this purpose. It is assigned in this rule:

SecRule &TX:REAL_IP "!@eq 0" \
    "id:210080,\
    phase:1,\
    pass,\
    initcol:global=global,\
    initcol:ip=%{tx.real_ip}_%{tx.ua_hash},\
    nolog,\
    t:none"

You can find how tx.real_ip and tx.ua_hash are calculated if you check the rules just before this one.
So you can’t modify this collection now, but if you find something interesting how we can improve it to make your case work - just pm me.

@TDmitry & @Oleg,

In my case the access logs are not being written by httpd. I have Varnish Cache. They use their own Varnish access logs.

/var/log/varnish/varnishncsa.log

Then since I have Google CDN, Varnish logs are displaying Google IPs.

So I have to figure out how to get everyone to play nice.

Will try the Varnish forum and Google PageSpeed forum and then I'll reply if I can find a solution.

Might take a while.

@Tdmitry

I don't think I'm smart enough to find or code ModSec rules.

The Comodo WAF Real_IP rules are a little beyond my current knowledge. =)
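The following is an added example, not a rule from this thread and not part of the Comodo WAF rule set. It combines Oleg's whitelist chain with the proxied-IP problem Rafael describes: when Varnish (and a CDN in front of it) forwards to Apache, REMOTE_ADDR is always the proxy, so the rule must read the client address from X-Forwarded-For, and it must only trust that header when the immediate peer is the known proxy, otherwise anyone could forge the header and bypass the whitelist. Assumptions: Varnish runs on the same VPS and connects from 127.0.0.1, the rule ids 900001 to 900004 are unused, and ADMIN.IP.ADDRESS.HERE is a placeholder for the whitelisted address. Syntax is ModSecurity 2.x.

```apache
# Assumed layout (example, not from the thread): Varnish on the same VPS
# forwards to Apache from 127.0.0.1 and appends the client address to
# X-Forwarded-For. Replace 127.0.0.1 with the real proxy address and
# ADMIN.IP.ADDRESS.HERE with the whitelisted IP.

# 1. Mark the connection as coming from our own proxy. Only then may
#    X-Forwarded-For be believed.
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1" \
    "id:900001,phase:1,pass,nolog,t:none,setvar:tx.trusted_proxy=1"

# 2. Take the first IPv4 address in X-Forwarded-For as the client IP,
#    but only when step 1 marked the peer as trusted.
SecRule TX:TRUSTED_PROXY "@eq 1" \
    "id:900002,phase:1,pass,nolog,t:none,chain"
    SecRule REQUEST_HEADERS:X-Forwarded-For "^\s*(\d{1,3}(?:\.\d{1,3}){3})" \
        "capture,setvar:tx.client_ip=%{TX.1}"

# 3. No forwarded address recorded (direct access without a proxy):
#    fall back to the TCP peer address.
SecRule &TX:CLIENT_IP "@eq 0" \
    "id:900003,phase:1,pass,nolog,t:none,setvar:tx.client_ip=%{REMOTE_ADDR}"

# 4. Deny wp-login.php unless the resolved client IP is whitelisted.
#    The msg records which address was rejected, which makes the audit
#    log useful for checking what IP ModSecurity actually saw.
SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
    "id:900004,phase:1,deny,status:403,log,t:none,\
    msg:'wp-login.php request from non-whitelisted IP %{tx.client_ip}',chain"
    SecRule TX:CLIENT_IP "!@ipMatch ADMIN.IP.ADDRESS.HERE"
```

The first entry in X-Forwarded-For is the weakest link: a visitor who sends their own X-Forwarded-For header to the CDN will usually see it preserved at the front of the list, so this whitelist is a layer on top of strong WordPress passwords, not a replacement for them. If the CDN supplies its own trusted client-address header, matching on that header instead of X-Forwarded-For is the stronger option. The denied address printed in the msg is also the quickest way to answer the question of which IP ModSecurity sees when the Apache access logs are empty.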