WordPress Bruteforce Protection not Working

Please provide updated rules for WordPress login bruteforce protection.

We are working on it. Check for updates.

Still it's not working?

Still Waiting :stuck_out_tongue:

Will be in next update. Sorry for delay.

Bruteforce protection was released in v1.13, but this category is currently disabled by default. Please enable it manually. If you would, please leave feedback after trying it.


I have enabled it; I will update you with the results.

Working very well for a WordPress site. Does this protection only work for WordPress, or for other software too?

One more thing: I don't want to block IP addresses. Can we show a custom human verification page after n failed logins, so that they verify themselves as human and can go back to the site again? I just tried to bruteforce one of the sites on my server and got banned, so this thought came to my mind.

It should work fine for applications where the following login pages are used:

wp-login.php login.php admin.php

Currently you can’t modify this list (actually you can, but your changes will be lost after an update). In the next release we will move this list to the “userdata” section, so you’ll be able to insert your custom login pages.

Your ban will be cleared in a few minutes. Generally it is possible to make human verification, but this requires interaction with the web application, so we are not planning to do it in the nearest future.

I think adding index.php to this list will protect against Joomla bruteforce also? But is it safe to just include “index.php”, or must the whole “/administrator/index.php” be included?

You can put a relative URL there, without the query string part, for example:


Your “/administrator/index.php” should protect Joomla, but only if the admin panel was not moved to another location.
If you put simply “index.php”, this can cause false positives, so it is better to include it as mentioned above.

Not working, please verify at your end and update me.

Please tell me how to enable it?
In what file?

If you are using cPanel, log in to “WHM”.

Now go to “comodowaf” → “catalog”.

Under “Item ID” click “Global”

Now you will be shown “Bruteforce ‘Bruteforce protection’” Off

Click on “off” to enable it, and down below you will find “implement”. Implement it and it's done.

We use DirectAdmin.
Therefore, it cannot be changed through this panel.
Tell me how to turn it on manually?

Please edit the following file: <CWAF_INSTALL_PATH>/etc/httpd/global/zzz_exclude_global.conf

In the block (SecRuleRemoveById), remove IDs: 220790, 220791, 220792, 220793, 220794, 220796, 220797, 220800, 220801

Restart Apache/LiteSpeed.

You have to redo these steps after a rules update.
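
The manual edit described in the post above, as an added example that is not part of the original thread and not Comodo's own tooling: a small Python function that takes the text of the exclude file and stops the listed bruteforce rule IDs from being removed, so the step can be repeated after each rules update. It assumes the file holds ordinary ModSecurity `SecRuleRemoveById` lines with space-separated IDs or `lo-hi` ranges (the file's real layout is not shown in the thread); `enable_rules` and `SAMPLE` are hypothetical names and the sample input is constructed.

```python
import re

# Rule ids named in the post above (the bruteforce-protection rules).
BRUTEFORCE_IDS = {220790, 220791, 220792, 220793, 220794,
                  220796, 220797, 220800, 220801}
_DIRECTIVE = re.compile(r"^(\s*SecRuleRemoveById\s+)(.*?)\s*$", re.IGNORECASE)

def _expand(token):
    """One directive argument ("220790" or "220790-220794") -> range of ids."""
    lo, _, hi = token.strip('"').partition("-")
    return range(int(lo), int(hi or lo) + 1)

def _compress(ids):
    """Sorted ids -> ModSecurity arguments, merging consecutive runs into lo-hi."""
    ids, out, i = sorted(ids), [], 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        out.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return out

def enable_rules(conf_text, enable=BRUTEFORCE_IDS):
    """Return conf_text with the `enable` ids no longer listed for removal."""
    result = []
    for line in conf_text.splitlines():
        m = _DIRECTIVE.match(line)
        if not m:
            result.append(line)  # comments and other directives pass through
            continue
        kept = {i for tok in m.group(2).split() for i in _expand(tok)} - set(enable)
        if kept:  # a directive left with no ids is dropped, not written empty
            result.append(m.group(1) + " ".join(_compress(kept)))
    return "\n".join(result) + "\n"

# Constructed sample; the real file's contents are not shown in the thread.
SAMPLE = """# constructed sample
SecRuleRemoveById 210000 220790-220794
SecRuleRemoveById 220796 220797 220800 220801
SecRuleRemoveById 220795 "220799"
"""

if __name__ == "__main__":
    print(enable_rules(SAMPLE), end="")
```

Exclusions for other rule IDs are kept, including IDs that sat inside a range together with the bruteforce rules. Write the result back to the exclude file and restart Apache/LiteSpeed as the post says.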

I still don't see rules for Joomla bruteforce protection?

Try to put your login path into “login_pages”, so the system will be able to protect this path from bruteforce.
This file will be renamed to “userdata_login_pages” to prevent wiping after an update.

Also make sure that bruteforce protection is turned on.

In the previous version 1.13, adding the path was not protecting Joomla. Did you update the rules for it?

Yes, it is updated, but needs further testing. Bruteforce protection is still disabled by default.