

WordPress brute force attack protection built in to LSWS

A brute force login attack is an attack against a website that tries to gain access by guessing the username and password over and over again. WordPress is the most popular CMS and is therefore a frequent target of such attacks. The wp-login.php and xmlrpc.php pages are the most common targets, hit with repeated POST requests. WordPress has no built-in feature to prevent these attacks, so you would otherwise need to find a third-party solution.

Since version 5.2.3, LSWS includes built-in WordPress brute force attack protection. It protects your shared hosting WordPress environment from large-scale DDoS-style login floods, which may otherwise even bring down your server.

Requires LiteSpeed Web Server version 5.2.3 or later.

Specifies the maximum number of POST attempts to the wp-login.php and xmlrpc.php pages allowed within 5 minutes before the IP is blocked.

This limit is handled using a quota system where quota = limit. Each POST attempt decreases the quota by 1, and the quota increases back toward the set limit over time. The IP is throttled once the quota drops to half of the limit, slowing further as the quota drops. When the quota reaches 0, the IP is blocked.

  • For example: if the limit is 10, throttling starts when there are more than 5 attempts within a short period of time. Each IP gets a quota of 10, and each attempt reduces it by 1; every 30 seconds the quota increases by 1. Once the quota reaches 0, the client is blocked. The quota is not reset all at once: it gradually climbs back to the maximum as long as the client stops hitting the URL.

cPanel Setup

The syntax of the Apache configuration directive is: WordPressProtect (0|1|5-1000)

  • 0 disables the protection.
  • 1 enables it using the server level setting as the limit; if no server level limit is set, the limit is 10.
  • A value from 5 to 1000 sets the limit explicitly.

Depending on which level you want to configure, add the following lines at the Server level, the Virtual Host level, or in .htaccess:

<IfModule Litespeed>
WordPressProtect 10
</IfModule>

On Server level

  • For EA3: /usr/local/apache/conf/includes/pre_main_global.conf
  • For EA4: /etc/apache2/conf.d/includes/pre_main_global.conf

On Virtual Host level

  • For EA3: /usr/local/apache/conf/userdata/lscache_vhosts.conf
  • For EA4: /etc/apache2/conf.d/userdata/lscache_vhosts.conf

Design logic

  • A Virtual Host level setting overrides both the Server level setting and the .htaccess file
  • A .htaccess setting overrides the Server level setting only

  Server Level   VHost Level   .htaccess   Result
  5              x             x           5
  5              x             20          20
  5              10            x           10
  5              10            20          10

  (x = directive not set at that level)

Real Testing

Testing a limit of 10 with a repeated-login script: the response time starts increasing at Round 6, and Round 11 finally gets a connection error.

Round:  1  Fail 0.626
Round:  2  Fail 0.615
Round:  3  Fail 0.605
Round:  4  Fail 0.581
Round:  5  Fail 0.595
Round:  6  Fail 1.619
Round:  7  Fail 2.615
Round:  8  Fail 3.611
Round:  9  Fail 4.602
Round:  10 Fail 5.604
Round:  11 Erro MSG:  ('Connection aborted.', RemoteDisconnected('Remote end closed connection without response',))
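As an added illustration (not LiteSpeed's own code), the quota and throttle mechanism described above and the override precedence from the Design logic table, modelled in Python. The per-request delay of "half the limit minus the remaining quota" seconds is an assumption fitted to the Real Testing timings, and the handling of the value 1 when the server level is 0 or unset is likewise assumed.

```python
DEFAULT_LIMIT = 10       # limit used by "WordPressProtect 1" when the server sets none
REFILL_SECONDS = 30      # quota grows back by 1 every 30 seconds (from the page)


def effective_limit(server=None, vhost=None, htaccess=None):
    """Resolve the limit by precedence: VHost > .htaccess > Server.

    None means the directive is absent at that level. A value of 1 means
    "enabled, inherit the server-level limit" (assumed: falls back to 10
    when the server level is absent, 0 or 1 itself).
    """
    for value in (vhost, htaccess, server):
        if value is None:
            continue
        if value == 1:
            return server if server not in (None, 0, 1) else DEFAULT_LIMIT
        return value          # 0 disables, 5-1000 sets the limit
    return DEFAULT_LIMIT


class IpQuota:
    """Per-IP quota: starts at limit, -1 per POST, +1 per 30 s, block at 0."""

    def __init__(self, limit, now=0.0):
        self.limit = limit
        self.quota = limit
        self.last_refill = now

    def attempt(self, now):
        """Return the throttle delay in seconds, or None if the IP is blocked."""
        # Gradual refill: one unit per full REFILL_SECONDS elapsed, capped at limit.
        units = int((now - self.last_refill) // REFILL_SECONDS)
        if units > 0:
            self.quota = min(self.limit, self.quota + units)
            self.last_refill += units * REFILL_SECONDS
        if self.quota <= 0:
            return None       # quota exhausted: request rejected
        self.quota -= 1
        # Throttle once below half of the limit; the "half - quota" seconds
        # formula is an assumption fitted to the Real Testing timings above.
        return max(0, self.limit // 2 - self.quota)


def simulate(limit, rounds, spacing=0.6):
    """Fire `rounds` POSTs `spacing` seconds apart from one IP (constructed input)."""
    bucket = IpQuota(limit)
    return [bucket.attempt(r * spacing) for r in range(rounds)]
```

With a limit of 10 and requests 0.6 s apart, simulate reproduces the shape of the test run above: no delay for rounds 1 to 5, delays of 1 to 5 seconds for rounds 6 to 10, and a rejection on round 11, after which the quota comes back one unit every 30 seconds rather than all at once.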
Last modified: 2017/11/28 19:30 by Jackson Zhang