As has been reported by many news outlets, WordPress login pages have been under a heavy brute force attack campaign, used as yet another way of recruiting web servers into botnets. There are a number of methods which can be used to help mitigate these attacks, including:
- Changing the default "admin" user account name - which can be done either by editing the wp_users table or by adding a new user with admin privileges and then deleting the "admin" account.
- Implementing two-factor authentication
- Implementing a Plugin such as Limit Login Attempts
While all of these defenses are good, and I encourage WP users to implement them, I also wanted to show how the ModSecurity WAF can be used to protect WP logins, since many hosting providers already run it as part of their infrastructure. With ModSecurity v2.7.3, users can implement custom rules such as these example rules by adding them to Apache .htaccess files.
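As an added illustration of the approach (my own example, not the rules from the original post), the .htaccess fragment below counts POST submissions to wp-login.php per client IP and temporarily blocks a client that exceeds a threshold. It assumes ModSecurity 2.7.x with `SecRuleEngine On` and `SecDataDir` set in the server-level config (persistent collections need it), `AllowOverride` permitting .htaccess in the WordPress directory, and rule ids in the 1000100 range, which are constructed placeholders.

```apache
<IfModule mod_security2.c>
    # Initialise a persistent per-client collection keyed on the source IP.
    # Requires SecDataDir in the main ModSecurity config (assumption).
    SecAction "phase:1,id:1000100,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

    # If this client has already been flagged, refuse the request outright.
    # Placed first so a blocked client never reaches wp-login.php at all.
    SecRule IP:BF_BLOCK "@eq 1" \
        "phase:1,id:1000101,deny,status:403,log,\
         msg:'WordPress login brute force: client temporarily blocked'"

    # Count POSTs to wp-login.php. Each increment expires after 60 seconds,
    # so the counter is effectively 'login attempts in the last minute'.
    # The setvar sits on the last rule of the chain so it only fires when
    # both the path and the method matched.
    SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
        "chain,phase:1,id:1000102,pass,nolog"
        SecRule REQUEST_METHOD "@streq POST" \
            "setvar:ip.bf_counter=+1,expirevar:ip.bf_counter=60"

    # More than 5 login POSTs in a minute from one IP: set the block flag
    # for 5 minutes and reset the counter. Legitimate users rarely submit
    # the form that often; note that clients behind a shared NAT share
    # one counter (constructed thresholds, tune for your site).
    SecRule IP:BF_COUNTER "@gt 5" \
        "phase:1,id:1000103,pass,log,\
         msg:'WordPress login brute force threshold exceeded, blocking IP',\
         setvar:ip.bf_block=1,expirevar:ip.bf_block=300,setvar:!ip.bf_counter"
</IfModule>
```

Blocked attempts show up in the Apache error log and ModSecurity audit log with the msg text above, which makes the campaign easy to spot in monitoring.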