Stop worpress wp-login.php brute force attacks with Varnish throttling (Rate Limit)

Version 1.8.4 of the cPanel Varnish Plugin has seen a new feature being introduced: the ability to rate-limit page accesses - code-named Rate Limit. One application of this feature is the wp-login.php attack that Wordpress suffers from. These attacks lead to service disruption. They can also be used to gain unauthorized access to your blog or website. The goal of the attacker is to brute force your users' login name and password in order to guess the passwords. The side effect of this resource intensive process is that it chokes your server and brings it down.

Rate Limit was designed to defend against such attacks among other numerous applications. Before we continue, go ahead and enabled Rate Limit from WHM -> Varnish -> Rate Limit). Once enable it, you can then begin setting rules to rate limit URL accesses. Let's walk through the wp-login.php example. By default your Rate Limit page will have this:

wp-login.php 3req/s 10req/30s 30req/5m


The first bit of information is the page or URI (/wp-login.php is a URI). The next three bits of information represents the three rate of accesses which if exceeded will lead to a block from Varnish with HTTP code 429 (not firewall block). So this will effectively prevent further brute force attempts. So if you were to reach wp-login.php more than 3 times per second OR 10 times over 30 seconds OR 30 times over 5 minutes, you get blocked. When either of the three limits is reached, the attacker is blocked by Varnish.

whoever (or whatever) attempts to attack wp-login.php will receive this message on their browser:

Error 429 "Slow down!"
  • 7 Users Found This Useful
Was this answer helpful?

Related Articles

Modsecurity rules integration in Varnish (feature)

We've integrated hundreds of modsecurity rules into the VCL (security.vcl) that ships out with...

Why does the plugin change the server header?

Normally, if you download and install Varnish (the source not the plugin) yourself, the headers...

Correct IP reporting in legacy software / scripts

The plugin follows reverse proxy software proper handling of X-Forwarded-For headers and in this...

vBulletin correct reporting of IP address

It's recommended to make the following changes to includes/config.php so vB doesn't report...

Fix REMOTE_ADDR so it reports correct IP instead of server IP in PHP

Here are the exact steps we follow: 1) Login in to destination server 2) wget...