Wordpress and Mod_Security

intro:

WordPress is a popular platform for publishing articles and information. Unfortunately, it lacks the security functions that would protect
your application from malicious attacks. A default WordPress installation is not secure from a web application security standpoint. It needs additional layers of protection to ensure that your application remains secure at all times.

What is ModSecurity:

ModSecurity operates as a layer of protection between the web server and the application and runs on
a set of rules that determine how it should react to certain behaviors and requests. Web applications using ModSecurity gain an external security layer that increases security and detects and prevents attacks before they reach the web application.
Using the mod_security rules below you can protect your website from "Brute Force" and "Denial of Service" attacks.

<IfModule mod_security2.c>
# This has to be global; it cannot exist within a directory or location clause.
# Both collections are keyed on the client address, so user:bf_block is effectively a per-IP flag.
# ModSecurity 2.7+ requires an id on every rule; 10001-10004 are arbitrary values from the range
# reserved for local rules.
SecAction "id:10001,phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR}"
<Location /wp-login.php>
# Setup brute force detection.

# React if block flag has been set.
SecRule user:bf_block "@gt 0" "id:10002,phase:1,deny,status:401,log,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"

# Setup tracking. On a successful login, a 302 redirect is performed; a 200 indicates login failed.
SecRule RESPONSE_STATUS "^302" "id:10003,phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0"
# Note: a plain GET of the login form also returns 200, so page views count towards the threshold
# unless the chain is narrowed further (for example on REQUEST_METHOD).
SecRule RESPONSE_STATUS "^200" "id:10004,phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180"
SecRule ip:bf_counter "@gt 10" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</Location>
</IfModule>

These rules will block access from the offending IP address for 5 minutes upon 10 failed login attempts over a 3 minute window.
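To see what those thresholds actually do over time, here is an added Python replay (not part of the original post or of ModSecurity itself) that runs the same counter, decay and block logic over constructed Apache access-log lines: a burst trips the block, one failure every 200 seconds never does because deprecatevar keeps paying the counter down, and a plain GET of the form is counted too because the rule matches any 200 response. Status codes, thresholds and log format follow the rules above; the IPs and timestamps are constructed sample data, and the decay model is an approximation of ModSecurity's deprecatevar.

```python
import re
from datetime import datetime, timedelta, timezone

THRESHOLD, DECAY_SECS, BLOCK_SECS = 10, 180, 300   # @gt 10, deprecatevar 1/180, expirevar 300
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')  # Apache common log

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path.split("?")[0], int(status)

def replay(log_text):
    """Return {ip: [(time, 'counted'|'reset'|'blocked'), ...]} for /wp-login.php requests."""
    state, events = {}, {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] != "/wp-login.php":
            continue
        ip, now, _method, _, status = rec
        s = state.setdefault(ip, {"counter": 0, "last": now, "block_until": None})
        log = events.setdefault(ip, [])
        if s["block_until"] and now < s["block_until"]:  # user:bf_block still set: rule answers 401
            log.append((now, "blocked"))
            continue
        if status == 302:                                # login succeeded: setvar ip.bf_counter=0
            s["counter"] = 0
            log.append((now, "reset"))
        elif status == 200:   # counted as a failure whatever the method, exactly as the rule does
            elapsed = (now - s["last"]).total_seconds()  # deprecatevar: -1 per full DECAY_SECS idle
            s["counter"] = max(0, s["counter"] - int(elapsed // DECAY_SECS)) + 1
            if s["counter"] > THRESHOLD:                 # setvar user.bf_block=1, expirevar 300
                s["block_until"] = now + timedelta(seconds=BLOCK_SECS)
                s["counter"] = 0
            log.append((now, "counted"))
        s["last"] = now
    return events

def _line(ip, when, method, status):  # constructed common-log line (sample data, not real traffic)
    return f'{ip} - - [{when:%d/%b/%Y:%H:%M:%S +0000}] "{method} /wp-login.php HTTP/1.1" {status} 3471'

_T0 = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", _T0 + timedelta(seconds=10 * i), "POST", 200) for i in range(11)]      # burst
    + [_line("203.0.113.7", _T0 + timedelta(seconds=120), "POST", 200)]                          # while blocked
    + [_line("203.0.113.7", _T0 + timedelta(seconds=420), "POST", 200)]                          # block expired
    + [_line("198.51.100.9", _T0 + timedelta(seconds=200 * i), "POST", 200) for i in range(12)]  # slow: decays away
    + [_line("192.0.2.5", _T0, "GET", 200), _line("192.0.2.5", _T0 + timedelta(seconds=5), "POST", 302)]
)
```

Calling replay(SAMPLE_LOG) returns the per-IP event lists; the real deprecatevar works from the collection's last-update time, which this model approximates with the time of the previous counted request.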

------------------

Protect your wp-login.php page:

You can protect your login page via .htaccess. To do this, you will need to create a .htpasswd file.
If you want to generate it manually, you can use this website:

htaccesstools.com/htpasswd-generator/

Once your .htpasswd file is created, put it in your public folder, e.g. /home/user/public_html/.htpasswd,
and add these rules to your .htaccess file.

code:

# Deny web access to the .htaccess and .htpasswd files themselves.
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

<Files wp-login.php>
# AuthUserFile needs an absolute path; Apache does not expand "~".
AuthUserFile /home/user/public_html/.htpasswd
AuthName "Private access"
AuthType Basic
Require user mysecretuser
</Files>

-----------------------------

Protect your wp-login.php page by IP address

If you have a static IP address, this is a very good way to protect your login page. Just add this code to your .htaccess file:

<Files wp-login.php>
# Apache 2.2 syntax: with "Order deny,allow" the Allow line wins for the listed address and
# everyone else is denied. Replace x.x.x.x with your own static IP. Without the <Files> wrapper
# this would lock the whole site, not just the login page.
# On Apache 2.4 without mod_access_compat, use "Require ip x.x.x.x" instead of the three lines below.
Order deny,allow
Allow from x.x.x.x
Deny from all
</Files>

Your ISP can help you obtain a static IP address.