ModSecurity Brute Force Protection for wp-login.php

I'm trying to prevent brute force login attempts on wp-login.php on a server running Litespeed 5.0.19, and I've got the following rule set up for ModSecurity in ModSecurity -> Rules List -> Edit Rules:
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:6
<Locationmatch "/wp-login.php">
# Setup brute force detection.
# React if block flag has been set.
SecRule user:bf_block "@gt 0" "deny,status:401,log,id:7,msg:'ip address blocked for 5 minutes, more than 10 WordPress login attempts in 3 minutes.'"
# Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed.
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:8"
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:9"
SecRule ip:bf_counter "@gt 10" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
Unfortunately, it doesn't seem to be working even after a restart of Litespeed, because on a site that's running the Login Security Solutions plugin, I got 122 failed logins over the course of 59 minutes. Other sites are undergoing similar attacks. The other custom rules I have are working. I'm also running the Comodo WAF rules for Litespeed as a vendor in ModSecurity.

Is there some other ModSecurity rule I should be using with Litespeed to block brute force attacks on wp-login.php, or do I have an error in mine that's preventing it from working?


LiteSpeed Staff
We have tested this rule before, and it is working fine.
You may need to turn on modsec debug logging with
SecRuleDebugLevel 9

to check what is going on. Maybe the rule was bypassed for some reason.
Thanks for the reply. Do you mean SecDebugLogLevel?

It looks like I didn't need my custom rule because there is a similar one in the Comodo WAF vendor rules for Litespeed. It's possible the two were interfering with each other. I removed my custom rule and will see if this takes care of the brute force attacks that are getting through.
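
An added example, not part of any post in this thread and not LiteSpeed's or Comodo's code: a simplified Python model of rules 7, 8 and 9 as posted in the question, replayed over a constructed series matching the reported 122 failed logins in 59 minutes. It assumes deprecatevar subtracts 1 per full 180 seconds since the last counter write and that the block flag is tracked per client IP; the names IpState, handle and replay are hypothetical.

```python
# Simplified model of rules 7, 8 and 9 from the question (assumption:
# deprecatevar subtracts 1 per full 180 s since the last counter write).
from dataclasses import dataclass

THRESHOLD, DECAY_PERIOD, BLOCK_SECONDS = 10, 180, 300


@dataclass
class IpState:
    bf_counter: int = 0
    last_update: int = 0
    block_until: int = 0  # models user.bf_block together with its expirevar


def handle(state, now, backend_status):
    """Return the status the client sees for one POST to /wp-login.php."""
    if now < state.block_until:            # rule 7: block flag still set
        return 401
    if backend_status == 302:              # rule 8: successful login resets
        state.bf_counter, state.last_update = 0, now
    elif backend_status == 200:            # rule 9: failed login counts
        decay = (now - state.last_update) // DECAY_PERIOD
        state.bf_counter = max(0, state.bf_counter - decay) + 1
        state.last_update = now
        if state.bf_counter > THRESHOLD:   # chained rule: set flag, reset
            state.block_until = now + BLOCK_SECONDS
            state.bf_counter = 0
    return backend_status


def replay(events):
    """events: (epoch_seconds, backend_status) pairs for one client IP."""
    state = IpState()
    return [handle(state, t, s) for t, s in events]


def failed_logins_reaching_wordpress(events):
    return sum(1 for seen in replay(events) if seen == 200)


# Constructed input matching the rate reported in the thread:
# 122 failed logins spread evenly over 59 minutes (one every 29 s).
REPORTED_RATE = [(i * 29, 200) for i in range(1, 123)]

if __name__ == "__main__":
    seen = replay(REPORTED_RATE)
    print(seen.count(200), "reach WordPress,", seen.count(401), "denied")
```

Under these assumptions a single client at that rate would start receiving 401 responses from the twelfth attempt, so a plugin recording every one of the attempts points to the rules not being evaluated for those requests, which is what the debug log would show.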