You might notice a decrease in server or website performance and see many requests to "wp-login.php" in domain access logs and potentially in your process list.
These are indicators that hackers are trying to "brute force" their way into a website or multiple websites.
There are quite a few options available to prevent this type of attack from affecting your server performance and site security.
The options available vary significantly in easiness to implement and effectiveness. It's important to note that neither Apache™ nor LiteSpeed™ is a firewall. If you're experiencing a large scale attack, your systems administrator or hosting provider should be able to use some other method to combat the attack.
Starting with version 5.2.3, LiteSpeed Enterprise has a built-in brute force attack protection system. Please review the documentation:
One recommendation with Apache is that you should go ahead and place the following code in the website .htaccess file that doesn't point the error page to WordPress (this can be either 401 or 403 depending on whether you use password or IP based blocking or other). This prevents the overload caused by the entire WordPress code being run each time a failed request is made.
ErrorDocument 401 Access Denied
ErrorDocument 403 Permission Denied
You can then only allow specific IP addresses to access the file by adding these lines and replacing the IPs with the user IP addresses:
# Only allow these IPs to wp-login.php.
Require ip 10.0.0.1 10.0.0.2
This isn't a long-term solution, especially for sites with many users that log in. You may consider implementing a ModSecurity rule to help with the entire server, or password protect wp-login.php via .htaccess rules. Please review this documentation for Apache Authentication.
WordPress.org has a complete article that covers multiple methods for handling these types of attacks:
Please note, cPanel does not endorse, support, or sponsor any third-party website provided in this article.