As brute force attacks on WordPress become more frequent we have decided to deploy another layer of security into the firewalls of our servers.
As our standard hosting customers are aware this was implemented some time ago with the divert to a are you human captcha page, however with cPanel this approach was not implemented.
So with all cPanel accounts the following has been implemented
This has not changed anything for the user of the website, you still login the same was as you have before however if you have 10 failed attempts then you will receive a 401 error for 20 minutes.
The response from the server will read as follows.
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn’t understand how to supply the credentials required.
You can still access the site if you need to by going to cPanel and going to the security section and clicking on ModSecurity. Here you are able to switch on/off security for the domain.
Once switched off the wp-login screen will re-appear, but its highly recommended that you re-enable this security once finished.
Leaving this off, leaves your site open to any known vulnerability that our firewall protects you against.
By implementing this it will reduce the volume of sites compromised by brute force attacks and reduce loads on your hosting package.
We are looking at other similar rules for other popular CMS platforms.