Just had an email from my web hosting provider telling me that my server had been shut down due to very high resource usage. It turns out that my VPS had been utilizing about 8 CPU cores and I only pay for a hosting plan that allows me to use 2 cores. My server had been down for 8 hours since I was asleep when the issue arose. This was a very concerning piece of news to wake up to, especially if one uses their servers to make a living.
My hosting provider said I could boot up my VPS again so long as I could fix the issue. What could it be? My first guesses were that my domains were hit with a DDoS attack or that something went wrong with either my WordPress or Virtualmin installations.
Bots love checking out my wp-login.php
Once my server was up again I saw that the CPU usage was still around 8 cores. I immediately viewed my Apache access log files. I saw 2 to 4 different IPs accessing wp-login.php at a rate of about 3 to 4 times per second. This caused the massive spike since I had 10 websites on my server, all of them using WordPress. Sure, the bots aren't able to get through my sites as I use a strong password, but something had to be done about the very high resource usage that could shut down my server at any time.
I took note of the attackers' IP addresses. I logged on to my CloudFlare account, then I added the IPs to my Blocked List under the Threat Control tab. That brought the attack to a complete stop. A few hours later my resource usage was steadily rising again. I had forgotten that one of my domains was not under CloudFlare, and there was a new set of IP addresses accessing wp-login.php. I added the domain under CloudFlare, but I can't keep on manually blocking IPs whenever there is an attack.
As you can see from the image below, my server was steadily using less than 2 cores, then there was the sudden spike followed by the server shutdown.
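As an added illustration (not code from the original post), this Python script automates the check the author did by eye on the Apache access log: it counts wp-login.php requests per source IP per second and flags the IPs that reach a threshold. The log lines, IP addresses and threshold value are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format; we only need client IP, timestamp and request path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines (not from the author's server): two IPs hammering
# wp-login.php within the same second, plus one ordinary visitor logging in.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2014:03:12:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2014:03:12:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2014:03:12:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2014:03:12:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2014:03:12:07 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2014:03:12:07 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2014:03:12:07 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2014:03:12:08 +0000] "GET /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2014:03:12:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def login_hits_per_second(log_text):
    """Return {(ip, second): count} for every request whose path ends in wp-login.php."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("path").endswith("wp-login.php"):
            continue  # unparseable line, or not the login page
        second = datetime.strptime(m.group("ts"), TS_FMT)
        counts[(m.group("ip"), second)] += 1
    return counts

def suspicious_ips(log_text, per_second_threshold=3):
    """Map IP -> peak hits in a single second, for IPs reaching the threshold.
    The post reports roughly 3 to 4 hits per second from each attacking IP."""
    flagged = {}
    for (ip, _second), n in login_hits_per_second(log_text).items():
        if n >= per_second_threshold:
            flagged[ip] = max(n, flagged.get(ip, 0))
    return flagged

if __name__ == "__main__":
    for ip, peak in sorted(suspicious_ips(SAMPLE_LOG).items()):
        print(f"{ip}: peak {peak} wp-login.php requests in one second")
```

Run it against a real access log by passing the file contents to suspicious_ips; the flagged addresses are the ones worth adding to a block list while a longer-term fix such as the Page Rules below is put in place.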
Using CloudFlare Page Rules to Block Brute Force Attacks
Since brute force attacks on WordPress mainly target wp-login.php, with Page Rules you can strengthen the security for accessing that page without affecting real visitors who access other parts of your site. I only use the free plan offered by CloudFlare, so I am restricted to using only up to 3 page rules, which is enough for my needs.
You could use these 2 URL patterns to cover your login page:
The asterisks are wildcards used to account for login URLs that use a sub-domain like
blog or URLs that end like
Log in to your CloudFlare account. On the Websites page look for your target domain, then click on the gear icon on the right side. Select Page Rules. Add the URL pattern described above. The most important thing is to set the Security and Browser Integrity Check to ON and the Security Level to I'm Under Attack. Then click Add Rule.
This will strengthen the security for the login page and prevent those bad bots from accessing it. A side-effect of this is that every time your browser cache is cleared, or when your cookies for that particular site expire, you may have to wait 5 seconds when you log in to allow for the Browser Integrity Check. Not bad at all.
This is quite effective and my resource usage hasn't spiked since then. This is also easier to understand and implement than trying to tinker with your .htaccess or using WordPress plugins that limit login attempts but do not prevent wp-login.php from getting hit.