Caddy equivalent code for specific sections of the WordPress support article Brute Force Attacks.
Protect Your Server
For Caddy, you can use the error directive to lock down the WordPress admin area. In the example below, every request under /wp-admin is answered with a 401, and the site's handle_errors block serves a static 401.html page instead of Caddy's default error response. Note that /wp-admin/admin-ajax.php lives under that path and is called by themes and plugins on behalf of logged-out visitors, so a blanket block on /wp-admin* also breaks those front-end features; exempt it, or combine the block with an IP matcher (see "Limit Access to wp-login.php by IP" below), unless you have confirmed that nothing on the public site depends on it. Also note that handle_errors applies to every error raised in the site block, not only this one.
# Trigger a 401 error for every request under /wp-admin
error /wp-admin* "Unauthorized" 401
# Handle the error by serving an HTML page (401.html under the site root)
handle_errors {
	rewrite * /401.html
	file_server
}
Password Protect wp-login.php
For Caddy, you can password protect your wp-login.php file using the basicauth directive (renamed basic_auth in Caddy 2.8; the old spelling still works but is deprecated).
basicauth /wp-login.php {
	# Add separate lines for each additional user
	user1 password-hash1
}
Caddy configuration does not accept plaintext passwords; you MUST hash them before putting them into the configuration. The caddy hash-password command does this: caddy hash-password --plaintext 'your-password' prints a bcrypt hash that goes in place of password-hash1. Use credentials that differ from the WordPress account itself, since an attacker who guesses one should not get both. Because wp-admin redirects unauthenticated visitors to wp-login.php, users will see the browser's credential prompt before the WordPress login form; the prompt also covers logout and password-reset links, which go through the same file.
Limit Access to wp-login.php by IP
For Caddy, use the remote_ip request matcher to limit access to wp-login.php by IP address. The forwarded option below makes the matcher read the client address from the X-Forwarded-For header. Only use it when Caddy sits behind a proxy you control: any client can set that header itself, so with forwarded on an internet-facing Caddy the allowlist is trivially bypassed. If Caddy terminates client connections directly, drop forwarded. On Caddy 2.7 and later, forwarded is deprecated in favour of the client_ip matcher combined with the trusted_proxies global option, which only honours the header when the connection comes from a listed proxy address.
@blacklist {
	# All except the specified addresses
	# (forwarded trusts X-Forwarded-For; omit it unless a trusted proxy sets that header)
	not remote_ip forwarded 203.0.113.15 203.0.113.16 203.0.113.17
	# or for the entire network
	# not remote_ip forwarded 203.0.113.0/24
	path /wp-login.php
}
# Block access to wp-login.php for blacklisted addresses
respond @blacklist "Forbidden" 403 {
	close
}
Deny Access to No Referrer Requests
For Caddy, mitigate brute force login and spam comment attempts from bots that POST straight to wp-login.php and wp-comments-post.php without first loading a page from your site. A browser submitting the real login or comment form sends a Referer header pointing at your own host; a script that posts directly usually does not.
# Mitigate spam attack logins and comments
# (the comment handler is wp-comments-post.php, singular "post")
@protected path_regexp (wp-comments-post|wp-login)\.php$
handle @protected {
	# POST requests whose Referer does not start with https://<this host>/
	# The trailing slash matters: https://{host}* would also accept
	# a Referer of https://example.com.evil.test/
	@no-referer {
		not header Referer https://{host}/*
		method POST
	}
	abort @no-referer
}
Using abort for blocking bots is cheaper than respond because Caddy drops the connection immediately instead of writing a response. Bear in mind that the Referer header is supplied by the client, so a bot can simply set it to your hostname; this rule only filters the naive ones. It also locks out legitimate users whose browser or privacy extension strips the Referer header, since their login POST is dropped with no error page to explain why.
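The four fragments above each stand on their own. When they share one site block, the order in which Caddy evaluates directives matters: basic_auth is ordered before respond, abort and error, so the password prompt would appear before the IP check. The following Caddyfile is an added example, not part of the WordPress article or the Caddy project, that places all four protections in an explicit route block so they run in the written order, and exempts admin-ajax.php from the wp-admin block. It assumes Caddy 2.8 or newer (for basic_auth and client_ip); a hostname of example.com, a WordPress root of /var/www/wordpress, PHP-FPM on /run/php/php-fpm.sock, an allowed administrator range of 203.0.113.0/24 and a reverse-proxy range of 10.0.0.0/8 are all placeholders, as is PASTE_HASH_HERE, which must be replaced with the output of caddy hash-password before the file will load.

```caddyfile
# Added example (not from the WordPress or Caddy projects).
# All hostnames, paths and address ranges below are assumed placeholders.
{
	servers {
		# Only honour X-Forwarded-For when the connection comes from this
		# proxy range (assumed). If Caddy faces the internet directly, delete
		# this block: client_ip then simply equals the TCP peer address.
		trusted_proxies static 10.0.0.0/8
	}
}

example.com {
	root * /var/www/wordpress

	# route evaluates its directives top to bottom, overriding Caddy's
	# default directive order, so the checks run in the sequence shown.
	route {
		# 1. IP allowlist for wp-login.php. client_ip is not spoofable
		#    because it only reads X-Forwarded-For from trusted_proxies.
		@login_outside {
			path /wp-login.php
			not client_ip 203.0.113.0/24
		}
		respond @login_outside "Forbidden" 403 {
			close
		}

		# 2. Drop login and comment POSTs that lack a same-site Referer.
		#    Trailing slash: https://{host}* would also match
		#    https://example.com.evil.test/
		@no_referer {
			path_regexp (wp-comments-post|wp-login)\.php$
			method POST
			not header Referer https://{host}/*
		}
		abort @no_referer

		# 3. Second factor for the addresses that got through step 1.
		#    Replace PASTE_HASH_HERE with: caddy hash-password --plaintext '...'
		basic_auth /wp-login.php {
			admin PASTE_HASH_HERE
		}

		# 4. Keep the rest of wp-admin off the public internet, but leave
		#    admin-ajax.php reachable because front-end features call it
		#    for logged-out visitors.
		@admin_outside {
			path /wp-admin/*
			not path /wp-admin/admin-ajax.php
			not client_ip 203.0.113.0/24
		}
		error @admin_outside "Unauthorized" 401

		# Normal WordPress serving (assumed PHP-FPM socket path)
		php_fastcgi unix//run/php/php-fpm.sock
		file_server
	}

	# Serve 401.html, 403.html, 404.html ... from the site root for
	# whichever status the error or respond directives produced.
	handle_errors {
		rewrite * /{err.status_code}.html
		file_server
	}
}
```

Validate the file with caddy validate --config Caddyfile before reloading; an invalid bcrypt value in basic_auth or a typo in a matcher name is reported there rather than at request time. On Caddy older than 2.8, substitute basicauth for basic_auth, and on versions before 2.7 replace client_ip with remote_ip (without forwarded, unless a trusted proxy is in front).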
Credits and References
Credits
@francislavoie for his contributions within the development reference.