Using Caddy to deter brute force attacks in WordPress

Caddy equivalent code for specific sections of the WordPress support article Brute Force Attacks.

Protect Your Server

For Caddy, you can use the error directive to protect your site. In the example below, everything under wp-admin has been locked down with a 401 response.

    # Trigger a 401 error for everything under /wp-admin
    error /wp-admin* "Unauthorized" 401

    # Handle the error by serving a static HTML page from the site root
    handle_errors {
        rewrite * /401.html
        file_server
    }

Password Protect wp-login.php

For Caddy, you can password protect your wp-login.php file using the basicauth directive.

    basicauth /wp-login.php {
        # Add separate lines for each additional user
        user1 password-hash1
    }

Caddy configuration does not accept plaintext passwords; you MUST hash them before putting them into the configuration. The caddy hash-password command can help with this.

Limit Access to wp-login.php by IP

For Caddy, use the remote_ip request matcher to limit access to wp-login.php by IP address.

    @blacklist {
        # All except the specified address (192.0.2.10 is a placeholder; use your own)
        # Note: "forwarded" takes the client address from the X-Forwarded-For header,
        # which any direct client can set, so only use it behind a trusted proxy
        not remote_ip forwarded 192.0.2.10
        # or for the entire network (placeholder range)
        # not remote_ip forwarded 192.0.2.0/24
        path /wp-login.php
    }

    # Block access to wp-login.php for blacklisted addresses and close the connection
    respond @blacklist "Forbidden" 403 {
        close
    }

Deny Access to No Referrer Requests

For Caddy, the following drops POST requests to the login and comment endpoints that do not carry a Referer from your own site, which mitigates brute force login and spam comment attempts from bots.

    # Mitigate spam attack logins and comments
    # (the WordPress comment endpoint is wp-comments-post.php)
    @protected path_regexp (wp-comments-post|wp-login)\.php$
    handle @protected {
        # POST requests whose Referer does not start with this site's own origin
        @no-referer {
            not header Referer https://{host}*
            method POST
        }
        abort @no-referer
    }

Using abort for blocking bots is more efficient because Caddy will just drop the connection immediately instead of sending back a response.
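Putting the sections together, as an added example that is not from the original article: one site block that applies the three checks in an explicit order in front of PHP. The domain, document root, PHP-FPM socket, the 203.0.113.0/24 allow list and the password hash are placeholders.

```caddyfile
example.com {
    root * /var/www/wordpress

    # Serve /401.html, /403.html, ... for statuses raised by the error directive
    handle_errors {
        rewrite * /{err.status_code}.html
        file_server
    }

    # route {} runs its directives in the order written instead of Caddy's
    # default directive order, so the checks happen as numbered below.
    route {
        # 1. Admin area and login page: only the allow-listed range may reach
        #    them. admin-ajax.php is exempted because front-end plugins call it.
        #    Behind a reverse proxy or CDN remote_ip sees the proxy's address;
        #    use the client_ip matcher with trusted_proxies (Caddy 2.7+) there.
        @admin {
            path /wp-admin* /wp-login.php
            not path /wp-admin/admin-ajax.php
            not remote_ip 203.0.113.0/24    # placeholder: your own range
        }
        error @admin "Forbidden" 403

        # 2. Bots posting to the login or comment endpoints without a
        #    same-site Referer are dropped without a response.
        @no_referer {
            path_regexp (wp-comments-post|wp-login)\.php$
            method POST
            not header Referer https://{host}*
        }
        abort @no_referer

        # 3. Extra credential in front of wp-login.php; the hash comes from
        #    `caddy hash-password`, never a plaintext password.
        basicauth /wp-login.php {
            admin REPLACE_WITH_BCRYPT_HASH    # placeholder
        }

        php_fastcgi unix//run/php/php-fpm.sock    # placeholder PHP-FPM socket
        file_server
    }
}
```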

Credits and References

@francislavoie for his contributions within the development reference.

  1. Brute Force Attacks
  2. Development: Using Caddy to deter brute force attacks in WordPress