One annoyance of running a publicly-accessible WordPress site is the bots that rapidly attempt thousands of logins via /wp-login.php. Even if none of the guesses is ever likely to work, the site still wastes resources running PHP and SQL to confirm that.
A barrier to these drive-by attempts can be added with nginx's http_limit_req module, applying the rate limit only to POST requests for the login page so the rest of the site is unaffected.
In /etc/nginx/conf.d/login-limit.conf we create the zone LOGINLIMIT. 1m is the size of the shared memory zone for tracking requests, and 15r/m limits each client to 15 requests per minute (i.e. one every 4 seconds).
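The configuration the text describes, written out as an added example rather than the post's own file. Keying the zone through a map so that only POSTs are counted is my choice of mechanism; the burst value, document root, server name and PHP-FPM socket path are assumptions.

```nginx
# /etc/nginx/conf.d/login-limit.conf  (http context, picked up by conf.d/*.conf)
#
# Key the zone on the client address only for POST requests. limit_req does
# not count requests whose key is empty, so GET /wp-login.php and every other
# request pass through unlimited.
map $request_method $login_limit_key {
    default "";
    POST    $binary_remote_addr;
}

# 1m of shared memory holds roughly 16k IPv4 client states;
# 15r/m is one request every 4 seconds per client address.
limit_req_zone $login_limit_key zone=LOGINLIMIT:1m rate=15r/m;

# Reject with 429 instead of the default 503 so limited requests are easy to
# tell apart from backend failures in the access log.
limit_req_status 429;
limit_req_log_level warn;

# /etc/nginx/sites-enabled/wordpress  (server context, relevant part only)
server {
    listen 80;
    server_name wordpress.example;        # placeholder
    root /var/www/wordpress;              # assumed document root
    index index.php;

    # Exact-match location so only the login page is limited. burst=5 lets a
    # user who mistypes a password a few times retry without waiting; nodelay
    # serves those requests immediately rather than queueing them.
    location = /wp-login.php {
        limit_req zone=LOGINLIMIT burst=5 nodelay;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed PHP-FPM socket
    }

    # All other PHP is handled normally, with no rate limit.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

If nginx sits behind a CDN or reverse proxy, $binary_remote_addr is the proxy's address and every visitor shares one bucket; configure the real_ip module (set_real_ip_from / real_ip_header) first so the limit applies per client.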