Stopping WordPress wp-login.php bot attacks with Varnish page throttling

Varnish is a performance tool. It’s the least likely layer to be doing application session tracking, much less application rate-limiting. This is a design decision by the very wise Varnish architect, because no one wants their performance layer burdened with work that blocks. But tough situations require tough measures. Although we’ve introduced rate-limiting in the cPanel Varnish Plugin, the implementation has all the goodness and smarts to avoid the nefarious blocking business.

We deploy the fastest WordPress server configuration available! We’ve taken the time (years of programming and production deployment) to cook up just the right VCL and server configuration recipe for the most delectable lean mean WordPress hosting machine! We’re able to do this on any dedicated server with 8GB memory or larger!

Most importantly, this new rate-limit feature has got WordPress’ wp-login.php attacking bots beat badly! Let’s go ahead and navigate to the Rate Limit feature in WHM on your Varnish server.


Varnish rate limit feature


On the next page, the input form will show a default set of rate-limiting values for wp-login.php (the WordPress user entry point for authentication). You can hit save right there and then, or you can adjust the rates to your liking.

Varnish wordpress wp-login.php rate limit


The KB has an entry that explains the rate-limit settings in detail. This feature is available in our Varnish plugin for cPanel starting from version 1.8.4. A special thanks to Nicolas Deschildre for this VMOD.
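
What per-client throttling of wp-login.php looks like in VCL, as an added example that is not the plugin's generated configuration. It uses the vsthrottle VMOD from varnish-modules rather than the VMOD credited above, and the limit of 5 POSTs per 60 seconds, the key format and the backend address are assumed values, not the plugin's defaults.

```vcl
vcl 4.0;

import vsthrottle;

# Assumed backend address for this example.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # Count only credential submissions: POSTs to wp-login.php,
    # including installs that live in a subdirectory.
    # GET requests for the login form are not counted.
    if (req.method == "POST" && req.url ~ "(^|/)wp-login\.php(\?|$)") {
        # Key on site + client address so that one noisy client on one
        # site does not consume the allowance of other sites or clients.
        # Assumed limit: 5 requests per 60 seconds per key.
        if (vsthrottle.is_denied(
                "wplogin:" + req.http.host + ":" + client.ip, 5, 60s)) {
            # Answer from Varnish itself; the request never reaches PHP.
            return (synth(429, "Too Many Requests"));
        }
    }
}

sub vcl_synth {
    if (resp.status == 429) {
        # Tell well-behaved clients when they may retry.
        set resp.http.Retry-After = "60";
    }
}
```

If Varnish sits behind another proxy or load balancer, `client.ip` is that proxy's address, so the key has to be built from the real client address that the proxy passes along.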

Enjoy the new feature!
