Rate limiting WordPress Logins with Traefik
I'm hosting a few WordPress websites on my server for various people. Recently, after setting up my log monitoring with Loki (https://blog.marcel-aust.de/monitoring-with-prometheus-loki-alloy-grafana-2/), I noticed a lot of login attempts by various bots against the wp-login.php endpoint.
I'm running each WordPress instance in its own docker-compose stack. As previously mentioned, I'm using Traefik as the ingress proxy to route the requests and do the TLS termination.
To deal with the login attempts I added a Traefik rate limit (https://doc.traefik.io/traefik/middlewares/http/ratelimit/). This is what the WordPress service inside my docker-compose stack looks like now:
wordpress:
  image: wordpress:latest
  restart: unless-stopped
  depends_on:
    - db
  environment:
    # ...
  labels:
    - "traefik.enable=true"
    - "traefik.http.routers.wordpress1.rule=Host(`www.example.com`)"
    - "traefik.http.routers.wordpress1.entrypoints=websecure"
    - "traefik.http.routers.wordpress1.tls.certresolver=le"
    - "traefik.http.routers.wordpress1.service=wordpress1"
    - "traefik.http.services.wordpress1.loadbalancer.server.port=80"
    # Login Ratelimit
    - "traefik.http.routers.wordpress1-rl.rule=(Host(`www.example.com`)) && PathPrefix(`/wp-login.php`)"
    - "traefik.http.routers.wordpress1-rl.entrypoints=websecure"
    - "traefik.http.routers.wordpress1-rl.tls.certresolver=le"
    - "traefik.http.routers.wordpress1-rl.middlewares=wp-login-rl@file"
    - "traefik.http.routers.wordpress1-rl.service=wordpress1"
    - "traefik.docker.network=traefik-net"
  volumes:
    - wordpress1:/var/www/html
  networks:
    - traefik-net
    - default

The corresponding wp-login-rl middleware in the file provider config looks like this:
http:
  middlewares:
    wp-login-rl:
      rateLimit:
        average: 10
        period: 60m

This limits all requests to the WordPress login page, which reduced the login attempts drastically.
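To see what `average: 10` over `period: 60m` actually does to a login flow, here is an added simulation (not Traefik's code, and not from the original post) of the documented token-bucket semantics: the bucket holds `burst` tokens (Traefik's default is 1) and refills at `average/period`, i.e. one token every 6 minutes for this config. The request timings are constructed; the point is to check that the limit stops a bot without also rejecting a legitimate GET-then-POST login from one IP, which is what the `burst` value decides.

```python
class TokenBucket:
    """Illustrative model of Traefik's rateLimit middleware (assumption: the
    standard token bucket the Traefik docs describe). `average` requests per
    `period` seconds refill the bucket; `burst` is its capacity."""

    def __init__(self, average, period, burst=1):
        self.rate = average / period   # tokens added per second
        self.burst = burst
        self.tokens = float(burst)     # bucket starts full
        self.last = 0.0

    def allow(self, now):
        # Refill in proportion to elapsed time, capped at the bucket size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(requests, average=10, period=3600, burst=1):
    """Return the status code (200 or 429) Traefik would give each request.
    `requests` are (seconds_since_start, label) tuples from one source IP,
    matching the page's average=10 / period=60m config by default."""
    bucket = TokenBucket(average, period, burst)
    return [200 if bucket.allow(t) else 429 for t, _ in requests]


# Constructed sample traffic: one human loads the form and posts credentials
# 20 s later; then a bot fires 20 login POSTs one second apart.
HUMAN = [(0, "GET /wp-login.php"), (20, "POST /wp-login.php")]
BOT = [(100 + i, "POST /wp-login.php") for i in range(20)]

if __name__ == "__main__":
    for burst in (1, 5):
        human = simulate(HUMAN, burst=burst)
        bot = simulate(BOT, burst=burst)
        print(f"burst={burst}: human login -> {human}")
        print(f"burst={burst}: bot POSTs   -> {bot.count(429)} of {len(bot)} rejected")
```

With the default burst of 1 the human's POST 20 s after the GET is already rejected (the bucket needs 6 minutes to refill), while a burst of 5 lets a normal login through and still rejects 15 of the bot's 20 attempts; the sustained rate stays capped at 10 per hour either way.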