Block wp-login.php based on country through mod_security

Date Posted: 17-02-2018

WordPress is popular CMS which receives large number of DDOS login attempts generally. As a system administrator or site owner, if we dont feel that the traffic is not genuine from some other country, we can restrict wp-login.php   only from certain countries.

In this post we will explain on how to block wp-login.php access from other country except India.


  1. Mod Security already installed. If you have cPanel then in WHM itself, you will have an option to add Mod_security rule.
  2. Server SSH details.


1. Open the domain configuration file. By default, the location will be /etc/apache2/sites-enabled/default

vi /etc/apache2/sites-enabled/default

2. Append the below mentioned code

<IfModule mod_security2.c>
SecRule REQUEST_URI "wp-login.php" "chain,id:2018,log,msg:'Blocking %{geo.country_code}' - Suggested by"
SecRule REMOTE_ADDR "@geoLookup" "chain"
SecRule GEO:COUNTRY_CODE "@streq IN"


Secrule – Mod security rule

Request_URI – URL which the rules applies to

chain – It indicates that there will be continuation of rule to the next line.

id – Unique Mod_security reference ID

log- It tells apache to log the message

msg – Message should be logged on the log

GEO:COUNTRY_CODE – Country code

streq – String Equal to

IN – India. If we want to allow from other country then mention TWO digit code of the respective country

3. Check the syntax error

apachectl -t

4. Restart the apache server.

service apache2 restart

Now, if any user access wp-login.php from India, they will see the login page. If the user access wp-login.php  then they will get “406 : Not acceptable “ page.

Leave a Reply