cd /usr/local/directadmin/custombuild
./build update
./build set modsecurity yes
./build set modsecurity_ruleset comodo
./build modsecurity

vi /usr/local/cwaf/tmp/rules/workdir1/rules

SecAction phase:2,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000134  
<Locationmatch “/wp-login.php”>  
    # Setup brute force detection.  
    # React if block flag has been set.  
    SecRule user:bf_block “@gt 0” “deny,status:401,log,id:5000135,msg:’ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'”  
    # Setup tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed.  
    SecRule RESPONSE_STATUS “^302” “phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136”  
    SecRule RESPONSE_STATUS “^200” “phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137”  
    SecRule ip:bf_counter “@gt 10” “t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0”  
</locationmatch>  
  
SecAction phase:2,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000234  
<Locationmatch “/xmlrpc.php”>  
    # Rate limit requests to xml-rpc  
    SecRule user:bf_block “@gt 0” “deny,status:401,log,id:5000235,msg:’ip address blocked for 5 minutes, more than 10 attempts in 3 minutes.'”  
    # Setup tracking. Whenever it gets a 200 or 405 status code, increase our brute force counter.  
    SecRule RESPONSE_STATUS “^(200|405)” “phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000237”  
    SecRule ip:bf_counter “@gt 10” “t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0”  
</Locationmatch>