Title: Not blocking POST /wp-login.php
Last modified: August 31, 2016

---

# Not blocking POST /wp-login.php

 *  Resolved [DrNeptune](https://wordpress.org/support/users/drneptune/)
 * (@drneptune)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/not-blocking-post-wp-loginphp/)
 * I am confused about something. I just got about 200 requests or failed login 
   attempts in 1 second and wordfence didn’t block them. I have it set to block 
   after 3.
    Request: POST /wp-login.php Action Description: Access denied with 
   code 406 (phase 1). Justification: Operator EQ matched 0 at REQUEST_HEADERS. 
   Request: POST /wp-login.php Action Description: Access denied with code 406 (
   phase 1). Justification: Operator EQ matched 0 at REQUEST_HEADERS. Request: POST/
   wp-login.php Action Description: Access denied with code 406 (phase 1). Justification:
   Operator EQ matched 0 at REQUEST_HEADERS.
 * Over and over and over
    Does this not protect from this?
 * [https://wordpress.org/plugins/wordfence/](https://wordpress.org/plugins/wordfence/)

Viewing 2 replies - 1 through 2 (of 2 total)

 *  Thread Starter [DrNeptune](https://wordpress.org/support/users/drneptune/)
 * (@drneptune)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/not-blocking-post-wp-loginphp/#post-7151375)
 * oh before you ask ModSecurity is the one blocking them. but I figured wordfence
   would block after the first one so they couldn’t even try after that
 *  Plugin Author [WFMattR](https://wordpress.org/support/users/wfmattr/)
 * (@wfmattr)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/not-blocking-post-wp-loginphp/#post-7151559)
 * Hi,
 * Visits are processed by some of ModSecurity’s rules (phases 1 and 2) before before
   WordPress and Wordfence start running, so if ModSecurity sends a 406 response
   based on the request headers/body, then Wordfence won’t see that visit.
 * Apache and ModSecurity respond very quickly this way, much faster than WordPress(
   even without any plugins), keeping that type of blocking enabled is good for 
   performance.
 * -Matt R

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘Not blocking POST /wp-login.php’ is closed to new replies.

 * ![](https://ps.w.org/wordfence/assets/icon.svg?rev=2070865)
 * [Wordfence Security - Firewall, Malware Scan, and Login Security](https://wordpress.org/plugins/wordfence/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/wordfence/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/wordfence/)
 * [Active Topics](https://wordpress.org/support/plugin/wordfence/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/wordfence/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/wordfence/reviews/)

 * 2 replies
 * 2 participants
 * Last reply from: [WFMattR](https://wordpress.org/support/users/wfmattr/)
 * Last activity: [10 years, 2 months ago](https://wordpress.org/support/topic/not-blocking-post-wp-loginphp/#post-7151559)
 * Status: resolved