I finally have a ruleset which traps wp-login attacks, but I have a URI that does not get trapped:
SecRule REQUEST_URI "wp-login.php" "t:none,nolog,phase:1,pass,msg:'Track WP login',setvar:ip.auth_attempt=+1"
SecRule IP:AUTH_ATTEMPT "@gt 10" "phase:1,t:none,log,deny,status:405,expirevar:ip.auth_attempt=86400,msg:'Possible WP login attack'"
Does NOT catch:
I've tried a bunch of regexes but none have caught my test connections similar to the URL above - any suggestions?
One other oddity is that the second line (the count) seems to count 2, not one for each connection. Not sure what that is about... again, any suggestions appreciated.