Security-Protection blocks and stops brute-force attacks.
Want to read more how Security-Protection plugin works?
- no captcha, because brute-force attacks is not users’ problem
- no options, because it is great to forget about brute-force attacks completely
Plugin is easy to use: just install it and it just works.
Important: delete ‘admin’ username if you have it on your site. More than 90% of brute-force attacks try to crack the ‘admin’ username.
Few of the most commonly used and worst passwords. Do not use them or similar:
- install and activate the plugin on the Plugins page
- enjoy life without login, register and reset-password brute-force attacks
How does Security-Protection plugin work?
The blocking algorithm is based on 2 methods: ‘invisible js-captcha’ and ‘invisible input trap’.
The ‘invisible input trap’ method is based on fact that almost all the bots will fill inputs with name ‘email’ or ‘url’.
How does Security-Protection plugin work in details?
Two extra hidden fields are added to login, register and reset-password forms.
First field is the invisible captcha (copy and paste the code). Second field should be empty.
If the brute-forcer tries to submit the form, he will make a mistake with answer on first field or tries to submit an empty field and brute-force attack will be automatically rejected.
How does Security-Protection plugin stop brute-force attacks?
If Security-Protection check was not passed than it is brute-force request and the login attempt (or registration, or reset password) is blocked even if username and password are correct.
Plugin sends fake WordPress login cookies to the brute-force bot and redirects it to the admin section to emulate that the password is cracked and many brute-forcers stop their attacks after this.
It is really awesome 🙂
How to test what brute-force attacks are blocked?
You may enable sending info about blocked brute-force attacks to admin email.
Edit security-protection.php file and find “$secprot_send_brute_force_log_to_admin” and make it “true”.
How to stop brute-force attacks if plugins does not help?
If all plugins does not help you to stop brute-force attacks – you can simply rename wp-login.php file (for example ‘wp-login-new.php’) for now and maybe this can help you to reduce load on your site.
And also create empty wp-login.php file for not raising WordPress 404 error because it will start whole WordPress site again during each wp-login.php access.
While wp-login.php renamed – users cannot login, register and reset password.
If you want to have ability to login while you renamed wp-login.php file you should replace all ‘wp-login.php’ strings inside of the wp-login.php file to your new filename (for example ‘wp-login-new.php’).
- Minor updates
- added compatibility for WooCommerce
- code cleanup
- added SECURITY_PROTECTION_VERSION constant
- masking password in the email log for successful login
- cleanup code
- update FAQ
- completely rewrote all the code and reorganize the logic of the plugin (now plugin adds two hidden fields – aka ‘invisible js-captcha’)
- added ‘send_successful_login_log_to_admin’ feature
- added sending fake WordPress login cookies to fool the bot
- initial release – Protect from login, register and reset-password brute-force attacks using cookie check