Protection from login, register and reset-password brute-force attacks.
|Author:||webvitaly (profile at wordpress.org)|
|WordPress version required:||3.0|
|WordPress version tested:||5.0|
|Added to WordPress repository:||26-02-2014|
Warning! This plugin has not been updated in over 2 years. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.
|Total downloads:||13 083|
|Active installs:||1 000+|
Click to start download
How does Security-Protection plugin work?
The blocking algorithm is based on 2 methods: ‘invisible js-captcha’ and ‘invisible input trap’.
The ‘invisible input trap’ method is based on fact that almost all the bots will fill inputs with name ’email’ or ‘url’.
How does Security-Protection plugin work in details?
Two extra hidden fields are added to login, register and reset-password forms.
First field is the invisible captcha (copy and paste the code). Second field should be empty.
If the brute-forcer tries to submit the form, he will make a mistake with answer on first field or tries to submit an empty field and brute-force attack will be automatically rejected.
How does Security-Protection plugin stop brute-force attacks?
If Security-Protection check was not passed than it is brute-force request and the login attempt (or registration, or reset password) is blocked even if username and password are correct.
Plugin sends fake WordPress login cookies to the brute-force bot and redirects it to the admin section to emulate that the password is cracked and many brute-forcers stop their attacks after this.
It is really awesome 🙂
How to test what brute-force attacks are blocked?
You may enable sending info about blocked brute-force attacks to admin email.
Edit security-protection.php file and find “$secprot_send_brute_force_log_to_admin” and make it “true”.
How to stop brute-force attacks if plugins does not help?
If all plugins does not help you to stop brute-force attacks – you can simply rename wp-login.php file (for example ‘wp-login-new.php’) for now and maybe this can help you to reduce load on your site.
And also create empty wp-login.php file for not raising WordPress 404 error because it will start whole WordPress site again during each wp-login.php access.
While wp-login.php renamed – users cannot login, register and reset password.
If you want to have ability to login while you renamed wp-login.php file you should replace all ‘wp-login.php’ strings inside of the wp-login.php file to your new filename (for example ‘wp-login-new.php’).
2.3 – 2016-03-22
- Minor updates
2.2 – 2015-06-01
- added compatibility for WooCommerce
- code cleanup
- added SECURITY_PROTECTION_VERSION constant
2.1 – 2014-08-29
- masking password in the email log for successful login
- cleanup code
- update FAQ
2.0 – 2014-04-05
- completely rewrote all the code and reorganize the logic of the plugin (now plugin adds two hidden fields – aka ‘invisible js-captcha’)
- added ‘send_successful_login_log_to_admin’ feature
1.1 – 2014-03-01
- added sending fake WordPress login cookies to fool the bot
1.0 – 2014-02-25
- initial release – Protect from login, register and reset-password brute-force attacks using cookie check