WordPress Brute Force Protection – Stop Brute Force Attacks

Najczęściej zadawane pytania

What level of expertise do I need to configure this plugin?

This plugin is exceptionally easy to use no matter what your level of technical experience. The default settings are highly optimized to limit login attempts and prevent brute force attacks, whilst not disturbing genuine users from logging on.

For advanced users, you can fully customize the behavior of the plugin to ensure it works best for your application.

Is this plugin compatible with Cloudflare or other CDNs?

Yes.

Load balancers and CDNs are known as reverse proxies. Due to the nature of these services, all visits to your website are logged with the IP address of the proxy rather than the visitor’s actual IP address. To remedy this, the visitor’s IP address is provided in a 'header field’ which GuardGiant will pick up and use.

Why am I getting attacked?

Hackers want to gain access to your website for various reasons:

• Place backlinks from your site to improve their site’s Pagerank.
• Redirect your visitors to malicious sites or use your website to distribute spam and viruses.
• Use your server as part of a botnet to launch DDOS attacks.
• Use the same hacked account/password on other sites.
• Collect personal information that they may be able to sell on other sites.
• Ransomware attempt.

It is not uncommon for popular WordPress websites to receive hundreds or even thousands of attacks every day.
These attacks can seriousy damage your reputation if they are allowed to succeed.
By using the guardgiant security plugin, these bruteforce attacks will be met with extremely strong counter-measures
to ensure the security of your WordPress website.

How can I view login activity on my website

The security audit log provides relevant information from the past 30 days.
You can filter security log entries by:

1. Time period for all log entries you wish to see.

2. Whether the users device was trusted or not.

3. The type of security event you wish to see:

• Successful logins to your website.
• Failed logins to your website.
• All authorization attempts.

1. Search log entries by IP address.

2. Search log entries by username.

The time and date of each security event is shown along with username, IP address, IP location, Device type and outcome/message.

How do I access the security log

• First go to your WordPress Dashboard. Choose „guardgiant” in the lefthand menu.
• Select the activity Log.

How to change the settings for brute force protection

Login to the WordPress dashboard and select GuardGiant from the left hand menu.
The Prevent Brute Force Attacks tab is shown. You can choose to:

• Lockout user accounts for a specified time period.
• Option to never lockout accounts when a user is using a trusted device.
• Option to send users a security alert when there is a successful login from an unrecognized device.

For bruteforce attacks from specific IP addresses you can:

• Display a captcha after a specified number of failed login attempts.
• Block the IP address after a certain number of failed attempts (for a specified number of minutes).
• Option for a progressive block where the time increases with each failed attempt.

Should I disable XMLRPC?

The XML-RPC (XML Remote Procedure Call) functionality in WordPress has become a backdoor for hackers trying to exploit a WordPress installation.
It allows your site to be updated with a single command triggered remotely.

It is recommended to disable this feature to reduce the attack surface of your site.

Should I enable google reCaptcha

Google reCaptcha provides a barrier that helps to stop brute force attacks. However, the user experience is somewhat worsened by asking to select traffic lights every time they log in.

The beauty of this security plugin is that google reCaptcha is only to deployed to specific IP addresses and only after a user defined number of failed login attempts.
This is another way that GuardGiant implements brute force protection without disturbing genuine users.

Can I 'whitelist’ certain IP addresses

Yes, GuardGiant supports IP address whitelists. For instance, you can whitelist the IP address of your office to ensure you always have access.

Caution is urged when using whitelists as they can provide an attack vector for brute force hackers.

Can I 'whitelist’ certain users

Yes, you can whitelist individual users so that their accounts are never locked out.

Caution is urged when using whitelists as they can provide an attack vector for brute force hackers.

Why should I obfuscate error messages

By default, WordPress login error messages indicate whether a valid username has been entered.
Attackers can use this functionality to harvest a list of usernames that are then used as part of a brute force attack.
Modern security implementations now recommend a generic 'incorrect username/password’.

This security plugin implements obfuscation of login errors.

Why do I need to limit login attempts

By default, WordPress does not track or limit the number of failed login attempts that can be made.
Without a security plugin or means to prevent brute force attacks, an attacker can try many thousands of login attempts in rapid succession to try to gain access.
It is important to note that the legacy approach of simply locking out users after a number of failed attempts is a poor solution that causes user frustration and can easily be exploited in a DDOS attack.

This security plugin implements modern best practice by tracking the devices that users log on with to ensure real users are never impacted.