
Solid Security Pro Feature Spotlight – Brute Force Protection and Banned Users

The WordPress login screen is constantly targeted by brute force login attempts and denial-of-service attacks.

Dan Knauss

In the Feature Spotlight posts, we highlight a feature in Solid Security Pro and share a bit about why we developed the feature, who the feature is for, and how to use the feature.

Today, we will cover Local Brute Force Protection and Banned Users, two great features of the Solid Security Pro plugin.

3 Reasons You Need Brute Force Protection with Banned Users to Secure Your WordPress Site

The WordPress login is the most attacked part of any WordPress website. There are three main reasons that the WP login is such a popular target for attackers:

  1. The WordPress login URL is the same for every WordPress site. Anyone with experience working with WordPress knows the default login URL for WordPress is located on the /wp-login.php page. Remember that even if you use a plugin to change the URL where you keep your login form, it will not change how you log in using the command line. Most attacks on the WordPress login will use a terminal and not a web browser.
  2. WordPress doesn’t limit the number of invalid login attempts. By default, there isn’t anything built into WordPress to limit the number of failed login attempts someone can make. Without a limit on the number of failed login attempts an attacker can make, they can keep trying an endless amount of usernames and passwords until they are successful.
  3. Brute force attacks require no skill. Brute force attacks refer to a trial and error method for discovering username and password combinations to hack into a website. Any beginner-level hacker can create a bot that scours the internet looking for WordPress login pages. Or you can use one of the many open-source brute force applications.

For these three reasons, you need brute force protection and the ability to ban users to secure your WordPress site.

What Is Brute Force Protection and Banned Users?

Your WordPress login is a lot like the front door of your house. Without a lock on your front door, it would be easy for anyone to walk right into your home, start moving your furniture around, smash your stuff, and steal your TV. It only makes sense to add a lock to your front door to make it harder for a would-be thief to break into your home.

As we mentioned earlier, WordPress doesn’t limit the number of invalid login attempts someone can make. This means that a bot can spend all of eternity guessing random combinations of usernames and passwords until they finally brute force their way into the backend of your website.

The Solid Security Pro plugin creates a “lock” to add to your WordPress login. This lock is designed to prevent would-be attackers from being able to walk right into the backend of your website, change your pages, steal your customer’s information, or take control of your website.

The Solid Security Pro Local/Network Brute Force Protection and Banned Users settings work in tandem to secure and protect the most attacked part of your website, the WordPress Login.

2 Types of Brute Force Protection in Solid Security Pro

There are two types of brute force protection in Solid Security Pro. You need both for a double wall of protection for your site:

  • Local Brute Force Protection – Local brute force protection looks at attempts to access your website and bans suspicious users.
  • Network Brute Force Protection – Network brute force protection allows you to join a community that is over ONE MILLION websites strong. If an IP is identified as trying to break into websites in the Solid Security community, the IP will get added to the Network Brute Force banned list.

1. Local Brute Force Protection

Solid Security actively monitors invalid login attempts made to your website to watch for potential brute force attacks. Local Brute Force Protection is the first type of brute force protection that keeps track of invalid login attempts made by a host or IP address and a username.

Once an IP or username has made too many consecutive invalid login attempts, they will get locked out and be prevented from making any more attempts for a set period.

2. Network Brute Force Protection

Network Brute Force Protection takes this a step further. The network is the Solid Security community and is over a million websites strong. If an IP is identified as trying to break into websites in the Solid Security community, the IP will get added to the Network Brute Force banned list.

Once an IP is on the Network Brute Force banned list, the IP will be blocked on all websites in the network. So, if an IP attacks my website and gets banned, it will be reported to the Solid Security Brute Force Network. My report can help to get the IP banned on the entire network. I love that I can help secure other people’s WordPress sites by enabling Solid Security’s Network Protection.

Activate the SolidWP Brute Force Protection Network to join 1 million other websites and unite against malicious IPs attacking WordPress sites worldwide. You’re doing your part to secure not only your website but helping protect other people’s websites, too.

How Banned Users Work with Brute Force Protection

The Solid Security Pro Banned Users feature keeps track of IP lockouts. Once an IP has become a repeat offender, Solid Security Pro will add the IP to the Banned Hosts list and prevent the IP from even being able to view your website, let alone try to log in.

It is important to remember that there is no way to prevent an attack from occurring on your website; the important thing is to prevent those attacks from being successful.

How To Use Local/Network Brute Force Protection and Banned Users in Solid Security Pro

First off, get Solid Security Pro. Install and activate the plugin on your WordPress site using the normal WordPress plugin activation methods.

To get started using the Local and Network Brute Force Protection and Banned Users features, navigate to the Security Settings’ Features menu and enable them.

The Local Brute Force Protection Settings

Let’s look at the Local Brute Force Protection settings now.

Solid Security Local Brute Force Settings
  • Automatically ban “admin” user – When enabled, anyone using the Admin username when logging in receives an automatic lockout.
  • Max Login Attempts Per Host – The number of invalid login attempts an IP is allowed before it gets locked out.
  • Max Login Attempts Per User – This is the number of invalid login attempts a username is allowed before it gets locked out.
  • Minutes to Remember Bad Login – This is how long an invalid login attempt should count against an IP or username for a lockout.

There are a couple of things that you want to keep in mind when you are configuring your lockout settings. You will want to allow more invalid login attempts per user than you allow per host or IP. Let’s say your website is under a brute force attack, and the attacker uses your username. The goal is to lock out the attacker’s IP, not your username, so you can still log in and get work done, even when your website is under attack.

You also don’t want to make these settings too strict by setting the number of invalid login attempts too low and the time to remember invalid attempts too long. Suppose you lower the number of invalid login attempts for hosts/IPs to 1 and set the minutes to remember a bad login attempt to a month. In that case, you drastically increase the likelihood of inadvertently locking out legitimate users.
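As an added illustration (not the plugin’s own code), the following Python model implements per-host and per-user failure counters with a sliding “Minutes to Remember Bad Login” window and replays both situations described above: an attacker hammering the owner’s username from one IP, and a legitimate user whose old typo is still remembered. The IP addresses, the username and the timings are constructed.

```python
from collections import deque

# Hypothetical reimplementation of the lockout logic described above, not the
# plugin's own code. Times are plain minute counters to keep the replay readable.
class LocalBruteForce:
    def __init__(self, max_per_host=5, max_per_user=10, remember_minutes=15,
                 lockout_minutes=15, ban_admin=True):
        self.max_per_host, self.max_per_user = max_per_host, max_per_user
        self.remember, self.lockout, self.ban_admin = remember_minutes, lockout_minutes, ban_admin
        self.host_fail, self.user_fail = {}, {}        # recent failure times per IP / username
        self.locked_hosts, self.locked_users = {}, {}  # lockout expiry per IP / username

    def _recent(self, bucket, key, now):
        """Forget failures older than 'Minutes to Remember Bad Login'."""
        q = bucket.setdefault(key, deque())
        while q and now - q[0] > self.remember:
            q.popleft()
        return q

    def is_locked(self, now, ip=None, user=None):
        return (self.locked_hosts.get(ip, -1) > now
                or self.locked_users.get(user, -1) > now)

    def record_failure(self, now, ip, user):
        hq = self._recent(self.host_fail, ip, now); hq.append(now)
        uq = self._recent(self.user_fail, user, now); uq.append(now)
        # 'Automatically ban "admin" user': one attempt with that name locks the host.
        if len(hq) >= self.max_per_host or (self.ban_admin and user == "admin"):
            self.locked_hosts[ip] = now + self.lockout; hq.clear()
        if len(uq) >= self.max_per_user:
            self.locked_users[user] = now + self.lockout; uq.clear()

def attack_scenario(max_per_host=5, max_per_user=10):
    """Attacker at one IP (constructed 203.0.113.9) guesses the owner's username.
    Returns (host_locked, user_locked) at the moment attempts start being refused."""
    bf = LocalBruteForce(max_per_host, max_per_user)
    now = 0
    while not bf.is_locked(now, ip="203.0.113.9", user="siteowner"):
        bf.record_failure(now, "203.0.113.9", "siteowner")
        now += 1
    return bf.is_locked(now, ip="203.0.113.9"), bf.is_locked(now, user="siteowner")

def typo_lockout(remember_minutes):
    """Owner mistypes once, then once more ten days later. Does the memory
    window turn two unrelated typos into a lockout? (Max per host = 2.)"""
    bf = LocalBruteForce(max_per_host=2, remember_minutes=remember_minutes)
    bf.record_failure(0, "198.51.100.7", "siteowner")
    bf.record_failure(10 * 24 * 60, "198.51.100.7", "siteowner")
    return bf.is_locked(10 * 24 * 60, ip="198.51.100.7")
```

With the recommended ordering (host limit below user limit) the attacker’s IP is locked while the owner’s username stays usable; swap the limits and the opposite happens, and a month-long memory window turns two stray typos into a lockout.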

The Network Brute Force Protection Settings

Let’s go to the Network Brute Force Protection settings now.

Network Brute Force Protection

To get your Brute Force Network license key, enter your email address, choose whether or not you want to receive email updates, and click the Save button.

After saving the settings, you will see a couple of new options.

  • Ban Reported IPs – Automatically ban IPs reported as a problem by the network.
  • Reset API Key – Resetting the API key will deactivate your Network Brute Force license.

The Banned Users Settings

Now, let’s find the Banned Users settings.

  • Default Ban List – When enabled, Solid Security will use hackrepair.com’s blocklist to ban known bad actors from your website.
  • Limit Banned IPs in Server Configuration Files – Limiting the number of IPs blocked by the Server Configuration Files (.htaccess and nginx.conf) will help reduce the risk of a server timeout when updating the configuration file.
  • Ban User Agents – User agents in this list cannot access your website.

You can view the banned host lists and manually add IPs to the banned list on the Security Dashboard from the Banned Users card.

Why would I want to limit the number of banned IPs in my server config file?

Limiting the number of IPs blocked by the Server Configuration Files (.htaccess and nginx) will help reduce the risk of a timeout when the server updates these files.

Every time a file is updated, the server will rewrite the whole file. If you have an .htaccess file with 200 banned IPs and a new IP is added to your banned list, the server will have to rewrite all 201 IPs. If you have any other server rules written to your .htaccess, those rules will have to be rewritten along with the 201 bans.

The larger your .htaccess and nginx files are, the higher the chance of a server timeout when they’re updated. This is especially true when your website is under attack, and your server has to update your server config file multiple times to keep up with all the new IPs.

What happens if I have more banned IPs than allowed in my server config file?

If the number of IPs in the banned list exceeds the Server Configuration File limit, the additional IPs will be blocked using PHP.

One thing to remember when setting the Limit Banned IPs in Server Configuration Files option is that blocking IPs at the server level is more efficient than blocking IPs at the application level using PHP. However, the result of both methods is the same… bad guys get blocked from accessing your website.
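The split between server-level and PHP-level blocking, as an added example that is not the plugin’s own code: the first entries up to the configured limit are rendered into Apache 2.4 and nginx deny directives (the surrounding marker comments and the IPs are constructed), the overflow is checked at the application layer, and both layers give the visitor the same outcome.

```python
import ipaddress

# Added illustration of the 'Limit Banned IPs in Server Configuration Files'
# setting, not the plugin's own code. The marker comments and file layout are
# constructed; the deny syntax is standard Apache 2.4 and nginx.
def partition_bans(banned, limit):
    """Keep the first `limit` unique entries for the server config; the rest
    are enforced at the application (PHP) level."""
    seen, ordered = set(), []
    for entry in banned:
        if entry not in seen:
            seen.add(entry); ordered.append(entry)
    return ordered[:limit], ordered[limit:]

def render_htaccess(server_ips):
    """Apache 2.4 block: every IP/CIDR here is rewritten whenever one is added."""
    lines = ["# BEGIN banned hosts (constructed example)", "<RequireAll>",
             "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in server_ips]
    lines += ["</RequireAll>", "# END banned hosts"]
    return "\n".join(lines)

def render_nginx(server_ips):
    """Equivalent nginx directives for inclusion in a server block."""
    return "\n".join(f"deny {ip};" for ip in server_ips)

def where_blocked(remote_addr, server_ips, php_ips):
    """Report which layer stops a visitor: 'server', 'php', or None. Both
    layers are CIDR-aware; the visible outcome for the visitor is the same."""
    addr = ipaddress.ip_address(remote_addr)
    for layer, entries in (("server", server_ips), ("php", php_ips)):
        if any(addr in ipaddress.ip_network(e, strict=False) for e in entries):
            return layer
    return None
```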

One quick note. I wouldn’t spend too much of your time worrying about or monitoring lockouts or bans that occur on your website. Solid Security Pro automates all of this for you, so you can spend time on activities that make you money.

Get Solid Security Pro Today!

By default, there isn’t anything built into WordPress to limit the number of failed login attempts someone can make. Without limiting the number of failed login attempts an attacker can make, they can keep trying an endless number of usernames and passwords until they are successful.

The Solid Security Pro Local and Network Brute Force Protection and Banned Users settings work together to secure and protect the most attacked part of your website, the WordPress Login. Get Solid Security Pro today to secure and protect your site from brute-force attacks.

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!
