In the Feature Spotlight posts, we highlight a feature in iThemes Security Pro and share a bit about why we developed the feature, who the feature is for, and how to use the feature.
Today we are going to cover Local Brute Force Protection and Banned Users, two great features in the iThemes Security Pro plugin.
The iThemes Security Pro Local/Network Brute Force Protection and Banned Users settings work in tandem to secure and protect the most attacked part of your website, the WordPress Login.
Why We Developed Local Brute Force Protection & Banned Users
The WordPress login is the most attacked part of any WordPress website. There are three main reasons that the WP login is such a popular target for attackers:
- The WordPress login URL is the same for every WordPress site. Anyone with experience working with WordPress knows the default login URL for WordPress is located on the
/wp-login.php page. Keep in mind that even if you use a plugin to change the URL of where you keep your login form, it will not change how you would log in from the command line. Most attacks on the WordPress login will use a terminal and not a web browser.
- WordPress doesn’t limit the number of invalid login attempts. By default, there isn’t anything built into WordPress to limit the number of failed login attempts someone can make. Without a limit on the number of failed login attempts an attacker can make, they can keep trying an endless amount of usernames and passwords until they are successful.
- Brute force attacks require no skill. Brute force attacks refer to a trial and error method used to discover username and password combinations to hack into a website. Any beginner-level hacker can create a bot that scours the internet looking for WordPress login pages. Or you can just use one of the many open-source brute force applications that have already been created.
Your WordPress login is a lot like the front door of your house. Without a lock on your front door, it would be easy for anyone to just walk right into your home, start moving your furniture around, smashing your stuff, and stealing your TV. It only makes sense to add a lock to your front door to make it harder for a would-be thief to break into your home.
We decided we needed to create a lock that iThemes Security users could add to their WordPress login. This lock is designed to prevent would-be attackers from being able to walk right into the backend of your website, changing your pages, stealing your customer’s information, or taking control over your website.
What Is Local/Network Brute Force Protection & Banned Users?
As we mentioned earlier, WordPress doesn’t limit the number of invalid login attempts someone can make. This means that a bot can spend all of eternity guessing random combinations of usernames and passwords until they finally brute force their way into the backend of your website.
The iThemes Security Pro Local Brute Force Protection feature keeps track of invalid login attempts made by a host or IP address and by a username. Once an IP or username has made too many consecutive invalid login attempts, it will get locked out and will be prevented from making any more attempts for a set period of time.
Limiting login attempts is all about local brute force protection. Local brute force protection looks only at attempts to access your site and bans users per the lockout rules specified in your security settings.
Network Brute Force Protection takes this a step further. The network is the iThemes Security community and is over a million websites strong. If an IP is identified as trying to break into websites in the iThemes Security community, the IP will get added to the Network Brute Force banned list.
Once an IP is on the Network Brute Force banned list, the IP will be blocked on all websites in the network. So, if an IP attacks my website and gets banned, it will be reported to the iThemes Security Brute Force Network. My report can help to get the IP banned on the entire network. I love that I can help to secure other people’s WordPress login just by enabling the iThemes Security Network Protection.
The iThemes Security Pro Banned Users feature keeps track of IP lockouts. Once an IP has become a repeat offender, iThemes Security Pro will add the IP to the Banned Hosts list and prevent the IP from even viewing your website, let alone trying to log in.
It is important to remember that there is no way to prevent an attack from occurring on your website; the important thing is to prevent those attacks from being successful.
How To Use Local/Network Brute Force Protection & Banned Users in iThemes Security Pro
To get started using the Local & Network Brute Force Protection and Banned Users features, navigate to the security settings’ Features menu and enable them.
The Local Brute Force Protection Settings
Let’s click the Local Brute Force Protection cogwheel to take a look at the settings.
- Automatically ban “admin” user – When enabled, anyone using the Admin username when logging in receives an automatic lockout.
- Max Login Attempts Per Host – The number of invalid login attempts an IP is allowed before it gets locked out.
- Max Login Attempts Per User – This is the number of invalid login attempts a username is allowed before it gets locked out.
- Minutes to Remember Bad Login – This is how long an invalid login attempt should count against an IP or username for a lockout.
There are a couple of things that you want to keep in mind when you are configuring your lockout settings. You will want to give more invalid login attempts to users than you give IPs. Let’s say your website is under a brute force attack and the attacker is using your username. The goal is to lock out the attacker’s IP and not your username, so you will still be able to log in and get work done, even when your website is under attack.
You also don’t want to make these settings too strict by setting the number of invalid login attempts too low and the time to remember invalid attempts too long. If you lower the number of invalid login attempts for hosts/IPs to 1 and set the minutes to remember a bad login attempt to a month, you are drastically increasing the likelihood of inadvertently locking out legitimate users.
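To make the three settings and the advice above concrete, here is a small lockout tracker written for this post as an added example. It is not the plugin's code: the threshold values, the 15-minute lockout duration and the documentation-range IP addresses are constructed assumptions, and the simulation shows why a higher per-user limit than per-host limit keeps the site owner's username usable while the attacker's IP is locked, and why a short "Minutes to Remember" window lets a slow, spaced-out attacker through.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class LockoutSettings:
    """Mirrors the Local Brute Force Protection settings; values are example choices."""
    max_attempts_per_host: int = 5     # "Max Login Attempts Per Host"
    max_attempts_per_user: int = 10    # "Max Login Attempts Per User"
    minutes_to_remember: int = 15      # "Minutes to Remember Bad Login"
    lockout_minutes: int = 15          # assumed lockout duration; the post does not state one


class LoginGuard:
    """Counts failed logins per IP and per username inside a sliding time window."""

    def __init__(self, settings, now):
        self.settings = settings
        self.now = now                 # injected clock so the example is deterministic
        self.failures = {}             # ("host", ip) / ("user", name) -> deque of timestamps
        self.locked_until = {}         # same keys -> datetime the lockout expires

    def _recent_failures(self, key):
        """Drop failures older than the remember window, return what remains."""
        cutoff = self.now - timedelta(minutes=self.settings.minutes_to_remember)
        q = self.failures.setdefault(key, deque())
        while q and q[0] <= cutoff:
            q.popleft()
        return q

    def is_locked(self, key):
        until = self.locked_until.get(key)
        return until is not None and self.now < until

    def allowed(self, ip, username):
        """An attempt proceeds only if neither the IP nor the username is locked."""
        return not (self.is_locked(("host", ip)) or self.is_locked(("user", username)))

    def record_failure(self, ip, username):
        """Count one bad login; whichever counter reaches its limit gets locked out."""
        limits = ((("host", ip), self.settings.max_attempts_per_host),
                  (("user", username), self.settings.max_attempts_per_user))
        for key, limit in limits:
            q = self._recent_failures(key)
            q.append(self.now)
            if len(q) >= limit:
                self.locked_until[key] = self.now + timedelta(minutes=self.settings.lockout_minutes)
                q.clear()

    def advance(self, minutes):
        self.now += timedelta(minutes=minutes)


def simulate(settings):
    """One attacker IP hammers the owner's username; can the owner still log in?"""
    guard = LoginGuard(settings, datetime(2024, 1, 1, 12, 0))   # constructed start time
    attacker_ip, owner_ip, user = "203.0.113.7", "198.51.100.4", "owner"  # constructed
    for _ in range(20):                                         # 20 guesses, back to back
        if guard.allowed(attacker_ip, user):
            guard.record_failure(attacker_ip, user)
    result = {
        "attacker_ip_locked": not guard.allowed(attacker_ip, user),
        "owner_can_log_in": guard.allowed(owner_ip, user),      # owner's own IP, same username
    }
    guard.advance(settings.lockout_minutes + 1)
    result["attacker_released"] = guard.allowed(attacker_ip, user)
    return result


def slow_attacker_locked(settings, gap_minutes, attempts=20):
    """Does an attacker who waits gap_minutes between guesses ever trip the host lockout?"""
    guard = LoginGuard(settings, datetime(2024, 1, 1, 12, 0))
    ip, user = "203.0.113.7", "owner"
    locked = False
    for _ in range(attempts):
        if guard.allowed(ip, user):
            guard.record_failure(ip, user)
        locked = locked or guard.is_locked(("host", ip))
        guard.advance(gap_minutes)
    return locked


if __name__ == "__main__":
    print(simulate(LockoutSettings()))
    print(simulate(LockoutSettings(max_attempts_per_host=10, max_attempts_per_user=5)))
    print(slow_attacker_locked(LockoutSettings(), gap_minutes=2))
    print(slow_attacker_locked(LockoutSettings(), gap_minutes=16))
```

With the defaults the attacker's IP locks after five failures while the username has only five of its ten, so the owner logs in from another address; swap the two limits and the username locks first, shutting the owner out too. A 16-minute gap between guesses defeats a 15-minute remember window, which is the trade-off the post describes when it warns against setting the window too short or too long.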
The Network Brute Force Protection Settings
Let’s click the Network Brute Force Protection cogwheel to take a look at the settings.
To get your Brute Force Network license key, enter your email address, choose whether or not you want to receive email updates and then click the Save button.
After saving the settings you will see a couple of new options.
- Ban Reported IPs – Automatically ban IPs reported as a problem by the network.
- Reset API Key – Resetting the API key will deactivate your Network Brute Force license.
The Banned Users Settings
Now let’s click the Banned Users cogwheel to take a look at the settings.
- Default Ban List – When enabled, iThemes Security will use the hackrepair.com blocklist to ban known bad actors from your website.
- Limit Banned IPs in Server Configuration Files – Limiting the number of IPs blocked by the Server Configuration Files (.htaccess and nginx.conf) will help reduce the risk of a server timeout when updating the configuration file.
- Ban User Agents – User agents in this list will not be allowed to access your website.
You can view the banned host lists and manually add IPs to the banned list on the Security Dashboard from the Banned Users card.
Why would I want to limit the number of banned IPs in my server config file?
Limiting the number of IPs blocked by the Server Configuration Files (.htaccess and nginx.conf) will help reduce the risk of a timeout when the server updates these files.
Every time a file is updated, the server will rewrite the whole file. This means that if you have an .htaccess file with 200 banned IPs and you have a new IP added to your banned list, the server will have to rewrite all 201 IPs. If you have any other server rules written to your .htaccess, those rules will have to be rewritten along with the 201 bans.
The larger your .htaccess or nginx.conf files are, the higher the chance of a server timeout when they are updated. This is especially true when your website is under attack, and your server has to update your server config file multiple times to keep up with all of the new IPs.
What happens if I have more banned IPs than allowed in my server config file?
If the number of IPs in the banned list exceeds the Server Configuration File limit, the additional IPs will be blocked using PHP.
One thing to keep in mind when setting the Limit Banned IPs in Server Configuration Files option is that blocking IPs at the server level is more efficient than blocking IPs at the application level using PHP. However, the end result of both methods is the same… bad guys get blocked from accessing your website.
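The following is an added example, not plugin code, showing the split the two answers above describe: the first N banned addresses are rendered into server configuration and everything past the limit is checked in application code. The `# BEGIN`/`# END` markers, the file layout and the sample addresses are this example's own assumptions; the `<RequireAll>` / `Require not ip` block is standard Apache 2.4 syntax and `deny` is standard nginx syntax. The returned `layer` tells you which tier stopped a given client.

```python
import ipaddress


def split_ban_list(banned_entries, server_limit):
    """Validate and dedupe the ban list, then split it at the server-config limit."""
    unique = []
    seen = set()
    for raw in banned_entries:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            continue                       # never write a malformed entry into .htaccess
        if ip not in seen:
            seen.add(ip)
            unique.append(ip)
    return unique[:server_limit], unique[server_limit:]


def render_htaccess(server_ips):
    """Apache 2.4 block: grant everyone, then subtract the banned addresses."""
    lines = ["# BEGIN example-ban-list", "<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in server_ips]
    lines += ["</RequireAll>", "# END example-ban-list"]
    return "\n".join(lines) + "\n"


def render_nginx(server_ips):
    """nginx equivalent: one deny directive per banned address."""
    return "".join(f"deny {ip};\n" for ip in server_ips)


def blocking_layer(client_ip, server_ips, php_ips):
    """Return 'server', 'php' or None depending on where this client would be stopped."""
    ip = ipaddress.ip_address(client_ip)
    if ip in server_ips:
        return "server"      # rejected by Apache/nginx before PHP ever runs
    if ip in php_ips:
        return "php"         # past the config-file limit, so the application blocks it
    return None


# Constructed ban list: seven addresses from documentation ranges, one duplicate,
# one malformed entry; a server-config limit of five.
BANNED = ["203.0.113.1", "203.0.113.2", "203.0.113.3", "203.0.113.4", "203.0.113.5",
          "203.0.113.6", "198.51.100.9", "203.0.113.2", "not-an-ip"]
SERVER_IPS, PHP_IPS = split_ban_list(BANNED, server_limit=5)

if __name__ == "__main__":
    print(render_htaccess(SERVER_IPS))
    print(render_nginx(SERVER_IPS))
    for client in ("203.0.113.1", "198.51.100.9", "192.0.2.50"):
        print(client, "->", blocking_layer(client, SERVER_IPS, PHP_IPS))
```

Every new server-tier ban means rewriting the whole rendered block, which is the cost the post is pointing at; the application tier is a set lookup that grows without touching the config file, at the price of letting the request reach PHP first.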
One quick note. I wouldn’t spend too much of your time worrying about or monitoring lockouts or bans that occur on your website. iThemes Security Pro automates all of this for you, so you can spend your time on activities that make you money.
By default, there isn’t anything built into WordPress to limit the number of failed login attempts someone can make. Without a limit on the number of failed login attempts an attacker can make, they can keep trying an endless number of usernames and passwords until they are successful.
The iThemes Security Pro Local & Network Brute Force Protection and Banned Users settings work in tandem to secure and protect the most attacked part of your website, the WordPress Login.
Each week, Michael puts together the WordPress Vulnerability Report to help keep your sites safe. As Product Manager at iThemes, he helps us continue to improve the iThemes product lineup. He’s a giant nerd & loves learning about all things tech, old & new. You can find Michael hanging out with his wife & daughter, reading or listening to music when not working.