I recently received a hat tip from a happy user of the BruteProtect plugin and decided to give it a try myself. The only configuration BruteProtect needs is a free API key, which it uses to communicate with the service. If you’re using the Limit Login Attempts plugin to block unsuccessful login attempts, you’ll need to disable it, as there is no need to run both plugins. The idea behind BruteProtect is very similar to how Akismet operates. I got in touch with Sam Hotchkiss, one of the lead developers behind the plugin/service, and asked him to describe how it works.
BruteProtect is sort of like Akismet, but for your WP login– we track failed logins across a large number of WordPress sites, then analyze that data to find patterns and identify attack bots. The larger our installed base, the more data we have to work with– this results in more complete protection for site owners and fewer false positives. To date, we’ve blocked over 1.3 million malicious login attempts from over 131,000 IP addresses.
The more people that use BruteProtect, the better protected its users are. The blocking and logging happens behind the scenes. However, a new dashboard widget shows the number of blocked login attempts; in the time it took to write this review, it blocked 72 of them. Sam has told me that they are working on big updates that will be available shortly.
BruteProtect comes from the same folks that are behind QuickForget.com. QuickForget gives you a secure way to send passwords, credit card numbers, SSNs, etc.
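To make the difference between a per-site rule and the cross-site approach Sam describes concrete, here is an added illustration (not BruteProtect’s or Limit Login Attempts’ own code; the thresholds, the 600-second window and the sample reports are all assumptions). It shows why one site’s failure count alone produces false positives that a cross-site view can avoid.

```python
from collections import defaultdict

# Constructed sample of failed-login reports, as a central service would
# receive them from many sites: (source_ip, site, unix_timestamp). All made up.
REPORTS = [
    ("203.0.113.7", "blog-a.example", 1000),
    ("203.0.113.7", "shop-b.example", 1030),
    ("203.0.113.7", "news-c.example", 1060),
    ("203.0.113.7", "blog-a.example", 1090),
    ("198.51.100.5", "blog-a.example", 1100),  # one user mistyping a password
    ("198.51.100.5", "blog-a.example", 1130),
]


def failures(reports, ip, site=None):
    """Timestamps of failed logins from `ip`, optionally restricted to one site."""
    return sorted(ts for r_ip, r_site, ts in reports
                  if r_ip == ip and (site is None or r_site == site))


def local_block(reports, site, ip, threshold=2):
    """Single-site rule in the style of Limit Login Attempts (threshold assumed):
    block once the IP has failed `threshold` times on this site, regardless of
    what it did elsewhere."""
    return len(failures(reports, ip, site)) >= threshold


def shared_block(reports, ip, min_sites=3, window=600):
    """Cross-site rule (assumed, not BruteProtect's real analysis): flag an IP
    only when it fails on at least `min_sites` distinct sites inside any
    `window`-second span. A single site's worth of failures is not enough."""
    events = sorted((ts, site) for r_ip, site, ts in reports if r_ip == ip)
    for i, (start, _) in enumerate(events):
        sites = {site for ts, site in events[i:] if ts - start <= window}
        if len(sites) >= min_sites:
            return True
    return False


def compare(reports, ip, site):
    """Return (local decision, shared decision) for one IP on one site."""
    return local_block(reports, site, ip), shared_block(reports, ip)


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.5"):
        print(ip, compare(REPORTS, ip, "blog-a.example"))
```

The IP hitting three sites is blocked by both rules, while the user who mistyped a password twice on one site is blocked only by the per-site rule.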
Wow. I *REALLY* wish I would have known about this plugin a few weeks ago. We manage many blogs for many clients and while we have never lost a site (yet), some brute force hackers have been having a heyday on a couple of our sites…one in particular they have become extra fond of (I have no idea why, it’s nothing special, primarily a lead generation site).
I use the WP Better Security plugin along with a visual captcha (and a couple of .htaccess hacks of my own). The plugin is set to ban the IP after just 2 failed login attempts. So far it has blocked over 5,000 separate individual login attempts in less than 2 weeks (and the list is still growing as I type this). The plugin simply reports a “418” denial error to visitors from blocked IPs and nothing further is logged in the admin area. They’ve been HAMMERING on this site for days and days, non-stop. Our server access logs are endless with thousands and thousands of “418” denial errors to IPs trying to post to /wp-login.php… the site is still holding strong.
There is an upside to this…
The upside is I’ve now accumulated the list of IPs for an elaborate global botnet. How wonderful it would be for the world if this IP list had been added to the BruteProtect data.
Maybe there’s a way I can still make that happen.
Thanks for sharing.
-Mike