37 Comments

  1. Miroslav Glavić

    So now there is brute force attack functionality, there is a contact form functionality…

    Should I delete the brute force plugin I have, same for contact form? What is better for my site?


  2. Ken Pyle

    This is terrific! Thank you Automattic!


  3. Miroslav Glavić

    Ok so I tried it. I like it. It would have been better if it told me the IPs of the attackers, maybe even the location (city & country). I like those stats.


  4. dennis

    Will i have a statistic somewhere that shows how many and which IPs got blocked? Didn’t find anything in the wp backend.


    • Stephen Quirk

      Hello,
      I was on the BruteProtect team and now work on Jetpack. You can see the total attack count on the Jetpack Dashboard Widget, though we don’t display specific blocked IPs.


  5. Kev

    OK so question, I have my admin password protected so you need to enter a login name and password just to get to the admin login… will jetpack still be able to protect my login from brute force?

    Also I block all IPs except those I whitelist in my htaccess file, which is a pain because most IPs myself and clients work from are dynamic and change. I would assume with the new brute force protection it is ok to stop this practice?

    Not understanding the new Whitelist IP box, why would I ever need to whitelist my IP? And how the heck can I whitelist it if there is an issue and I can’t even get to the login page? Thanks!


  6. Alan Kellogg

    I’ll wait until 3.4.1 is ready. 3.4 seems to have a beef with Weaver Extreme.


  7. pete

    Can this module be used with custom login pages?


  8. BlakeD

    Anyone else getting the white screen of death when upgrading to 3.4? Keeps happening and it’s definitely Jet Pack.


  9. dipakcg

    Awesome! Thank you Automattic!


  10. Scott Winterroth

    I take it I no longer need to use the Limit Login Attempts plugin with this Brute Protect feature?


    • Dan Knauss

      Same question here. It looks like JetPack Protect doesn’t let you specify the number of logins to block before creating a permanent ban nor does it indicate how long that ban will last.


      • Scott Winterroth

        Noticed that myself. Kind of scary that if you have a false positive you would have to deactivate the entire suite of plugins within JetPack to be able to access your site. Not sure if I’m sold yet. Not to mention, if you somehow blocked your own IP there’s really no way to enter it into the approved list once it is blocked?


      • Samuel "Otto" Wood

        Actually, if you fail the check, it shows a CAPTCHA for you to solve before allowing you to login. You don’t just get locked out with no options, it just asks you to solve a math problem. Correctly solve the math problem and it will let you log in.


      • Scott Winterroth

        Ok, thank you so much for the clarification.


      • Stephen Quirk

        You can also whitelist your IP address by navigating to WordPress.com>My Sites>Settings>Security. This is one of the nice advantages to moving to Jetpack and connecting to WordPress.com.


      • Samuel "Otto" Wood

        Dan, it doesn’t allow you to specify how many logins before a block because that’s not how it works.

        The idea isn’t to block based on how many times they try to log into your site, but based on them logging into *everybody’s* sites. For every login attempt performed, the IP is sent back to a central service. That service analyses the pattern as a whole, and blocks accordingly.

        These mass login attempts come from botnets. And while each individual computer on some big botnet may try to log into your particular site only once or twice, it will still go and try to log into other sites all around the world. When this starts happening, that mass pattern of failed logins coming from the IPs of the botnet machines can be seen by the service, and it can then take steps to block them on all the rest quickly, frustrating the effort of the botnet.

        Think of it like Limit Login Attempts, but with the login attempt info shared amongst all participants. Some will still get hit, but once the service as a whole determines that it’s a bot, then it can block it amongst all the rest immediately.


      • Dan Knauss

        Thanks, that makes sense. I was thinking more about IPs that haven’t been seen before and how they’re handled once identified — are they permanently blocked, blocked for a certain time period, or blocked until someone passes a CAPTCHA? If an IP gets on the ban list, what are the conditions for its removal?


  11. Thorir Vidar

    Jetpack does it again..
    “The following new modules have been activated..”

    This might be a good thing for some users, perhaps even the majority of Jetpack users, and judging by Samuel’s explanation above it certainly sounds like a clever approach to the problem. But personally I’d appreciate it if a plugin asked me before changing the settings on my site.

    At the very least check if there is another Brute Force Protect plugin around, which there are in many cases.


  12. Alessandro Tesoro (@ThemesDepot)

    Does this Jetpack module have some sort of API/functions/hooks that can be used to integrate its functionality within a custom login form? I’m using wp_login_form() and I’ve also added AJAX login to it, so I was wondering if there’s any way to hook into it?


  13. guileshill

    I read the thread fairly thoroughly, generally pleased to see this functionality in JetPack, but I need to know if the brute force protection is likely to cause any issues with an existing installation of the latest BPS login protection. This seems to be a simple limit on the number of attempts, so my guess is that it should be OK with the JP approach.


  14. Jacobus

    Hi Sarah, I don’t understand the whitelist function really. So what happens when you are under attack? Does Jetpack fully shut down all attempts to log in, except the ones from the whitelist?


    • Jeremy

      So what happens when you are under attack.

      In my experience, you’re almost always under attack. If your WordPress site is public, some folks will be trying to log in.

      Jetpack Protect doesn’t have different modes, it always protects your site, as long as the module is active.

      Jetpack will only block IPs that failed to log in multiple times. If one provides the right username / password combination, they’ll be able to get in, as long as they didn’t fail to provide the right credentials multiple times in a row before that.

      The whitelist is only there to allow some IPs to never be considered as malicious on your own site. If you never remember your password on your own site and usually have to try a lot of username/password combinations before being able to get in, then the whitelist is for you!

      The whitelist is also useful when you always access your site from the same IP. It allows you to make sure that you’ll never be blocked by mistake.

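The two explanations above, Samuel "Otto" Wood's description of failures being reported to a central service that flags an IP from the aggregate pattern across all participating sites (comment 10), and Jeremy's description of how multiple consecutive failures, correct credentials and the whitelist interact (comment 14), can be modelled in a few dozen lines. The block below is an added illustration written for this page; it is not code from the thread and not Jetpack's implementation. The thresholds (5 per site, 20 across all sites), the class names, the "challenge" outcome standing in for the CAPTCHA Otto mentions, and the IP addresses are all assumptions constructed for the example.

```python
"""
Toy model of the shared brute-force defence described in the thread: every
participating site reports each failed login to a central service, which
flags an IP from the aggregate pattern rather than from the count on any
single site. Thresholds, names and addresses are assumptions for
illustration, not Jetpack's real values.
"""
from collections import defaultdict

PER_SITE_THRESHOLD = 5   # assumption: what a stand-alone limiter would need to see
GLOBAL_THRESHOLD = 20    # assumption: failures across all sites before the service flags an IP


class CentralService:
    """Aggregates failures reported by every participating site."""

    def __init__(self, threshold=GLOBAL_THRESHOLD):
        self.threshold = threshold
        self.failures = defaultdict(int)  # ip -> failed logins seen on any site

    def report_failure(self, ip):
        self.failures[ip] += 1

    def is_flagged(self, ip):
        return self.failures[ip] >= self.threshold


class Site:
    """One site. service=None models a site that only counts failures locally."""

    def __init__(self, name, service=None, per_site_threshold=PER_SITE_THRESHOLD):
        self.name = name
        self.service = service
        self.per_site_threshold = per_site_threshold
        self.local_failures = defaultdict(int)  # ip -> consecutive failures on this site
        self.whitelist = set()                  # IPs never treated as malicious here

    def login(self, ip, credentials_ok):
        """Return 'allow', 'fail' or 'challenge' (a CAPTCHA before the form is processed)."""
        if ip not in self.whitelist:
            flagged_globally = self.service is not None and self.service.is_flagged(ip)
            if flagged_globally or self.local_failures[ip] >= self.per_site_threshold:
                return "challenge"      # not a lockout: solving the challenge lets the login proceed
        if credentials_ok:
            self.local_failures[ip] = 0  # a success ends the run of consecutive failures
            return "allow"
        self.local_failures[ip] += 1
        if self.service is not None:
            self.service.report_failure(ip)
        return "fail"


def simulate_botnet(n_bots=10, n_sites=30, tries_per_site=2, shared=True):
    """Each bot tries every site a few times; return how many attempts got challenged."""
    service = CentralService() if shared else None
    sites = [Site(f"site{i}", service) for i in range(n_sites)]
    bots = [f"203.0.113.{i}" for i in range(n_bots)]   # constructed TEST-NET-3 addresses
    challenged = 0
    for site in sites:
        for ip in bots:
            for _ in range(tries_per_site):
                if site.login(ip, credentials_ok=False) == "challenge":
                    challenged += 1
    return challenged


def owner_after_typos(whitelisted):
    """The site owner mistypes the password six times, then gets it right."""
    site = Site("blog", CentralService())
    owner_ip = "198.51.100.7"   # constructed TEST-NET-2 address
    if whitelisted:
        site.whitelist.add(owner_ip)
    for _ in range(6):
        site.login(owner_ip, credentials_ok=False)
    return site.login(owner_ip, credentials_ok=True)


if __name__ == "__main__":
    print("per-site counting only, attempts challenged:", simulate_botnet(shared=False))
    print("shared service, attempts challenged:", simulate_botnet(shared=True))
    print("owner without whitelist:", owner_after_typos(False))
    print("owner with whitelist:", owner_after_typos(True))
```

With two tries per site, no bot ever reaches the per-site threshold, so the local-only policy challenges nothing; the shared service, seeing the same IPs fail across many sites, flags each one after its twentieth failure and challenges every later attempt. The owner example shows Jeremy's point about the whitelist: without it, a run of failures from the owner's own IP means even the eventual correct password is met with a challenge, while a whitelisted IP is never challenged.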

  15. Rocky

    How does the Protect module define “malicious login attempts”? I see the module reporting on my dashboard that several attempts have been blocked, but I do not see any login attempts in my server’s logfiles.


    • Jeremy

      A malicious login attempt is logged whenever someone tries to log in to your site and fails to provide correct login details multiple times in a row.


Comments are closed.
