Given unlimited time and an unlimited number of password guesses, an attacker would eventually get into your site, right?
This method of attack, known as a brute force attack, is something that WordPress is acutely susceptible to by default, as the system doesn't care how many attempts a user makes to log in. It will always let you try again. Enabling login limits bans the offending host from further login attempts once the specified bad login threshold has been reached.
Solid Security uses two different methods of WordPress brute force protection: Local and Network.
- Local Brute Force protection looks only at attempts to access your site.
- Network Brute Force protection takes it a step further by banning users who have tried to break into other sites from also breaking into yours.
Local Brute Force
Local Brute Force provides protection against attempts to access your site where the attacker tries to guess usernames and passwords over and over again. The attackers are banned per the lockout rules specified locally on your WordPress site.
Automatically Ban "admin" User
Bans any login attempts that use the "admin" username.
Max Login Attempts Per Host
The number of login attempts a user has before their host or computer is locked out of the system. Set to 0 to record bad login attempts without locking out the host.
Max Login Attempts Per User
The number of login attempts a user has before their username is locked out of the system. Note that this is different from hosts (IPs) in case an attacker is using multiple computers. In addition, if they are using your login name, you could be locked out yourself.
Set to 0 to log bad login attempts per user without ever locking the user out (this is not recommended).
Minutes to Remember Bad Login (check period)
The number of minutes in which bad logins should be remembered.
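How the four local settings interact, as an added example that models the behaviour described above and is not Solid Security's own code. It shows the case the per-user limit exists for: one username guessed from several hosts, none of which reaches the per-host limit. Assumptions: the `LoginLimiter` class, the threshold values and the sample events are constructed, a lockout fires when the count reaches the threshold, and the "admin" ban is modelled as an immediate host lockout.

```python
from collections import defaultdict, deque

class LoginLimiter:
    """Model of the local lockout settings (assumed semantics, not plugin code)."""

    def __init__(self, max_per_host, max_per_user, check_minutes, ban_admin):
        self.max_per_host = max_per_host  # 0 = record only, never lock the host
        self.max_per_user = max_per_user  # 0 = record only, never lock the user
        self.window = check_minutes * 60  # seconds a bad login is remembered
        self.ban_admin = ban_admin
        self.by_host = defaultdict(deque)
        self.by_user = defaultdict(deque)
        self.locked = set()               # ("host", ip) or ("user", name)

    def _count(self, bucket, key, now):
        """Record one bad login and return how many fall inside the check period."""
        q = bucket[key]
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()
        return len(q)

    def failed_login(self, host, user, now):
        """Record a bad login at `now` (seconds); return the lockouts it triggers."""
        new = set()
        if self.ban_admin and user == "admin":
            new.add(("host", host))       # assumption: the ban applies to the host
        if self._count(self.by_host, host, now) >= self.max_per_host > 0:
            new.add(("host", host))
        if self._count(self.by_user, user, now) >= self.max_per_user > 0:
            new.add(("user", user))
        new -= self.locked
        self.locked |= new
        return new

def demo():
    lim = LoginLimiter(max_per_host=3, max_per_user=4, check_minutes=5, ban_admin=True)
    events = [  # constructed sample: (seconds, host, username)
        (0, "203.0.113.10", "editor"),
        (10, "203.0.113.11", "editor"),
        (20, "203.0.113.12", "editor"),
        (30, "203.0.113.13", "editor"),  # 4th bad login for one name, 4 hosts
        (40, "198.51.100.7", "admin"),   # banned username
    ]
    return [sorted(lim.failed_login(h, u, t)) for t, h, u in events]

if __name__ == "__main__":
    print(demo())
```

In the sample, the username lockout is the only control that fires against the distributed guessing, which is also why the same setting can lock out the legitimate owner of that login name.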
Network Brute Force
Enabling this module allows you to leverage the power of the Solid Security Brute Force Protection Network. This will automatically report the IPs of the failed login attempts to Solid Security and will block them for the length of time necessary to protect your site based on the number of sites that have seen a similar attack.
To activate the Network Brute Force Protection, enter your email address to get your free API key.
Receive Email Updates
Sends a copy of the weekly WordPress Vulnerability Report and other WordPress security updates to the registered email address.