UpdraftPlus
Back up, restore and migrate your WordPress website with UpdraftPlus
A brute force login attack is one way an attacker tries to gain entry. The attacker keeps guessing the password for a WordPress account, usually on the assumption that the username is already known. This can be done manually or with a script.
The ‘Cookie-Based Brute Force Login Prevention’ feature is a firewall feature that involves user accounts. It is considered “Intermediate” and adds another 20 points to the Security Strength Meter.
While repeated failed guesses at a WordPress username and password combination can get an IP address locked out, they also consume valuable server resources. When many attempts arrive concurrently (from malicious automated bots), this has a noticeable negative impact on the server’s memory and performance.
Essentially, the feature hides the default WordPress login page from the public. If attackers cannot reach the login page, they cannot log in.
It works like this: you give the plugin a “secret word”, which it uses to create a special URL. Visiting that special (secret) URL deposits a cookie on the visitor’s computer; while the cookie is present, that visitor can reach the WordPress login page as usual. Anyone without knowledge of the special URL (i.e. without the cookie) is redirected to an IP address or URL that you configure. This can be any site on the web, but the default is http://127.0.0.1, which is the local machine of the site visitor.
If there are password-protected posts or pages on the site, a provision exists so that visitors who need access to that content do not have to know the special URL. Turning this on, however, could provide a new route to the login page for anyone who knows the location of those pages (most often this will not be an attacker). Nonetheless, only turn on this provision when necessary.
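The mechanism described above, written out as an added illustrative must-use plugin. This is not AIOS’s own code; it assumes a hard-coded secret word, a hypothetical cookie name, and that the special URL is the login URL with the secret word as a query parameter.

```php
<?php
/*
 * Hypothetical mu-plugin (not AIOS code): gate wp-login.php behind a
 * secret-word cookie, following the behaviour described on this page.
 * Assumed: the secret word and redirect target are constants defined here.
 */
const DEMO_SECRET_WORD = 'change-me';        // assumed; AIOS keeps this in its settings
const DEMO_COOKIE_NAME = 'demo_login_gate';  // hypothetical cookie name
const DEMO_REDIRECT_TO = 'http://127.0.0.1'; // the default target the page documents

add_action('login_init', function () {
    // Mirrors the wp-config override on this page: a defined constant switches the gate off.
    if (defined('AIOS_DISABLE_COOKIE_BRUTE_FORCE_PREVENTION') && AIOS_DISABLE_COOKIE_BRUTE_FORCE_PREVENTION) {
        return;
    }

    // Expected cookie value is a keyed hash, so the secret word itself never travels in the cookie.
    $expected = hash_hmac('sha256', DEMO_SECRET_WORD, wp_salt('auth'));

    // Visiting the special URL (assumed form: wp-login.php?<secret-word>=1) deposits the cookie.
    if (isset($_GET[DEMO_SECRET_WORD])) {
        setcookie(DEMO_COOKIE_NAME, $expected, [
            'expires'  => time() + 30 * DAY_IN_SECONDS,
            'path'     => COOKIEPATH,
            'domain'   => COOKIE_DOMAIN,
            'secure'   => is_ssl(),
            'httponly' => true,
            'samesite' => 'Lax',
        ]);
        return;
    }

    // A visitor already holding the cookie reaches the login page as usual (constant-time compare).
    if (isset($_COOKIE[DEMO_COOKIE_NAME]) && hash_equals($expected, (string) $_COOKIE[DEMO_COOKIE_NAME])) {
        return;
    }

    // Password-protected posts submit their password to wp-login.php?action=postpass;
    // this is the provision the page mentions for visitors who need that content.
    if (isset($_GET['action']) && $_GET['action'] === 'postpass') {
        return;
    }

    // Everyone else is sent away; wp_redirect() permits an off-site target such as the default.
    wp_redirect(DEMO_REDIRECT_TO);
    exit;
});
```

Drop the file into wp-content/mu-plugins/ to try it on a test site; the `?action=postpass` exception is the part to remove if you do not need password-protected content to work for logged-out visitors.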
Below are the quick steps for disabling the cookie-based brute force login attack prevention feature when it has locked you out of WordPress.
For AIOS version 5.1.6 or greater edit your wp-config file and add:
define('AIOS_DISABLE_COOKIE_BRUTE_FORCE_PREVENTION', true);
Before the line:
/* That's all, stop editing! Happy publishing. */
For older versions (5.1.5 or less) navigate to wp-content\uploads\aios\firewall-rules\settings.php in your WordPress installation and modify the following line:
aios_enable_brute_force_attack_prevention:"1"
Remove the digit 1, leaving empty quotes like so:
aios_enable_brute_force_attack_prevention:""
Once the feature is disabled, log back into your WordPress site and change the setting, identified above, that caused you to be locked out.