How to use cookie-based brute force login attack prevention feature

A Brute Force Login Attack is one way in which a hacker tries to gain entry. This is when the attacker will keep on trying to guess the password for a WordPress account, all the while assuming that they know the username. This can be done manually or with a script.

A Firewall feature that involves user accounts, that is considered “Intermediate” and adds another 20 points to the Security Strength Meter, is the ‘Cookie-Based Brute Force Login Prevention’ feature.

While repeated failed attempts at guessing a WordPress username and password combination could get an IP Address locked out, it also takes up valuable server resources. Especially when there are repeated attempts concurrently (from malicious automated robots), this has a negative impact on the server’s memory and performance.

Basically what it does is hide the default WordPress login page from the public. If they cannot access the login page, they cannot login.

The way it works essentially is: you specify a “secret word” to the plugin, which creates a special URL. The special (secret) URL, when visited, deposits a cookie on the computer which, when present, allows that individual to visit the WordPress login page as usual. Without knowledge of the special URL (i.e. having the cookie), the user will be redirected to a different IP Address or URL that you configure. This could be to any site on the web but the default is http://127.0.0.1 which represents the local machine of the web site visitor.

Don’t worry, if there are password protected posts or pages on the site, there is a provision in place that prevents visitors needing access to that content from needing to know the special URL. Turning this on however, could provide a new backdoor to the login page for those that know the location of these pages (most often it won’t be hackers though). Only turn on this feature when necessary, none the less.

Below are the quick steps for implementing the cookie based brute force login attack prevention feature for WordPress.

1. Firstly, install the WordPress security plugin, AIOS
2. Go to WP Security >> Firewall >> Brute Force Prevention once the plugin in installed and activated.
3. Scroll to the bottom of the page to do a quick cookie test to make certain that this feature will in fact work for you on the machine that you are using. Click the Perform Cookie Test button.
4. Next, put a check-mark in the box to Enable Brute Force Attack Prevention.
5. Create a Secret Word which will be used for the secret URL, which in turn creates the cookie that authorizes access to WordPress login URL when visited.
6. You are probably done at this point and you can save your changes. Optionally modify the Re-direct URL if you want to be clever. And if your site does in fact have password protected posts or pages, check the option for My Site Has Posts Or Pages Which Are Password Protected.

For AIOS version 5.1.6 or greater edit your wp-config file and add:

define('AIOS_DISABLE_COOKIE_BRUTE_FORCE_PREVENTION', true);

Before the line:

/* That’s all, stop editing! Happy publishing. */

For older versions (5.1.5 or less) navigate to wp-content\uploads\aios\firewall-rules\settings.php in your WordPress installation and modify the following line:

aios_enable_brute_force_attack_prevention:"1"

Remove the digit 1, leaving empty quotes like so:

aios_enable_brute_force_attack_prevention:""

Once disabled, log back into your WordPress site and change the setting that you identified above that is causing you to be locked out.