Protect Your WordPress Installation From Brute Force Attacks

WordPress by default is not protected from brute force or dictionary attacks, because there is no limit on how many invalid passwords a user can try before finding the correct one. A brute force attacker can therefore easily launch successive login requests with a large pool of words. I did a bit of searching for a solution and, as usual, WordPress plugins came to my rescue. I found a few plugins that can do the work for you, each using a slightly different mechanism.

Login LockDown is one of them. It records the IP address of each login request. If a certain number of failed attempts are made from the same IP range, it disables the login function for that range. The default is a 1 hour block for an IP after 3 failed attempts are made within 5 minutes, but you can change these values and save your own preferences via the Options panel. As an administrator, you can also manually release locked-out IP ranges from the panel.

Another is User Locker. It lets you specify the maximum number of invalid login attempts. If a user exceeds it, the account gets locked. It can only be unlocked by requesting a new password through the Lost Password option or by asking the admin for help. It also lets you disable selected user accounts; those users can't log in then, even if they know the correct password. This is very effective if you want to ban spam users on a community blog.
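
To make the IP-range rule described above concrete, here is a small Python model of it. This is an added example, not code from Login LockDown or from this post. It uses the defaults quoted above (3 failures within 5 minutes, 1 hour block); the class and function names, the choice of an IPv4 /24 as the "range", and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict, deque

class RangeLockout:
    """Failed-login lockout keyed by IP range, using the defaults quoted above."""
    def __init__(self, max_failures=3, window=5 * 60, lock_time=60 * 60, prefix=24):
        self.max_failures = max_failures    # failed attempts tolerated
        self.window = window                # seconds in which they are counted
        self.lock_time = lock_time          # seconds the range stays blocked
        self.prefix = prefix                # assumed range size (IPv4 /24), not from the plugin
        self.failures = defaultdict(deque)  # range -> timestamps of recent failures
        self.locked_until = {}              # range -> time at which the block ends

    def range_of(self, ip):
        # Collapse an address to its network, e.g. 203.0.113.7 -> 203.0.113.0/24
        return str(ipaddress.ip_network(f"{ip}/{self.prefix}", strict=False))

    def is_locked(self, ip, now):
        # A block holds until its expiry time; expired entries simply stop matching.
        return now < self.locked_until.get(self.range_of(ip), 0)

    def record_failure(self, ip, now):
        """Record a failed login; return True if the range is locked afterwards."""
        if self.is_locked(ip, now):
            return True
        key = self.range_of(ip)
        recent = self.failures[key]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                # forget failures older than the window
        if len(recent) >= self.max_failures:
            self.locked_until[key] = now + self.lock_time
            recent.clear()
            return True
        return False

    def release(self, ip):
        """Manual release of a locked-out range by an administrator."""
        key = self.range_of(ip)
        self.locked_until.pop(key, None)
        self.failures.pop(key, None)

def demo():
    guard = RangeLockout()
    # Constructed sample: (seconds since start, source IP) of failed logins
    events = [(0, "203.0.113.7"), (60, "203.0.113.9"),
              (120, "203.0.113.200"), (130, "198.51.100.4")]
    return [guard.record_failure(ip, t) for t, ip in events], guard
```

The three failures come from different addresses in the same /24, so the third one blocks the whole range, while the address in the other range is unaffected. Keying on a range rather than a single address also means other users behind the same network are blocked for the hour unless the administrator releases it.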
