Over the holidays, our system admins were busy behind the scenes launching a new application known as WordPress Protect, which provides for more robust protection for WordPress websites. WordPress Protect joins our ever growing security suite which is part of our new hosting platform.
With WordPress accounting for over 30% of the total websites on the internet, it has become a significant target for malicious activity. In fact, back in 2013, our industry faced one of the largest and well organized targeted attacks to WordPress installations utilizing an attempt known as Brute Force.
Unfortunately, WordPress does not have built-in protection against these types of attacks and so we worked to develop custom ModSecurity rules and in 2016 developed a rudimentary CAPTCHA-based system to aid in slowing down these malicious attacks.
This process allowed our system administrators to take action to limit the impact to our customers and their legitimate traffic while protecting their websites. Unfortunately, as a side-effect caused confusion by introducing a second login prompt which our customers understandably didn’t care for. This forced us to actively work on a cleaner solution behind the scenes.
The Solution: WordPress Protect
It’s with that effort that our system administrators in conjunction with some of our third-party vendors managed to create what we feel is a superior solution that not only better protects our customers but has also helped to reduce overall server load resulting in a faster & more stable hosting experience for all customers.
During 2017 we actively tested the new solution on a small segment of our network and found that our WordPress Protect suite filtered out over 180,000 attempts daily (a little over 54 million attempts per month) while reducing page load times by up to 13% due to the filtering occurring pre-connection to the customers’ website.
Our findings were further verified after receiving numerous praises from our customers:
“It’s comforting to see that our website is being pro-actively protected against brute force attacks, especially since it doesn’t impede on our day to day.”
“In the past, whenever there was an attack I would have to use the annoying captcha to log into my WordPress site. Now the blocks are happening without me even knowing.”
“I have resorted to using plugins that block these types of attacks, but since you all have activated WordPress Protect, I have seen a decrease in attempts via the plugin stats and decreased page load speeds. Win-win.”
So How Does It Work?
WordPress Protect is automatically enabled for every hosting account on our platform and does not require customers action to enable/disable the protection.
Our system will track failed login attempts over a specified timeframe using a quota-based system for the following pages: xmlrpc.php and wp-login.php. In the event that a connection fails to login 10 times (across our entire network), we will begin to throttle that connection, where page loads will take 30 seconds. Those connections that do not fail, will not be throttled.
So to put it into layman’s terms, if there is a brute force attempt happening anywhere on our network, our system will automatically shut them down while you, the legitimate user will continue to use your website without issue.
What’s to come
As we work to evolve WordPress Protect, we will bring additional features that will allow customers to have greater control of how connections are filtered for their hosting accounts.
We look forward to hearing more positive feedback from our customers as we continue to enhance and expand our security suite options. Feel free to comment below.