Introducing WordPress Protect: Enhanced Brute Force Login Protection

Over the holidays, our system admins were busy behind the scenes launching a new application known as WordPress Protect, which provides for more robust protection for WordPress websites. WordPress Protect joins our ever growing security suite which is part of our new hosting platform.

The Issue

With WordPress accounting for over 30% of the total websites on the internet, it has become a significant target for malicious activity. In fact, back in 2013, our industry faced one of the largest and well organized targeted attacks to WordPress installations utilizing an attempt known as Brute Force.

Unfortunately, WordPress does not have built-in protection against these types of attacks and so we worked to develop custom ModSecurity rules and in 2016 developed a rudimentary CAPTCHA-based system to aid in slowing down these malicious attacks.

This process allowed our system administrators to take action to limit the impact to our customers and their legitimate traffic while protecting their websites. Unfortunately, as a side-effect caused confusion by introducing a second login prompt which our customers understandably didn’t care for. This forced us to actively work on a cleaner solution behind the scenes.

The Solution: WordPress Protect

It’s with that effort that our system administrators in conjunction with some of our third-party vendors managed to create what we feel is a superior solution that not only better protects our customers but has also helped to reduce overall server load resulting in a faster & more stable hosting experience for all customers.

During 2017 we actively tested the new solution on a small segment of our network and found that our WordPress Protect suite filtered out over 180,000 attempts daily (a little over 54 million attempts per month) while reducing page load times by up to 13% due to the filtering occurring pre-connection to the customers’ website.

Our findings were further verified after receiving praise from our customers:

“It’s comforting to see that our website is being pro-actively protected against brute force attacks, especially since it doesn’t impede on our day to day.”

“In the past, whenever there was an attack I would have to use the annoying captcha to log into my WordPress site. Now the blocks are happening without me even knowing.”

“I have resorted to using plugins that block these types of attacks, but since you all have activated WordPress Protect, I have seen a decrease in attempts via the plugin stats and decreased page load speeds. Win-win.”

So How Does It Work?

WordPress Protect is automatically enabled for every hosting account on our platform and does not require customers action to enable/disable the protection.

Our system will track failed login attempts over a specified timeframe using a quota-based system for the following pages: xmlrpc.php and wp-login.php. In the event that a connection fails to login 10 times (across our entire network), we will begin to throttle that connection, where page loads will take 30 seconds. Those connections that do not fail, will not be throttled.

So to put it into layman’s terms, if there is a brute force attempt happening anywhere on our network, our system will automatically shut them down while you, the legitimate user will continue to use your website without issue.

What’s to come

As we work to evolve WordPress Protect, we will bring additional features that will allow customers to have greater control of how connections are filtered for their hosting accounts.

We look forward to hearing more positive feedback from our customers as we continue to enhance and expand our security suite options. Feel free to comment below.


13 thoughts on “Introducing WordPress Protect: Enhanced Brute Force Login Protection”

  1. Kaumil, thanks for letting us know about this new security measure. Does this replace the login code that was added to the .htaccess file? If so, will the techs be cleaning up the old login code from .htaccess files that have been modified?

  2. Hi there,

    Yes, this replaces the login code that was added to the .htaccess file. Our technicians will clean up the old login code from the .htaccess once they have enabled it on your server. We are working through them now.

    For now, I would suggest to keep it as-is.

  3. This is a good move, thanks greengeeks. Many of our wordpress account holders found the .htaccess login very problematic and we spent many hours of technical support for them. How will we know when the change is completed?

    1. Hi, I’m glad that this will alleviate the frustration caused by the .htaccess login. You’ll be notified when this is enabled on your server.

    1. Hello Wayne,

      Thank you for the feedback. I will pass this along to our development team. While WordPress Protect is specifically for WordPress, we do have a wide range of real-time ModSecurity rules that protect Joomla-built websites.

  4. We currently use iThemes Security and WP Security Audit Log plugins on our multisite WordPress – is there any issues with this new service and these plugins?

    1. Hi Ric,

      Since WordPress Protect works by filtering at the start of the connection, it shouldn’t be an issue. If you have any questions or concerns, feel free to open a support ticket with our technical support team.

  5. Will this have an effect on the official Jetpack plug-in from WordPress? Since I have enabled it, it sometimes reports that my site is not available, which I know is not the case. Could be that the longer Page load times are affecting it?

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.