The All In One WP Security & Firewall plugin by Tips and Tricks HQ is much more than just a protection tool for the all-important .htaccess and wp-config files.
Among other things, there are basic, intermediate and advanced firewall protection strategies that can be applied to the WordPress site. When turned on, these features add lines to the .htaccess file, which Apache processes before any WordPress PHP runs, so blocked requests are stopped before they ever reach the WordPress site files.
User Login Safety Features of the Plugin
The plugin includes features that help prevent logins from hackers and malicious scripts. A Brute Force Login Attack is one such way in which a hacker tries to gain entry: the attacker keeps guessing the password for a WordPress account, all the while assuming that the username is already known. This can be done manually or with a script.
To prevent such attacks, not using the default “admin” user name for the Administrator account is key. Also, making sure the setting which displays the author’s name for posts (or pages) does not reveal the login username is another important prevention method.
Of course, strong passwords will go a long way as well. Never use dictionary words, as those are the first to be checked in most attacks. Many people suggest using a full sentence, with all its punctuation and spaces, as a password. Others suggest making certain there is a good mix of lower case and upper case letters, special characters (such as #$%@&!) and numbers in the password.
Another effective way to stop the attacks is to monitor and block IP addresses involved in repeated login attempts, which in most cases are attacks.
There are settings in the plugin for stopping login attempts after certain criteria are met. You can set the maximum login attempts within a specific time frame which, when reached, will lock out an IP address for the specified amount of time. You can also have it display a generic (i.e. non-revealing) error message for failed login attempts, so the response does not tell the attacker whether the username or the password was wrong. Lockouts can be sent to the site admin by email as well.
The above settings are considered “Basic” and add 20 points to the Security Strength Meter (the gauge used by the plugin to rate how secure a site is based on the chosen settings). You can add another 5 points by enabling another basic feature that automatically logs out a WordPress user after being logged in for a specific amount of time, say 1 hour. This makes it so that if a person leaves a machine and doesn’t come back during the specified time frame, the session will expire.
Introducing the Cookie-Based Brute Force Login Prevention Feature
Another Firewall feature that involves user accounts, considered “Intermediate” and adding another 20 points to the Security Strength Meter, is the ‘Cookie-Based Brute Force Login Prevention’ feature.
While repeated failed attempts at guessing a WordPress username and password combination could get an IP address locked out, handling those attempts still consumes valuable server resources. Especially when there are many concurrent attempts (from malicious automated robots), this has a negative impact on the server’s memory and performance.
Implementing this feature adds new lines to the .htaccess file. In effect it hides the default WordPress login page from the public: if they cannot access the login page, they cannot log in.
The way it works, essentially, is: you specify a “secret word” to the plugin, which creates a special URL. The special (secret) URL, when visited, sets a cookie in that browser which, when present, allows that individual to visit the WordPress login page as usual. Without the cookie (i.e. without knowing the special URL), the visitor is redirected to a different IP address or URL that you configure. This could be any site on the web, but the default is http://127.0.0.1, which is the visitor’s own machine, so the request goes nowhere useful.
Don’t worry, if there are password-protected posts or pages on the site, there is a provision in place so that visitors needing access to that content do not have to know the special URL. Turning this on, however, could provide a new back door to the login page for those who know the location of these pages (most often it won’t be hackers, though). Nonetheless, only turn on this option when necessary.
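As an added illustration, and not the rules the plugin itself writes (this page does not reproduce them), the following .htaccess fragment shows how such a cookie gate on wp-login.php can be expressed with mod_rewrite. The secret word EXAMPLE-SECRET, the cookie name example_login_gate and the domain example.com are assumed placeholders; the redirect target is the http://127.0.0.1 default described above. The “password-protected posts” provision is rendered as a pass-through for the form those posts submit to wp-login.php with action=postpass.

```apache
# Added example, not the plugin's generated rules.
# Assumed placeholders: secret word EXAMPLE-SECRET, cookie example_login_gate,
# domain example.com. Place above the "# BEGIN WordPress" block so it runs first.
<IfModule mod_rewrite.c>
RewriteEngine On

# 1. The secret URL  https://example.com/?EXAMPLE-SECRET=1  sets a session
#    cookie for this browser, then sends it to the login page. The trailing
#    "?" on the target drops the query string so the secret is not carried along.
RewriteCond %{QUERY_STRING} ^EXAMPLE-SECRET=1$
RewriteRule ^ /wp-login.php? [CO=example_login_gate:1:example.com:0:/,R=302,L]

# 2. Password-protected posts submit their password to wp-login.php?action=postpass;
#    let that through so ordinary visitors never need the secret URL.
RewriteCond %{REQUEST_URI} ^/wp-login\.php$
RewriteCond %{QUERY_STRING} ^action=postpass
RewriteRule ^ - [L]

# 3. Any other request for wp-login.php without the gate cookie is sent away
#    (here to the visitor's own machine, the default mentioned in the text).
RewriteCond %{REQUEST_URI} ^/wp-login\.php$
RewriteCond %{HTTP_COOKIE} !(^|;\s*)example_login_gate=1
RewriteRule ^ http://127.0.0.1/ [R=302,L]
</IfModule>
```

The cookie is a browser-session cookie (lifetime 0 in the CO flag), so clearing cookies or switching browsers means visiting the secret URL again before the login page is reachable; on an HTTPS-only site the CO flag's further secure and httponly sub-fields can be set as well. Note that this gate only covers requests that actually arrive at wp-login.php, so the plugin's own lockout and logging features remain useful for anything the rewrite rules do not see.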
Steps for Setting up the Cookie Based Brute Force Login Attack Feature
Below are the quick steps for implementing the cookie-based brute force login attack prevention feature for WordPress.
- Of course, get the plugin installed in whatever way you normally do. Truly, the easiest way, avoiding unnecessary downloading and uploading when you already know the name of the plugin, is to use the “search” feature under Plugins >> Add New. In this case, search for: All In One WP Security & Firewall.
- Go to WP Security >> Firewall >> Brute Force Prevention once the plugin is installed and activated.
- Scroll to the bottom of the page to do a quick cookie test to make certain that this feature will in fact work for you on the machine that you are using. Click the Perform Cookie Test button.
- Next, put a checkmark in the box to Enable Brute Force Attack Prevention.
- Create a Secret Word. It is used to build the secret URL, which in turn sets the cookie that authorizes access to the WordPress login URL when visited.
- You are probably done at this point and you can save your changes. Optionally modify the Re-direct URL if you want to be clever. And if your site does in fact have password-protected posts or pages, check the option for My Site Has Posts Or Pages Which Are Password Protected.
After saving your settings, make note of the secret URL (preferably memorised rather than written down) and you are in business.
What if Something Goes Wrong When I Use this Feature?
Simply restore your .htaccess file from a backup.
Hi, happy user of the security plugin, it makes life a lot easier. Two remarks:
1 – WP has one problem when hosted: the 404 page depends on a page being generated from inside WP. A random hit like “site.com/abcdef” will yield the default Apache/hosting platform page. As the plugin rewrites the .htaccess anyway, it could be interesting if there was an option to divert any 404 to a specific page (now featured in most themes).
2 – for extra login security, consider the Google Authenticator plugin (I use the Henrick Schack version). This adds a password to any login which changes every 30 seconds and once you set up the Google Authenticator app on a smartphone with your site details it will give you this password (it’s very easy – works with a barcode you scan from the screen), or for those with Firefox on the desktop, get the GAuth extension.
Cheers, Peter
@Jose, This other one doesn’t use any cookie. This one changes the WP Admin login URL of your site. Yes you can enable both these brute force prevention methods together on a site.
Hello there,
I have just seen the newly added Brute-Force feature in this last update of this week and I am wondering if you please could help me clarify its use and difference with the cookie-based brute-force prevention feature.
More specifically I would like to know if this new brute-force feature (non-cookie based) can be used in a membership site, as I cannot use the cookie-based one. And if so, what should I take into account to make sure this does not negatively affect the login of current members.
And second, for a non-membership site, where the cookie-based feature is already in place, can this new non-cookie-based feature be added as well? Can both be working together, so to speak? Does it make sense? Or is it one or the other?
Many thanks for your help and congratulations for this amazing plugin.
Jose
I see, thank you very much for your reply. I appreciate it.
Regards,
Jose
@Jose, You won’t be able to use the cookie based brute force login prevention feature if you are setting up a membership site that needs access to the wp-admin/login area by other users.
Hello there,
I am testing this plugin on a local installation and I’m loving it. Just a question about the Cookie Based Brute Force Login Attack Prevention Feature: I am using a membership plugin (Fastmember). How can I avoid member users trying to log in being redirected to the redirection URL set up with this feature?
Cheers,
Jose
Hi Brian, Give me the URL of your site so I can check and make sure the brute force prevention feature is working correctly on your site. If you are using the cookie-based brute force prevention feature then you actually do not need the login lockdown feature, so you can turn this option off.
Hi,
Thank you for this fantastic plugin, it is amazing.
I do have one question. I have been seeing multiple site lockout notifications for my site recently from a whole range of IP addresses. The messages are always something like this:
lockdown event has occurred due to too many failed login attempts or invalid username:
Username: whatever
IP Address: 125.26.14.115
IP Range: 125.26.14.*
Log into your site’s WordPress administration panel to see the duration of the lockout or to unlock the user.
I enabled cookie-based brute force protection as I was getting nervous, but since I enabled it, I am still getting site lockout notices. I’m wondering how that can be if they need the cookie/secret URL to attempt to log in?
Thanks,
Brian
Hi,
Yes thank you very much, it works. I’ll read your page.
Have a nice day
@Khyriana, Restore your htaccess file and you should be good. Please take a look at the FAQ section from the following page (there is a tutorial for restoring the htaccess file)
https://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin
Hi,
I cannot get into my admin, what should I do?
Thank you in advance
Best Regards
@Bradley, As long as you use the special URL (given to you when you set up this feature), you will be fine. The plugin will drop the cookie when you try to access the admin login screen using that secret code.
What if I reset my browser cache and all cookies are deleted? How do I regain access to my site?
@Teo, The brute force login prevention feature basically stops anyone but the admin (who knows the secret key) from accessing the WP login page. If you are running a membership site that uses WordPress’s built-in login page for authentication then you can’t use this feature. The whole purpose of the feature is to stop anything from going to your wp-login form. See what I mean?
Hello,
Thank you for sharing this plugin. Please take a look at the “Brute Force Prevention Firewall Settings”, it seems to be a problem for users to access their own profile, they are redirected to the URL address set in plugin instead of seeing the account data.
Thank you
One of the BEST security plugins I have used in the last few years. My sites were under eval(…) attack and going to some junk URLs.
After I finished cleaning up my sites, I installed WP Security Plugin and wow.
Today I got around 60 emails letting me know my site is under brute force attack; failed login attempts are recorded. I didn’t enable brute force attack prevention on these sites because I am using IWP (site management plugin), which failed to log in after I enabled the brute force attack feature.
Anyhow, I just enabled the Cookie Based Brute Force Login Attack Feature and, you know, in the last 40 minutes (0) login attempts at the site have been detected.
Great to know you people have done this great plugin for the WordPress community.
The other features I would like to see in this great plugin in future are:
1. Force all users to change passwords after a specified number of days.
2. Not just rename the admin username to something else but change the ID of the user too (ID 1 for the admin should also be changed to a new ID).
3. The tip about the display name of the author is good, but even changing the display name leaves the author URL as the username; a feature where a user’s archive page is accessed under his display name instead of the username.
Well, these are what is currently on my mind, but let me tell you that you people have already saved a lot for me. Great work.
Thank you for a very nice and FREE plugin!
I installed it on a MULTI-SITE today, and had an issue:
When I changed the admin_user name (as recommended), the database table “site_meta” did not change the “site_admins” value.
Therefore I was locked out from the Site-admin Dashboard.
After trying almost everything else, I finally discovered the issue and changed the value manually.
Now it works perfectly.
See if the plugin has that bug, or if it was me who messed up while messing around?
Thanks again! 🙂
@Tony, I did a test but didn’t see the issue. What version of the security and the affiliate plugin are you using?
I see a problem with the Affiliate plugin. When the Enable 5G Firewall Protection is on, it’s stopping people from signing up. Getting a 403.
Thanks Tips and Tricks for the terrific plug in and the awesome documentation!
I have been so bugged by my site bogging down inexplicably. Now, not only do I know why that was happening, but I also have eliminated it!
And for free! You are very kind people!
Cheers, Pam
Hi Barney, When you say “new” are you referring to the backup that it creates? It would be helpful to know what action is causing the server to throw the 500 error. Your server log will have more details on why this error was thrown. Can you try to find out the reason by looking at your server log?
First, thank you for creating this plug-in. I love it and appreciate your generosity in making it free. I am now having an issue when I try to add an IP address to the Blacklist manager. Every time I do this, it creates a new .htaccess file that causes a 500 error on the site. I have to rename the plugin and .htaccess file to be able to log in. A new basic .htaccess gets created, but it is lacking the features you put in with the plugin.
Thanks, again!