This plugin blocks distributed botnet brute-force attacks on your WordPress installation.
After the recent global distributed botnet attack on WordPress installations that took down servers and broke into admin accounts, I thought I'd write a plugin to prevent it happening again.
Distributed botnet attacks can come from multiple IP addresses and locations at the same time, so conventional IP-based lockouts are not effective (e.g. those found in Wordfence and other WordPress security plugins).
For example, if 1,000 different computers (with unique IP addresses) are trying to brute-force your admin password and you lock out each IP address after 5 incorrect attempts then you have still allowed 5,000 attempts. My plugin essentially ignores the different IP addresses and locks out all admin login attempts in a configurable way - so if you have it set to 5 failed attempts (default) then those 1,000 different computers will only have a total between them of 5 attempts.
You can select how many login failures causes the lockout, how much time to allow between failures, how long to block logins for and also you can input a whitelisted IP address (or multiple addresses separated with commas or spaces) which can bypass the lockdown and always log in - so you can still always get into your site even in the middle of an attack. Version 1.1 adds support for partial IP address matching for those with dynamic IP addresses.
Requires: 3.0.0 or higher
Compatible up to: 3.7.1
Last Updated: 2013-12-10
1 of 2 support threads in the last two months have been resolved.
Got something to say? Need help?