This plugin blocks distributed botnet brute-force attacks on your WordPress installation.
This plugin works great, but could use a longer lockout duration. Wordfence does the same thing and locks out an IP up to 60 days. It also has the option to immediately lock out a login with an unknown user name. The one thing it does not have is an IP whitelist. That's a great feature. I'm running both of these together as a test, will see which one works best.
Perfect Plugin - it blocks Botnets. And other things too. I have a Private Galleries area on my site and once the "blocker" is activated no-one can sign in to these Private Galleries either?
I'm using this plugin with Wordfence without apparent conflict.
Also using the whitelist feature without any problems. I'm on (3) dynamic IP address ranges.
Five stars even though I'd also like to extend the 5 hour blocking limit to 24 or more.
Thank you for this. My host recommended this plugin to me after my server was brought to its knees for the billionth time. I was using the limit-login-attempts plugin, and it worked for a while, until the botnet adapted and started using hundreds of different IPs only a few times instead of a few IPs many times.
My only concern is that because I work remotely (from coffee shops, etc.) often, if I get locked out of my site when I am not on a whitelisted IP it's kind of a problem. I hope that captcha support is coming soon.
I would like to use this in Multisite and be able to control the settings for all blogs from the main admin dashboard. I do not need individual blog admins to control this. I would be willing to donate to get this working in Multisite. I need this quickly since I keep getting attacked.
I installed this plugin on several of my most "active" sites. It was as if millions of voices suddenly cried out in terror, and were suddenly silenced. In a good way.
There are some situations where I cannot use .htaccess, and this plugin is especially helpful there. I will be interested to try any human-only bypass options you might include in the future (captcha, math problem).
So far, working like a charm. Seems to be keeping the bots (and everyone else) at bay.
Leaves a table and settings in your database after deinstallation. Uses the init-Hook to perform on every page call :-(
Doesn't care about the real admin (customer!) knocking at the door while or shortly after an attack has happened.
So please put an .htaccess in your wp-admin folder instead and use HTTP AUTH with a different username and password. This is by far the most effective way to prevent admin area hacking in general as well as distributed attacks and probing usually published login names (yes they're published, even if not visible - look into the HTML).
Hope this helps!
It's time to replace outdated IP based login limiters with this one. Kudos to the author.
One side note, on all three sites I've installed it on, upon activation I received an error: "The plugin does not have a valid header."
However it was possible to activate it from the main list of installed plugins.
I think this is the best solution in case of attacks. But can I use this plugin and Better WP Security plugin too?
If I turn off lockout feature for Better WP can I safely use this plugin instead?
We have monitors that check our web and MySQL servers every 5 minutes so we have been well aware when DDoS attacks have been happening to our servers. We tried other lockout plugins, but they are completely useless against DDoS attacks. They seemed to like 2 of the 10 WordPress sites I manage... and WordPress versions don't seem to have any influence on what sites get hit.
I was actually able to test this plugin during an actual DDoS attack. Our web and MySQL servers were spiked until this plugin activated. Once activated, both servers returned to normal.
This plugin does exactly what it says. It locks your site completely down to where absolutely no one can login during an attack unless they have a static IP address and that IP address is listed in the IP white list.
It's a bit extreme, but extreme attacks require extreme security measures and I'd rather have to tell a customer to get a static IP address (for security reasons) than have to explain to them why their site is down. I set the lockout time to its maximum setting of 5 hours and the time between invalid attempts to 1 minute. I want things locked down ASAP when these %*#&#'s start hitting our servers.
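Several reviews above contrast per-IP login limiters with this plugin's site-wide lockout and IP whitelist. The following sketch is an added example, not the plugin's own code and not part of any review: it replays a constructed distributed attack against both approaches. The class names, `PER_IP_MAX` and `GLOBAL_MAX` are assumptions for illustration; the 1 minute gap and 5 hour lockout are the settings quoted in the reviews.

```python
from collections import defaultdict

PER_IP_MAX = 5      # assumed per-IP failure limit of a classic login limiter
GLOBAL_MAX = 20     # assumed site-wide failure streak that triggers lockdown
GAP = 60            # max seconds between invalid attempts (1 minute, per the review)
LOCKOUT = 5 * 3600  # lockout duration (5 hours, per the review)

class PerIpLimiter:
    """Blocks an address only after that address fails PER_IP_MAX times."""
    def __init__(self):
        self.fails = defaultdict(int)
    def allow(self, ip, now):
        return self.fails[ip] < PER_IP_MAX
    def record_failure(self, ip, now):
        self.fails[ip] += 1

class GlobalLockdown:
    """Counts failures from all addresses together; locks logins for everyone
    except whitelisted addresses once the streak reaches GLOBAL_MAX."""
    def __init__(self, whitelist=()):
        self.whitelist = set(whitelist)
        self.streak, self.last_fail, self.locked_until = 0, None, 0
    def allow(self, ip, now):
        return ip in self.whitelist or now >= self.locked_until
    def record_failure(self, ip, now):
        recent = self.last_fail is not None and now - self.last_fail <= GAP
        self.streak = self.streak + 1 if recent else 1
        self.last_fail = now
        if self.streak >= GLOBAL_MAX:
            self.locked_until = now + LOCKOUT

def replay(limiter, attempts):
    """Feed failed (time, ip) attempts; return how many reached the password check."""
    reached = 0
    for now, ip in attempts:
        if limiter.allow(ip, now):
            reached += 1
            limiter.record_failure(ip, now)
    return reached

# Constructed sample: 300 addresses, 3 guesses each, one attempt per second.
BOTNET = [(t, f"10.0.{(t % 300) // 250}.{(t % 300) % 250}") for t in range(900)]

if __name__ == "__main__":
    print("per-IP limiter let through:", replay(PerIpLimiter(), BOTNET))
    guard = GlobalLockdown(whitelist={"192.0.2.10"})
    print("global lockdown let through:", replay(guard, BOTNET))
    print("whitelisted admin allowed:", guard.allow("192.0.2.10", 500))
```

The same replay also shows the trade-off the reviewers raise: during the lockout window a legitimate user on a non-whitelisted address is refused along with the bots.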