Yeah, questions like this are perhaps too broad or off-topic for this Wordfence-specific forum. But on the other hand, it doesn’t hurt to ask.
Sure, there are whole buildings full of thousands of humans in Ukraine, India, Russia etc. who are tasked with spamming and breaking into websites. They make a joke of captcha (which they probably laugh about as they’re standing around the water cooler when they are unchained from their spam-slave desks for their weekly 5 minute break), which in my opinion is an example of the worst in “security” in that captcha is easily bypassed by criminals, but inconvenient for legit users.
So, as we’re talking about how to defend WordPress from brute force login attacks, using Wordfence… First of course is to simply set your user names and passwords to things that cannot be guessed or cracked. After that, set your login restrictions in Wordfence to strict settings, two tries, 12 hour lockout, etc. If you get some repeating offenders, add their bogus user name attempts to the Wordfence “Immediately block the IP of users who try to sign in as these usernames.” And after all that, always use login URL obfuscation; the plugin WPS Hide Login works for many of us.
In our case, we’ve found that creating “private” WordPress user accounts that are specifically for admin is another ploy that seems to help. These accounts have no created content and for example are not listed on our “Authors” page. These are the only accounts we have with full admin creds.
I’d also be remiss not to mention that country blocking can have a huge beneficial effect on site defense as well as simply reducing your bandwidth.
The above is multi-layered and redundant, but in our view that’s good. For example, what if Wordfence has to be uninstalled? Having correctly configured user names and passwords, along with an obfuscation plugin, those would become first-line defenses.
Which leads me to think, do I really want one security plugin that does it all? And, shouldn’t more of this stuff just be built into WordPress?
MTN
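
A small model of the login rules described in the post above (two tries, 12 hour lockout, immediate IP block for listed usernames), added here as an example; it is not part of the original post and not Wordfence's own code. The event format, the `evaluate` function, the sample usernames and the rule that failures are counted per IP until a success or a lockout are all assumptions.

```python
from datetime import datetime, timedelta

MAX_FAILURES = 2                       # "two tries" from the post
LOCKOUT = timedelta(hours=12)          # "12 hour lockout" from the post
BLOCKED_USERNAMES = {"admin", "test"}  # constructed sample list (assumption)


def evaluate(attempts, max_failures=MAX_FAILURES, lockout=LOCKOUT,
             blocked_usernames=BLOCKED_USERNAMES):
    """Replay (time, ip, username, password_ok) tuples; return one decision each.
    Simplified model: failures count per IP until a success or a lockout."""
    # failures: ip -> failed tries so far; locked_until: ip -> end of lockout
    failures, locked_until, decisions = {}, {}, []
    for when, ip, username, password_ok in attempts:
        if when < locked_until.get(ip, when):
            decision = "rejected:locked-out"   # credentials are never checked
        elif username.lower() in blocked_usernames:
            failures.pop(ip, None)
            locked_until[ip] = when + lockout  # listed name: block at once
            decision = "blocked:listed-username"
        elif password_ok:
            failures.pop(ip, None)             # success resets the counter
            decision = "allowed"
        else:
            failures[ip] = failures.get(ip, 0) + 1
            decision = "failed"
            if failures[ip] >= max_failures:
                failures.pop(ip, None)
                locked_until[ip] = when + lockout
                decision = "failed:lockout-started"
        decisions.append(decision)
    return decisions


# Constructed sample events (documentation IP ranges), not real log data.
T0 = datetime(2024, 1, 1, 8, 0)
SAMPLE = [
    (T0, "203.0.113.5", "editor", False),
    (T0 + timedelta(minutes=1), "198.51.100.7", "Admin", False),
    (T0 + timedelta(minutes=2), "203.0.113.5", "editor", False),
    (T0 + timedelta(minutes=3), "203.0.113.5", "editor", True),
    (T0 + timedelta(hours=13), "203.0.113.5", "editor", True),
]

if __name__ == "__main__":
    for event, decision in zip(SAMPLE, evaluate(SAMPLE)):
        print(event[0].isoformat(), event[1], event[2], "->", decision)
```

The fourth sample event shows the cost of strict settings: a correct password from a locked-out IP is still rejected until the 12 hours have passed.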