Support » Plugin: BulletProof Security » IP ban for login brute force attempts

  • Resolved Daedalon


    Hi, thanks for the great plugin again. Still using it and always more happily as you keep on improving things.

    Could it be possible to have a rule in BPS so that for example any IP that performs, say, 100 unsuccessful login attempts within 24 hours, doesn’t get to access the login page within 7 days?


    Some of our sites get constantly hammered with login attempts. These may happen hundreds of times a day from the same IP and in some cases to all user accounts that can be guessed to exist based on site content. As a result WordPress temporarily locks those user accounts and sends them an email. To our users it seems like there is something wrong with our site when they get a bunch of emails on some days telling theil account is locked. Furthermore, the bots are patient and may be able to guess some passwords despite the temporary lockings.

    We’ve added those IPs to .htaccess Deny rule when we come across these, but as this is a manual process it means that many emails accounts have already been locked and users emailed. The issue resurfaces every few months from a new set of IPs, sometimes only one.

    Because an .htaccess Deny list could block the site admin out due to multiple testing logins, it might be best to disable the normal login only for these bots, and allow removing the lock by a link emailed to the admin account.

Viewing 11 replies - 1 through 11 (of 11 total)
  • Plugin Author AITpro


    Could it be possible to have a rule in BPS so that for example any IP that performs, say, 100 unsuccessful login attempts within 24 hours, doesn’t get to access the login page within 7 days?

    Why doing the above would probably not take care of the problem. Basically what we have discovered is blocking or blacklisting by IP address is not really effective and very time consuming and if automated would create a problem for a website:

    What works is a CAPTCHA based plugin to stop automated bot attacks. BPS Pro has JTC Anti-Spam / Anti-Hacker, which is 100% effective at stopping this silly stuff. There are free plugins available that appear to work quite well. Do some research and you will find a few that look like they really work. And no I cannot recommend any of them. 😉

    Thanks for the suggestion. Not sure if I understood the suggestion correctly: to add a CAPTCHA for regular login? We won’t be doing that, it makes logging in daily a tedious task.

    What we do want is an automatic detection of a hammering and then an automatic response to that. We get hammered from one or a few IPs at a time, for several days.

    My request would resolve that perfectly: an automation to detect hammering and block those IPs from attempting login for the next few days.

    Plugin Author AITpro


    Actually there is a feature being developed that deals with “throttling”. It works by temporarily blocking IP addresses that are making excessive amounts of requests in X amount of time. Once the excessive requests/attacks end then the ip address is flushed/deleted since keeping these ip addresses permanently would cripple a website’s performance. ETA is unknown at this time.

    That sounds like a great step to this direction. Although we’re currently primarily interested in throttling failed login attempts, we’ll be happy to see a general throttling in the future as well. Thanks for your work on this.

    Plugin Author AITpro


    Thread Start Date: 12-5-2014
    Thread Resolved/Current Date: 12-6-2014
    Comments: A task has been scheduled and attached to “Throttler” to look into this further as a possible incorporated feature.

    Sorry don’t mean to hijack, but i know the normal recaptcha was a pain logging in, but this one may help you for now, the new nocaptcha
    Hope you don’t mind just thought it may be useful until BPS release something much better 😉

    Thanks for the tip, mrppp. Found another one that might do the trick without adding anything to the UI, but haven’t tested it properly yet:

    @ait: Noticed that our current anti-brute-force protection comes from the Theme My Login plugin. It has the setting “After [number] failed login attempts within [number] [minutes/hours/days], lockout the account for [number] [minutes/hours/days].

    What we’re looking for is the same but per IP instead of the account.

    Plugin Author AITpro


    Yep we are still trying to figure out the best way to do anything with IP addresses. In one of our dev versions of BPS we tested blocking an IP address permanently after X number of login attempts. That was simple to do of course and then the hackerbot switched to over 100,000 IP addresses in a 24 hour period so then we had 100,000 lines of htaccess code. The site failed completely around 300,000 ip addresses – would no longer load or do anything. Anyway you get the general idea – we won’t release something that will cripple folks websites – I’m sure they would not be very happy about that and the hackerbots (pesky gnats) would seem like a nice alternative to a crippled website. Still in R&D.

    Plugin Author AITpro


    I assume you were referring to something automated vs something manual? You can manually block a human using a single ip address individually very simply and easily, but if you are up against a botnet or automated hackerbots then they are designed to automatically switch to another ip address and they typically have 100,000’s or 1,000,000’s of ip addresses they can use.

    The flip side is doing something using a finite IP address – allow only your ip address instead of trying to block several million ip addresses. Of course that means that only you can login to your website.

    Protect Login Page from Brute Force Login Attacks

    Thanks for the update. Yes, we’re currently doing the IP blocking manually and are looking for an automatic solution for temporary blocking. Perhaps based on disallowing access to wp-login instead of complete IP ban.

    Our sites have had perhaps two dozen IPs this year attempting this. Naturally it’d still be great if the solution doesn’t introduce an unwarranted DDoS vector, so I appreciate your efforts 🙂

    In case you’d see the .htaccess Deny IP method as the most feasible, it could be possible to limit it to, say, 100 most recent IPs – at least in the free version.

Viewing 11 replies - 1 through 11 (of 11 total)
  • The topic ‘IP ban for login brute force attempts’ is closed to new replies.