Thanks so much for this plugin. Like many users, one of the problems I have with brute force attacks is the server load is killing my server. Glancing through BruteProtect's code, I can see that it works by hooking into
`wp_login_failed`. The problem with this approach is that a decent chunk of the WordPress framework is already loaded by that point, and it would be nice to do any checking as early as possible; there are several options for doing that at an earlier point.
The earliest would be by just adding an `if` statement in `bruteprotect.php`, and not using actions. For example, you could check for the `$pagenow` variable or look at the `$_SERVER` variable. If `wp-login.php` was being called, you could then run `brute_check_loginability`. The only code you need to add is:
`if (isset($pagenow) && $pagenow == 'wp-login.php') brute_check_loginability();`
On my test server, adding this to the code reduces the length of time the PHP process runs for from an average of 166.1ms to just 84.9ms (assuming a cached block). If you're being hit every few seconds, as mine is, that makes quite a difference to server load. As it stands, the plugin makes almost no difference to server load (unless the bot is intelligent enough to stop trying when it gets a 403 error, which judging by my server log, most aren't).
PS - I noticed two bugs:
- You're missing a closing PHP tag in index.php.
- Your local IP check ought to have IPv6 compatibility, and therefore check for '::1' in addition to '127.0.0.1'. It would also be very slightly more efficient to check for this IP before doing get_site_transient(), though server load on localhost is never likely to be an issue.
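The early-exit idea from the post and the two fixes in the PS, put together as an added example (not BruteProtect's own code): a guard that sits at file scope in the plugin's main file, before any `add_action()` calls, so it runs as soon as the plugin is included instead of waiting for `wp_login_failed`. The only plugin function it relies on is `brute_check_loginability`, which the post names; the `bp_early_*` helper names and the `$_SERVER['SCRIPT_NAME']` fallback are assumptions for illustration, and the loopback short-circuit is ordered before anything that would touch `get_site_transient()`.

```php
<?php
/*
 * Added example, not code from the BruteProtect plugin. Intended to sit at
 * file scope in bruteprotect.php, before the plugin registers its actions.
 * Assumes brute_check_loginability() is defined unconditionally in the same
 * file (PHP makes such top-level functions available before the line that
 * defines them) and that it sends the block response itself.
 */

// Hypothetical helper: is this request for wp-login.php?
function bp_early_is_login_request() {
    global $pagenow; // set by WordPress before plugins load

    if ( isset( $pagenow ) && 'wp-login.php' === $pagenow ) {
        return true;
    }

    // Fallback when $pagenow is not available: look at the script path directly.
    if ( isset( $_SERVER['SCRIPT_NAME'] )
        && 'wp-login.php' === basename( $_SERVER['SCRIPT_NAME'] ) ) {
        return true;
    }

    return false;
}

// Hypothetical helper: loopback check covering both IPv4 and IPv6 (the '::1'
// case the post points out is missing from the plugin's own check).
function bp_early_is_local_ip( $ip ) {
    return in_array( $ip, array( '127.0.0.1', '::1' ), true );
}

// Hypothetical guard: cheapest checks first, plugin lookup last.
function bp_early_guard() {
    if ( ! bp_early_is_login_request() ) {
        return; // not a login request, nothing to do
    }

    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';

    // Skip the transient lookup entirely for loopback requests.
    if ( bp_early_is_local_ip( $ip ) ) {
        return;
    }

    if ( function_exists( 'brute_check_loginability' ) ) {
        brute_check_loginability();
    }
}

bp_early_guard();
```

Keeping the login-page test and the loopback test ahead of the transient lookup means a blocked bot costs one string comparison and one `in_array()` before the plugin's own block logic runs, which is the ordering the post's timing numbers are about.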