This plugin blocks distributed botnet brute-force attacks on your WordPress installation.
Well, I have been using this for a while and since I didn't have any issues I could only assume it was working. I was sadly and poorly mistaken. Today my site was under such a heavy brute force attack that my hosting company shut down my site to protect their own servers from crashing. They said I had over 700,000 login attempts in less than an hour. This plugin DOES NOT WORK! DO NOT RELY ON IT!
This plugin seems to be working fine; however, there is no documentation within the plugin's settings page. Zero, zilch, nada. Three of the four settings available *are* self-explanatory, but the last setting is for a whitelist of IPs.
I had to come here to the plugin's page, where I was able to glean some information from throughout the page. The specifics of constructing the whitelist are unfortunately still undocumented.
In one area of the page it is indicated that "you can input a whitelisted IP address (or multiple addresses separated with commas or spaces)".
In another area of the page it says "Partial IP address matching for dynamically-allocated IP addresses".
That is great, but while I was able to get some information about how to use the whitelist, the information that was available (which should have been included on the plugin's settings page) is still ambiguous.
In what manner are we to represent partial IP address matching?
- 123.456.789.* or 123.456.789.000 or 123.456.789. or 123.456.*.* or 123.456.0.0 or in some other manner that I did not use as an example above? We don't know what calls the plugin is looking for to recognize the partial IPs, and there is no documentation indicating how to properly enter the whitelist. Because of this, I am uncertain if I am using the plugin correctly.
My request is this: Please add this information to the settings page of the plugin. There is more than enough room there.
This plugin works great, but could use a longer lockout duration. WordFence does the same thing and locks out an IP up to 60 days. It also has the option to immediately lock out a login with an unknown user name. The one thing it does not have is an IP whitelist. That's a great feature. I'm running both of these together as a test, will see which one works best.
Perfect Plugin - it blocks Botnets. And other things too. I have a Private Galleries area on my site and once the "blocker" is activated no-one can sign in to these Private Galleries either?
I'm using this plugin with Wordfence without apparent conflict.
Also using the whitelist feature without any problems. I'm on (3) dynamic IP address ranges.
Five stars even though I'd also like to extend the 5 hour blocking limit to 24 or more.
Thank you for this. My host recommended this plugin to me after my server was brought to its knees for the billionth time. I was using the limit-login-attempts plugin, and it worked for a while, until the botnet adapted and started using hundreds of different IPs only a few times instead of a few IPs many times.
My only concern is that because I work remotely (from coffee shops, etc.) often, if I get locked out of my site when I am not on a whitelisted IP it's kind of a problem. I hope that captcha support is coming soon.
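The failure mode this review describes (a per-IP limiter evaded by many addresses that each make only a few attempts), as an added example that is not part of the review or the plugin's code. The thresholds, the window and the sample events are assumptions constructed for illustration, and the site-wide counter is a generic technique, not a description of how this plugin works.

```python
from collections import deque

# Assumed values for illustration; not taken from the plugin or any limiter.
PER_IP_LIMIT = 5    # failed logins tolerated per IP inside WINDOW
GLOBAL_LIMIT = 50   # failed logins tolerated site-wide inside WINDOW
WINDOW = 300        # sliding window length in seconds


def distributed_events():
    """Constructed sample: 200 addresses, 3 failed logins each, 2 per second."""
    ips = [f"192.0.2.{i + 1}" for i in range(200)]
    return [(n // 2, ips[n % 200]) for n in range(600)]


def single_source_events():
    """Constructed sample: one address, 20 failed logins, 1 per second."""
    return [(n, "198.51.100.7") for n in range(20)]


def per_ip_blocked(events):
    """Return the set of IPs a per-IP limiter would lock out."""
    recent, blocked = {}, set()
    for ts, ip in events:
        q = recent.setdefault(ip, deque())
        q.append(ts)
        while ts - q[0] > WINDOW:      # drop failures older than the window
            q.popleft()
        if len(q) > PER_IP_LIMIT:
            blocked.add(ip)
    return blocked


def global_lockdown_at(events):
    """Return the timestamp at which a site-wide failure counter trips, or None."""
    q = deque()
    for ts, _ip in events:
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.popleft()
        if len(q) > GLOBAL_LIMIT:
            return ts
    return None


if __name__ == "__main__":
    for name, ev in (("distributed", distributed_events()),
                     ("single source", single_source_events())):
        print(name, "per-IP blocks:", len(per_ip_blocked(ev)),
              "global trip at:", global_lockdown_at(ev))
```

The distributed sample never exceeds the per-IP limit, so only the site-wide counter reacts; the single-source sample is the opposite case, which is why the two counters complement each other.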
I would like to use this in Multisite and be able to control the settings for all blogs from the main admin dashboard. I do not need individual blog admins to control this. I would be willing to donate to get this working in Multisite. I need this quickly since I keep getting attacked.
I installed this plugin on several of my most "active" sites. It was as if millions of voices suddenly cried out in terror, and were suddenly silenced. In a good way.
There are some situations where I cannot use .htaccess, and this plugin is especially helpful there. I will be interested to try any human-only bypass options you might include in the future (captcha, math problem).
So far, working like a charm. Seems to be keeping the bots (and everyone else) at bay.
Leaves a table and settings in your database after deinstallation. Uses the init-Hook to perform on every page call :-(
Doesn't care about the real admin (customer!) knocking at the door while or shortly after an attack has happened.
So please put an .htaccess in your wp-admin folder instead and use HTTP AUTH with a different username and password. This is by far the most effective way to prevent admin area hacking in general as well as distributed attacks and probing usually published login names (yes they're published, even if not visible - look into the HTML).
Hope this helps!
It's time to replace outdated IP based login limiters with this one. Kudos to the author.
One side note, on all three sites I've installed it on, upon activation I received an error: "The plugin does not have a valid header."
However it was possible to activate it from the main list of installed plugins.