=== WordPress Brute Force Protection - Stop Brute Force Attacks === Contributors: guardgiant Tags: brute force protection, stop user enumeration, login security, brute force, stop brute force attacks, brute force login protection Requires at least: 3.3 Tested up to: 5.6 Stable tag: 2.2.2 Requires PHP: 5.4 License: GPLv2 or later License URI: http://www.gnu.org/licenses/gpl-2.0.html The only plugin with 100% brute force protection that doesn't lock out genuine users. == Description == = Security Features = * **Brute force protection** * **Stop brute force attacks to hack passwords** * **Stop brute force attacks to find WordPress accounts** * **Limit login attempts** * **Login security for login form** * **Login security for WordPress backend** * **Login activity log** * **Brute force protection against distributed attacks** * **Brute force login protection** The only plugin with 100% brute force protection that doesn't lock out genuine users. = Brute Force Protection = This plugin implements an approach used by large websites such as Facebook, Google etc. When a genuine user makes a successful login to their account using their mobile phone, tablet, or computer GuardGiant starts treating their device as Trusted. * Failed login attempts from trusted devices are directed towards 'Lost Password' forms rather than being subject to account lockouts or additional counter measures. * Users receive an alert when anyone logs into their account from an unrecognized device or browser. = Limit Login Attempts = GuardGiant uses a range of strong counter-measures to limit failed login attempts from unrecognized devices. The default behaviour is: * After 3 failed login attempts from the same unrecognized device, a Google ReCaptcha field is added to the login page. ReCaptcha is a strong counter-measure that is very hard for an automated process to solve. * After 10 failed login attempts a temporary block of 2 minutes is applied to the device/IP address. No login attempts can be made during this time. * Each further failed login attempt increases the block time by another minute. This slows down attacks to the point where they quickly become unviable. All behavior is fully customizable to achieve the level of brute force protection that you require. = Login Activity Log = A fully featured activity log gives you visibility to all login attempts on your site. * Provides geographic location, device type, IP address and more for each login attempt. * Filter login attempts by Trusted or Unrecognized devices. * Search by IP address or username. * Filter by successful or failed attempts. * Easy to display successful logins from unrecognized devices that could indicate a hacked account. [View 3 things you should be tracking in your activity log.](https://www.guardgiant.com/wordpress-login-activity-3-things-you-should-be-tracking/ "View 3 things you should be tracking in your activity log.") This activity log can form an essential part of your brute force login protection plan. GDPR compliant. = Other Security Improvements = GuardGiant implements numerous other security improvements recommended by the Open Web Application Security Project® (OWASP) to keep your site safe: * Obfuscates login errors to stop user enumeration. * Option to disable XMLRPC. * Refuse guest access to certain API calls * And much, much more. This security plugin is exceptionally easy to use no matter what your level of technical expertise. The default settings are highly optimized, designed to prevent brute force attacks whilst not disturbing genuine users from logging in. Advanced users can fully customize the behavior of this plugin to suit their own environment. == Installation == How to install the GuardGiant brute force protection plugin **Using the WordPress dashboard** * Navigate to 'Plugins' in the WordPress dashboard. * Click on 'Add new' to add a new plugin. * Search for ‘guardgiant brute force’ * Click ‘Install Now’ * Click the 'Activate' link when your download has completed. **Uploading files via the WordPress Dashboard** First, download the GuardGiant brute force prevention plugin file to your computer. * Navigate to 'Plugins' in the WordPress dashboard. * Click on 'Add new' to add a new plugin. * Click on 'Upload Plugin' at the top of the page. * Click 'Choose File' * Select guardgiant.zip from your computer * Click ‘Install Now’ * Click the 'Activate' link when your download has completed. == Frequently Asked Questions == = Is this plugin compatible with Cloudflare or other CDNs = Yes. Load balancers and CDNs are known as reverse proxies. Due to the nature of these services, all visits to your website are logged with the IP address of the proxy rather than the visitor’s actual IP address. To remedy this, the visitor's IP address is provided in a 'header field' which GuardGiant will pick up and use. = What is a brute force attack = The most common threat that WordPress site owners face is a password guessing attack known as a brute force attack. A brute force attack is where an attacker uses a brute force tool (or script) to discover your password by systematically trying every possible combination of letters, numbers, and symbols until the correct password is found. A brute force attack will always work eventually, but the problem for the brute force attacker is that it may take many years to do it. Brute force prevention techniques focus on slowing down these attacks to the point where they become unviable. Using long and complex passwords (that are not dictionary words) is a good brute force attack prevention method to start with. This greatly increases the time an attacker will need and thus improves your overall login security. A common way to stop brute force attacks is to lock out the WordPress account after a defined number of failed authorization attempts (there are various brute force plugins that do this). The problem with this approach is that the site administrator ends up with unhappy users who have been locked out, often needing manual intervention to regain access. This is not sustainable or desirable for sites of any size. The modern approach to brute force prevention is to track the devices that genuine users use to log in, ensuring they are always treated kindly if they forget their password. Unrecognized devices face a progressive but temporary timed lockout. At no point are accounts permanently locked out. = Why am I getting attacked = Hackers want to gain access to your website for various reasons: * Place backlinks from your site to improve their site’s Pagerank. * Redirect your visitors to malicious sites or use your website to distribute spam and viruses. * Use your server as part of a botnet to launch DDOS attacks. * Use the same hacked account/password on other sites. * Collect personal information that they may be able to sell on other sites. * Ransomware attempt. It is not uncommon for popular WordPress websites to receive hundreds or even thousands of attacks every day. These attacks can seriously damage your reputation without some form of login lockdown or brute force protection. By using the guardgiant login security plugin, these bruteforce attacks will be met with extremely strong counter-measures to ensure the security of your WordPress website. = What level of expertize do I need to configure this plugin = This plugin is exceptionally easy to use no matter what your level of technical experience. The default settings are highly optimized to limit login attempts and prevent brute force attacks, whilst not disturbing genuine users from logging in. For advanced users, you can fully customize the behavior of the plugin to ensure it works best for your application. = Stop user enumeration = User enumeration is the precursor to a brute force attack. A hacker will attempt to find a list of valid usernames on your website, which are then used as the basis of the attack itself. Error messages must be obfuscated to stop user enumeration, making sure that the server does not disclose whether an account is valid. GuardGiant implements best practice methods to stop user enumeration. = How to view login activity on your website = The activity log provides relevant information from the past 30 days. You can filter activity log entries by: 1. Time period for all log entries you wish to see. 2. Whether the users device was trusted or not. 3. The type of login security event you wish to see: * Successful logins to your website. * Failed logins to your website. * All authorization attempts. 4. Search log entries by IP address. 5. Search log entries by username. The time and date of each security event is shown along with username, IP address, IP location, Device type and outcome/message. = Brute force attack patterns = Periodic monitoring of your activity log can help you stop brute force attacks and improve login security. Patterns that indicate a brute force attack or some other account abuse include: * User enumeration attempts (attempting to harvest usernames) * Failed login attempts using alphabetically sequential usernames or passwords * Multiple different usernames being used by the same IP address * Logins for a single account coming from many different IP addresses * Failed logins at a specific period e.g. every 5 minutes = What are the different types of brute force attack = To ensure login security and achive good brute force protection it is helpful to understand the different types of brute force attack. The simplest and most common form of brute force attack is called an exhaustive key search, where a brute force attacker tries every possible combination of characters until the correct password is found. Exhaustive key searches work against any kind of cryptography, but they can take a very, very long time. A frequently used brute force attack method called a dictionary attack takes advantage of the fact that users often choose dictionary words in their passwords (mainly becuase they are easier to remember). Lists of the most common words that are used in passwords, can easily be found on the internet. A dictionary attack is where the attacker tries every combination of these words. Brute force protection against dictionary attacks can be enhanced by requiring users to choose non-dictionary words when selecting a password. Login security protocols sometimes stipulate a requirement to have special characters, upper and lower case to ensure dictionary words are not used. = Can't I just blacklist IP addresses = A legacy approach to brute force protection involved simply blocking IP addresses by way of a 'blacklist'. When a brute force attack reached a certain number of attempts, the IP was added to a blacklist that was then banned indefinitely. There are numerous reasons why organizations do not favor this approach: * The IP address may be a proxy server or VPN. By blocking access to the IP you may be impacting thousands of users. * Most IP addresses used are dynamically assigned. You may be blocking an attacker right now, but in a few hours you will likely be blocking a genuine user. * A site administrator will likely be contacted by unhappy users that have been blocked. Unblocking IP addresses will become a tedious chore. The modern approach to brute force protection using trusted devices and temporary lockouts achieves a higher level of login security without the downsides of this legacy approach. = How to access the activity log = * First go to your WordPress Dashboard. Choose "guardgiant" in the left hand menu. * Select the activity Log. = How to change the settings for brute force protection = Login to the WordPress dashboard and select GuardGiant from the left hand menu. The **Prevent Brute Force Attacks** tab is shown. You can choose to: * Lockout user accounts for a specified time period. * Option to never lockout accounts when a user is using a trusted device. * Option to send users a security alert when there is a successful login from an unrecognized device. For bruteforce attacks from specific IP addresses you can: * Display a captcha after a specified number of failed login attempts. * Block the IP address after a certain number of failed attempts (for a specified number of minutes). * Option for a progressive block where the time increases with each failed attempt. = Should I disable XMLRPC = The XML-RPC (XML Remote Procedure Call) functionality in WordPress has become a login security backdoor for hackers trying to exploit a WordPress installation. It allows your site to be updated with a single command triggered remotely. It is recommended to disable this feature to reduce the attack surface of your site and thus improve your login security. = Should I enable google reCaptcha = Google reCaptcha provides a barrier that helps to stop brute force attacks. However, the user experience is somewhat worsened by asking to select traffic lights every time they log in. The beauty of this login security plugin is that google reCaptcha is only to deployed to specific IP addresses and only after a user defined number of failed login attempts. This is another way that GuardGiant implements brute force protection without disturbing genuine users. = Why do I need to stop user enumeration = It is important to stop user enumeration because the best levels of brute force protection are achieved by defending against all elements of an attack. To stop user enumeration GuardGiant obfuscates login error messages and disables some API calls to ensure valid usernames are not disclosed to an attacker. = Brute force protection phases = The initial phase, where a brute force attacker will run a user enumeration script to harvest usernames from your site is a critical point where intervention can render the brute force attack impossible. If you can stop user enumeration (harvesting usernames) the brute force attack will likely fail immediately. To stop user enumeration GuardGiant adds a requirement to be logged in before accessing some WordPress API calls. = Can I 'whitelist' certain IP addresses = Yes, GuardGiant supports IP address whitelists. For instance, you can whitelist the IP address of your office to ensure you always have access. Caution is urged when using whitelists as they can provide an attack vector for brute force hackers and thus weaken your login security. = Can I 'whitelist' certain users = Yes, you can whitelist individual users so that their accounts are never locked out. Caution is urged when using whitelists as they can provide an attack vector for brute force hackers and thus weaken your login security. = Will obfuscating error messages improve brute force protection = By default, WordPress login error messages indicate whether a valid username has been entered. Attackers can use this functionality to harvest a list of usernames that are then used as part of a brute force attack. Modern security implementations now recommend a generic 'incorrect username/password'. This security plugin implements obfuscation of login errors to improve your login security. = Why do I need to limit login attempts = By default, WordPress does not track or limit the number of failed login attempts that can be made. Without a security plugin or means to prevent brute force attacks, an attacker can try many thousands of login attempts in rapid succession to try to gain access. It is important to note that login security by way of the legacy approach of simply locking out users after a number of failed attempts is a poor solution that causes user frustration and can easily be exploited in a DDOS attack. This security plugin implements modern login security best practice by tracking the devices that users log on with to ensure real users are never impacted. = What is a trusted device = A trusted device is simply a device that a user has used in the past to successfully login. The device can be a smartphone, tablet or a computer. Brute force protection is improved with trusted devices because: * A user can be alerted when someone logs in to their account from a new device. * A hacker will always be treated as 'untrusted' and thus face stronger counter-measures. Login security using trusted devices is now widely adopted as it can prevent brute force attacks without impacting the user experience. = How often do sites get attacked = Once you have visibility to login security on your site, the importance of brute force protection will become more urgent. Brute force attacks have plagued the internet for years but attacks are becoming more frequent and stronger. According to the Data Breach Investigations Report 2020, 86% of brute force attacks are financially motivated and 22% of breaches are related to site misconfigurations. Most WordPress sites suffer multiple attacks every day. Without some form of brute force protection your site will likely become impacted. == Screenshots == 1. Recent login activity in the security log showing **brute force login protection**. 2. Login screen when reCaptcha has been deployed. WordPress **login brute force protection**. 3. New device sign in email. **Brute force protection** by notifying the user that their account could be compromised. 4. Main guard giant settings page. **login security**. == Changelog == = 2.2.2 = * Performance improvements. = 2.2.1 = * Added help tabs to settings pages. = 2.2.0 = * Added the ability to disable XMLRPC to reduce attack vectors. * Performance improvements. = 2.1.1 = * Improvements to the IP address geolocation feature. = 2.1.0 = * Initial release to WordPress.