This is a duplicate of my 5 star review on the WordPress Security Plugin page.
The plugin in question.
Security Dashboard | Deactivate | Re-Install
|Managed by Easy Updates Manager.|
Here are some screen shots of the plunging IP and the Roving Bot figures.
The first is “Limit Login Attempts Reloaded“, with the Zero aspect of it being pretty damned good in my humble opinion: especially being as the Plugin has been reporting at least 50 lockouts per day for the last week.
My second picture shows the Control Panel of the WordPress Security Plugin page, and the plunging graph of the Bot attacks speaks volumes: click the image to get a larger picture.
My duplicate review begins here, ..
OK, from seeing at least 50 plus lockouts a day to none in 6 hours: is pretty damned good, and it’s all due to this Plugin.
To originally combat the Hacker Bots that I was seeing in the “Limit Login Attempts Reloaded” logs, I ran a hapless plugin that changed your wp-login.php filename, and to a degree, (and for a while), it worked: then the MERD literally hit the fan, because the missing wp-login file was like a red rag to a bull to these mindless Bots.
From 10 Bots a day being locked out, it then went up to over 80 on some days.
Looking at the Apache Logs showed me that they were simply circumventing the renaming plugins efforts, by getting WordPress itself to resolve my new hidden login file.
It was almost like a sport to these foreign Bots, and they were foreign: mainly China Russia, and — Sweden and Poland of all places.
I had a PHP Log file plugin installed showing me the PHP error codes that the site was producing, any and all [[submit]] buttons were targets with the GETs and POSTs becoming more and more frenetic, as were any and all long WordPress page links: the resulting quick fired mess seemed to halt the server, with the next fast fired request showing the hidden login file.
Something that the Firefox browser does as well btw.
I think that it really was a sport, because the login names being used were complete nonsense, as were the weird passwords being presented. In the end, I limited the Hackers to one failed attempt with their IP being blocked for 48 hours, but it still didn’t stop them from hammering my sites login in their hordes.
So I started searching for a solution (out of the WordPress Box), and came across Shield Security, the free version does deter the Bots to a degree, and does indeed keep a few at bay, but it’s not until you pay for a subscription and get the Pro version, that you then really see a difference.
Especially after employing the paid options that turn on:-
Probing Bots, and
Bot Behaviors, ..
With all of them ON and Immediately Block, or at least using the double offence counter, then the Bots aren’t even getting a chance to get near my site, especially the empty minded probing Botties, the (follow me tick box) is a simply wonderful Bot trap btw.
From 50 lockouts to ZERO, and in one day: the failing Bot drop-off graphs and the IP lockouts prove that the Hackers aren’t even getting near my login core files anymore.
I have to say, that it was a most amazing feeling of finally being back in control again.
1.) The dashboard is very slow to refresh: (very!)
2.) It’s as complicated as hell to navigate, with a bewildering array of options.
2a.) But just focus on the (IP Blocking menu) and then the (Login Bots) sub menus if excess hackers are trying to get in, and is your main issue.
3.) Not sure if this is a con or a plus, but you have to get a [V2] reCaptcha license from Google, as [V3] (Doesn’t work? Isn’t supported?) Dunno!
** I already have [V3], and applying for another one was kinda surreal, but Google granted me another one no worries, and after copying the two strings into the Plugin input boxes — I now had a [I’m Human] tick box on my login form: I just hope that the rest of the Plugins that do use [V3] don’t kick off.
4.) The subscription is yearly, but at 30:00 (it’s not that expensive), nevertheless: it’s a subscription, and they bug me!
1.) You can try out the Pro version for free.
2.) Without installing another Plugin, you can rename your login file from wp-login.php to whatever, thusly thwarting the hackers even further.
** But as noted above, doing this seems to make the roving Bots even more feral in nature, more aggressive once a hidden login 404 200 result is found.
2a.) Note of worth: the 404 missing file login messages sometimes aren’t even shown by the WordPress core 404 page, but are presented as a server side-error: which to my way of thinking is amazing, and btw — it’s only the missing login file that does it.
Epilogue: So, .. apart from 30:00 a year, then what do you have to lose? Well for a start those annoying pesky Hackers, this plugin really does kick them to touch. From that undeniable fact of free Bot space hanging in the air, then I have to say that I can heartily recommend this plugin, even though I do have to begrudgingly pay the yearly subscription costs that come with it, .. (But it is worth it.)