There’s no shortage of news on WordPress brute-force hacking attempts.

Out of the box, WordPress places no limit on the number or rate of login attempts it will accept.

This makes WordPress vulnerable to brute force attacks.

So how can you prevent brute-force attacks against your WordPress website?

It’s easy…

WordPress Login Cool Down – Blocks ALL Brute Force Login Attacks

There are numerous plugins that try to prevent your site from being hacked.

Some are complicated and bloated, while others are just complicated.

Our approach to WordPress security uses simple, highly effective techniques that don’t require any visitor analysis.

Our method places some hard limits on the WordPress login itself, with very little impact on the user experience: a legitimate user only ever notices it if someone else attempted a login within the last few seconds.

One such technique is a WordPress Login Cool Down.

Think about it: how often does anybody log in to your WordPress site? Not very often. On a site with a handful of users, the chances of two people attempting to log in at the same moment are very slim.

The login cool down feature is built on that observation and works as follows:

  1. When someone makes a login attempt to WordPress, we start a countdown timer, let’s say 30 seconds.
  2. Then, when anyone else attempts to log in to the site, we check the timer before checking any login credentials.
  3. If this login attempt falls within the cool down period (30 seconds), we reject it immediately, without ever comparing the submitted username and password.
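The three steps above, wired into WordPress as an added example (illustrative code written for this page, not Shield’s own implementation). It hooks the `authenticate` filter ahead of core’s credential checks, which run at priority 20, and stores the timer in a transient so it expires on its own. The hook names and WordPress functions (`add_filter`, `remove_filter`, `get_transient`, `set_transient`, `WP_Error`) are real; the `llcd_` function and constant names, the `llcd` text domain and the 30-second window are assumptions made for this illustration.

```php
<?php
/**
 * Site-wide login cool down for WordPress.
 * Illustrative example for this article; not the Shield Security plugin's code.
 *
 * Hooked on 'authenticate' at priority 1, ahead of core's own credential
 * checks (priority 20), so a request that lands inside the cool down window
 * is rejected before any password is compared.
 */

// Length of the cool down window in seconds (assumed value).
const LLCD_COOLDOWN_SECONDS = 30;

// Transient key holding the timestamp of the last login attempt (assumed name).
const LLCD_TRANSIENT_KEY = 'llcd_last_login_attempt';

/**
 * Check the timer, and start it, before credentials are examined.
 *
 * @param WP_User|WP_Error|null $user     Result of earlier 'authenticate' filters.
 * @param string                $username Submitted username (empty on a plain GET of wp-login.php).
 * @param string                $password Submitted password.
 * @return WP_User|WP_Error|null
 */
function llcd_authenticate_cooldown( $user, $username, $password ) {
    // wp-login.php calls wp_signon() even when the form was not submitted, so
    // only a real attempt (a username or password present) touches the timer.
    if ( '' === $username && '' === $password ) {
        return $user;
    }

    $last_attempt = get_transient( LLCD_TRANSIENT_KEY );

    if ( false !== $last_attempt ) {
        // Inside the window: unhook core's credential-checking filters for this
        // request so no password comparison happens at all, then fail the login.
        remove_filter( 'authenticate', 'wp_authenticate_username_password', 20 );
        remove_filter( 'authenticate', 'wp_authenticate_email_password', 20 );
        remove_filter( 'authenticate', 'wp_authenticate_application_password', 20 );

        $remaining = max( 1, (int) $last_attempt + LLCD_COOLDOWN_SECONDS - time() );

        return new WP_Error(
            'llcd_cooldown',
            sprintf(
                __( 'Login is cooling down. Please try again in %d seconds.', 'llcd' ),
                $remaining
            )
        );
    }

    // Outside the window: start the timer. The transient expires on its own,
    // so there is nothing to clean up and no IP list to maintain.
    set_transient( LLCD_TRANSIENT_KEY, time(), LLCD_COOLDOWN_SECONDS );

    // Hand off to core, which now performs the real credential check.
    return $user;
}
add_filter( 'authenticate', 'llcd_authenticate_cooldown', 1, 3 );
```

Two details worth knowing before deploying something like this. Returning a `WP_Error` from an early `authenticate` filter is not enough on its own, because core’s `wp_authenticate_username_password` only short-circuits on a `WP_User`, not on an error, and would still compare the password; that is why the example unhooks those filters for the request. And the check-then-set on the transient is not atomic, so two attempts arriving in the same instant can both pass; that costs one extra guess per window, not the whole protection.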

In this way, we effectively restrict WordPress user logins to once every 30 seconds. Note that this is a single, site-wide timer, not a counter kept per user or per IP address.

No more brute force attacks!

Can you explain exactly how WordPress Login Cool Down prevents brute-force attacks?

Sure. Brute force attacks work by trying to log in to WordPress tens, hundreds or thousands of times per second until the correct username and password combination is eventually discovered.

If this doesn’t overwhelm the web server first, the attacker can keep guessing your login details for hours.

Not so with a login cool down!

Imagine you set the login cool down period to just 1 second.

You immediately cut the attacker from hundreds of guesses per second to one per second, site-wide.

That, believe it or not, is probably enough to defeat almost any brute force attack, because such attacks rely on 100,000s of attempts over a sustained period: at one guess per second, 100,000 guesses take roughly 28 hours instead of a few minutes.

But to be safe, you’ll want to set it to at least 30 seconds; at one guess every 30 seconds, those same 100,000 attempts would take about 35 days.

Does the plugin “block” or “ban” IP addresses?

No.

There are 2 main problems with blocking IPs:

  • Processing and list maintenance – you can’t realistically maintain that data across all your sites, and every login attempt adds load while the ban list is looked up in the database.
  • IP ban lists don’t work in certain scenarios. Why? Because if your site is being hammered from a botnet (a network of hundreds or thousands of compromised computers), each login request can arrive from a different IP address, so no single address ever reaches the ban threshold. In that case, an IP ban list is completely useless.

Login Cool Down is effective because the timer is global: no matter how many IP addresses the traffic is spread across, the site still accepts only one credential check per cool down period. The flip side of a global timer is that legitimate users share the same window, so while an attack is in progress they will see the cool down message too; the credentials stay safe, but the attack is visible rather than invisible.

How to get WordPress Login Cool Down?

This feature was designed and written by us and integrated into our Shield Security plugin, which can be downloaded free from WordPress.org.

This plugin also features other security and firewall functions to protect your site.

Combining these features adds unsurpassed protection to your WordPress sites!