May 23, 2014 by Paul G. | Migrated, Shield Security

Part 4: Login Protection – Shield WordPress Security Plugin


Shield has some of the most effective WordPress login-security protection available.

It blocks all brute force WordPress login attempts using simple, non-intrusive techniques; it also ensures that the identities of all logged-in users have been verified.

There is no other plugin available, either free or paid, that has login protection to this degree.

In this article I’ll explain how we do it, why it works so well, and which options you should enable.

What does the WordPress Login Guard feature protect against?

Broadly speaking, the WordPress Login Guard feature has 2 main components:

  • User Identity Verification – i.e. you are always who you say you are
  • Brute Force Login Protection – i.e. no more account hacking

We’ll outline each of these below with full details of the options available.

User Identity Verification with Multi-Factor User Authentication

As explained here, multi-factor authentication ensures that the user attempting a WordPress login is verified as the legitimate account holder. Shield primarily uses email as the basis for this verification.

It offers 3 methods of two-factor authentication which can be used together to form multi-factor authentication.

  • Email
  • Yubikey
  • U2F Login Authentication

Email-Based Two-Factor Authentication

Email-based 2FA is one of the best ways to secure account access, for any platform, WordPress included.

Once a login has been verified with an emailed 2FA code, the plugin checks on every page load that the logged-in user is still connecting from the same location (the connecting address) as at the time of verification. A verified session is therefore tied to one location only.

For example, you can log in with the same username using Firefox and Chrome on the same computer, but you will have to verify your identity twice, once per browser, because each browser holds its own session and every session is verified separately.

When you enable this feature in Shield, you can either

  1. enforce email-based 2FA on all users or specific roles; or
  2. allow any user to turn it on from their profile.

How to use email-based 2FA with Shield
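The flow described above (a mailed code that must be entered once, after which the session stays pinned to the address it was verified from) can be modelled in a few functions. The following is an added example written for this article, not Shield’s own code; the key, the code length, the 300-second lifetime and the session IDs and addresses used in the walk-through are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Assumed values for this example; a real plugin would load the key from
# its configuration and keep it out of the web root.
SERVER_KEY = b"constructed-demo-key-replace-in-production"
CODE_TTL_SECONDS = 300


def _code_hash(code: str, session_id: str) -> str:
    # Bind the hash to the session so a code mailed for one session cannot be
    # replayed into another (e.g. a second browser on the same machine).
    msg = f"{session_id}:{code}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_code(store: dict, session_id: str, remote_ip: str, now: float) -> str:
    """Called right after the password check succeeds. Returns the 6-digit
    code to put in the e-mail; only its keyed hash is kept server-side."""
    code = f"{secrets.randbelow(10 ** 6):06d}"
    store[session_id] = {
        "code_hash": _code_hash(code, session_id),
        "expires": now + CODE_TTL_SECONDS,
        "ip": remote_ip,        # the 'location' this session is pinned to
        "verified": False,
    }
    return code


def verify_code(store: dict, session_id: str, submitted: str, now: float) -> bool:
    """Single-use, time-limited, constant-time comparison."""
    entry = store.get(session_id)
    if entry is None or entry["code_hash"] is None or now > entry["expires"]:
        return False
    if not hmac.compare_digest(entry["code_hash"], _code_hash(submitted, session_id)):
        return False
    entry["verified"] = True
    entry["code_hash"] = None   # a code that worked once must not work twice
    return True


def session_is_verified(store: dict, session_id: str, remote_ip: str) -> bool:
    """The per-page-load check: the session must have been verified AND the
    request must come from the same address as at verification time."""
    entry = store.get(session_id)
    return bool(entry and entry["verified"] and entry["ip"] == remote_ip)


def demo() -> dict:
    """Walk through the flow with constructed session IDs and addresses."""
    store = {}
    t0 = 1_700_000_000.0
    code = issue_code(store, "sess-firefox", "203.0.113.10", t0)
    wrong = "000000" if code != "000000" else "000001"
    results = {
        "wrong_code": verify_code(store, "sess-firefox", wrong, t0 + 1),
        "right_code": verify_code(store, "sess-firefox", code, t0 + 2),
        "replayed_code": verify_code(store, "sess-firefox", code, t0 + 3),
        "same_location": session_is_verified(store, "sess-firefox", "203.0.113.10"),
        "other_location": session_is_verified(store, "sess-firefox", "198.51.100.7"),
        "other_browser": session_is_verified(store, "sess-chrome", "203.0.113.10"),
    }
    # A code that is not used in time expires.
    late = issue_code(store, "sess-late", "203.0.113.10", t0)
    results["expired_code"] = verify_code(store, "sess-late", late, t0 + CODE_TTL_SECONDS + 1)
    return results
```

Two details matter in practice: the comparison uses `hmac.compare_digest` rather than `==` so a guess cannot be timed, and the stored hash is cleared on first success so a code lifted from a mailbox later is worthless. The address check is what the article calls the location check: a second browser (a different session) or a changed address both fail it and must verify again.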

Yubikey-Based Two-Factor Authentication

Yubikey is a hardware-based two-factor authentication device. It provides a completely independent verification channel that is not tied to an email address or user account of any kind.

Each key generates one-time passwords (OTPs) that are verified against Yubico’s online OTP validation service at the time of WordPress login.

We recommend Yubikeys as a highly effective and cost-efficient authentication system, and have also implemented them for the iControlWP WordPress Management system.

Yubikey Unique Keys and WordPress Users

Before Yubikey authentication can be used, you must obtain an API client ID and secret key from Yubico. An explanation of how to do that can be found here.

Once this is done, you can begin assigning WordPress usernames to the Yubikeys themselves. This is done, as shown in the screenshot, by pairing a WordPress username with the Yubikey’s unique 12-character ID, separated by a comma.

A Yubikey ID is simply the first 12 characters of any OTP the key produces (its public identity; the remaining 32 characters change on every press). You may assign multiple Yubikey IDs to the same user by taking a new line and repeating the username with the alternative ID.
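The two pieces that make this work are parsing the username/ID list and, at login, checking that the OTP’s public ID is one registered for the user who is logging in (so one user’s valid key cannot unlock another user’s account) before the OTP itself is sent off to Yubico’s validation service. The example below is added here and is not Shield’s code; it implements the Yubico validation protocol v2.0 request signature (HMAC-SHA1 over the sorted parameters) as a generic client would. The usernames, key IDs, OTP, client ID and API key are constructed for the illustration, and the “service response” is signed locally purely so the example runs offline.

```python
import base64
import hashlib
import hmac
import secrets

# Yubikey OTPs are written in "modhex", a 16-letter alphabet chosen to survive
# any keyboard layout. A full OTP is 44 characters: 12-character public ID
# followed by 32 characters that change with every press.
MODHEX = frozenset("cbdefghijklnrtuv")


def parse_key_map(text: str) -> dict:
    """Parse the 'username,yubikey_id' lines into {username: {id, ...}}.
    Several lines may name the same user (one per key)."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if "," not in line:
            raise ValueError(f"expected 'username,yubikey_id', got {line!r}")
        user, key_id = (part.strip() for part in line.split(",", 1))
        key_id = key_id.lower()
        if len(key_id) != 12 or not set(key_id) <= MODHEX:
            raise ValueError(f"bad Yubikey ID for user {user!r}: {key_id!r}")
        mapping.setdefault(user, set()).add(key_id)
    return mapping


def public_id(otp: str) -> str:
    """Extract the 12-character public ID, rejecting anything that is not
    shaped like a Yubikey OTP."""
    otp = otp.strip().lower()
    if len(otp) != 44 or not set(otp) <= MODHEX:
        raise ValueError("not a Yubikey OTP")
    return otp[:12]


def otp_assigned_to(mapping: dict, username: str, otp: str) -> bool:
    """Check the key's public ID against the IDs registered for THIS user."""
    try:
        return public_id(otp) in mapping.get(username, set())
    except ValueError:
        return False


def yubico_signature(params: dict, api_key_b64: str) -> str:
    """Yubico validation protocol v2.0: HMAC-SHA1 over the parameters sorted
    by name and joined with '&', excluding 'h' itself, base64-encoded."""
    key = base64.b64decode(api_key_b64)
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha1).digest()).decode()


def build_verify_request(client_id: str, otp: str, api_key_b64: str) -> dict:
    """Query parameters for the validation service, signed with the API key."""
    params = {"id": client_id, "otp": otp, "nonce": secrets.token_hex(16)}
    params["h"] = yubico_signature(params, api_key_b64)
    return params


def response_is_good(request: dict, response: dict, api_key_b64: str) -> bool:
    """Accept the service's answer only if its signature verifies and it
    echoes our own otp and nonce (anti-replay) with status OK."""
    if not hmac.compare_digest(response.get("h", ""), yubico_signature(response, api_key_b64)):
        return False
    return (response.get("otp") == request["otp"]
            and response.get("nonce") == request["nonce"]
            and response.get("status") == "OK")


def demo() -> dict:
    # Constructed data: two users, one of them with two keys.
    key_map = parse_key_map("alice,cccccclvvvbc\nalice,ccccccbchvth\nbob,cbdefghijkln\n")
    alice_otp = "cccccclvvvbc" + "tgfbkntvkbdehlrlgdkbiifcctgthvjv"   # constructed
    api_key = base64.b64encode(b"constructed-demo-api-key").decode()  # not a real key

    request = build_verify_request("12345", alice_otp, api_key)
    # What a well-formed OK answer from the service would look like, signed
    # here with the same key purely so the example runs offline.
    ok = {"otp": alice_otp, "nonce": request["nonce"], "status": "OK",
          "t": "2014-05-23T10:00:00Z0000", "sl": "100"}
    ok["h"] = yubico_signature(ok, api_key)
    tampered = dict(ok, status="REPLAYED_OTP")          # status edited, h now stale
    return {
        "alice_ok": otp_assigned_to(key_map, "alice", alice_otp),
        "bob_with_alice_key": otp_assigned_to(key_map, "bob", alice_otp),
        "garbage_otp": otp_assigned_to(key_map, "alice", "password123"),
        "good_response": response_is_good(request, ok, api_key),
        "tampered_response": response_is_good(request, tampered, api_key),
    }
```

The order matters: the local public-ID check happens first and costs nothing, so an OTP from a key that is not assigned to the account never even generates a request to the validation service; and the response is only trusted once its signature, nonce and OTP all match, which stops an attacker on the network path from replaying or rewriting an answer.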

U2F Login Authentication

U2F (Universal 2nd Factor) is an open standard for simplifying 2FA. You may already have a U2F device, such as a Yubikey or a Google Titan Security Key. If you don’t, we highly recommend getting at least one.

These are hardware devices that let you verify your login/identity using 2-factor authentication.

To allow users to register U2F devices to complete their login, simply go to the Login Guard module of the Shield plugin > Hardware 2FA and enable the ‘Allow U2F’ feature.

How to allow users to register U2F devices to complete their login

Once you’ve done this, you’ll see a button in your WordPress user profile to register a new U2F device.

How to register your U2F device on your WordPress user profile

Click this button and the U2F registration process will begin.

There is more information on U2F here.

Note: U2F is a little more complex than other solutions but we’ve taken on the challenge of implementing U2F login for ShieldPRO. We’re tagging it as “experimental” so while you’ll be able to use it, you can’t have it as the only 2FA option on your user account (so you don’t get locked out).


Brute Force Hacking Protection

Our Approach To Brute Force Login Protection Explained

In the last few years there have been a number of reports of brute force login attacks against WordPress websites. The reason is simple: WordPress is now so prevalent that a system built to attack it has by far the largest pool of targets, and therefore the best odds of success.

The Shield plugin blocks and limits brute force login attempts using 3 separate and highly effective techniques:

  • two-factor authentication – a correct password on its own no longer yields a session, so a bot has no way of knowing it has guessed correctly when a second authentication stage stands in the way.
  • login cool-down system – probably the most powerful system for brute force login prevention. It works by completely blocking login to the site, from any source, until a given number of seconds have passed since the previous attempt.
  • Javascript bot-blocking (GASP) – uses Javascript on the login form to dynamically create a check-box that a user must click.

None of these approaches uses the database to store IP address lists for blocking. IP addresses don’t matter and should not be used as the foundation of a WordPress security policy.

Read that again, because you’re probably so conditioned to think of IP blocking etc. that you believe this without even thinking about it.

Furthermore, if your website is being attacked by a distributed (meaning thousands of IP addresses) system of bots, blocking login attempts based on IP address is utterly futile, and only adds load to your server because of all the database writing and look-ups.

With Shield development, we took a step back and thought about the nature of the most recent attacks on WordPress. We concluded that IP addresses are not a sound foundation upon which protection should be designed.

That said, we do use the connecting address as the basis for identifying verified users. But this is completely different: the IP address isn’t used to block, but rather to accept and match a user session to a verified identity.

There are 2 options dedicated to preventing brute force attacks on the login of your WordPress sites, and we recommend you enable both of them unless, for whatever reason, they interfere with how you use your site.

Option: WordPress Login Cool Down

This feature alone should be enough to block all brute force login attempts.

The value you decide on here is the time, in seconds, that WordPress will be forced to wait before processing another login attempt, from anyone, after the previous attempt.

WordPress Shield Security Brute Force Protection: Login Cooldown option

Without a cool-down feature, bots connecting from anywhere can try and authenticate with your site as much and as often as they can.  Let’s take an example…

Say a bot tries 10 times a second without overloading your server:

  • In 1 minute, that’s 600 attempts.
  • In 1 hour, that’s 36000 attempts.
  • In 1 day, that’s 864000.
  • At that rate it takes only about 1.16 days to make a million requests to your site.

Instead, if you enforce a minimum of 5 seconds between login attempts, a million requests would take nearly 60 days (5,000,000 seconds). Way better! And it gets better the longer you make your cool-down period.

And, it doesn’t use the database to store attempts and counts etc., or care about IP addresses, or anything like that. It’s very efficient!
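To make the mechanism concrete, here is an added example (written for this article, not Shield’s own implementation) of a cool-down gate whose only state is the modification time of one marker file: no database rows, no per-IP lists. The marker path, the injectable millisecond clock and the bot replay are assumptions made so the arithmetic above can be reproduced; `simulate_bot` replays a 10-attempts-per-second bot for a minute and counts how many attempts get as far as a password check.

```python
import os
import tempfile
import time


class LoginCooldown:
    """Site-wide gate: at most one login attempt per `cooldown_s` seconds,
    whoever is knocking. The only state is one marker file's modification
    time, so there are no database rows and no per-IP bookkeeping. This is
    an illustration of the idea, not Shield's own code."""

    def __init__(self, cooldown_s: float, marker_path: str, clock_ms=None):
        self.cooldown_ms = int(cooldown_s * 1000)
        self.marker = marker_path
        # Injectable clock (milliseconds) so the behaviour can be simulated.
        self.clock_ms = clock_ms or (lambda: time.time_ns() // 1_000_000)

    def _last_attempt_ms(self):
        try:
            return os.stat(self.marker).st_mtime_ns // 1_000_000
        except FileNotFoundError:
            return None

    def try_attempt(self) -> bool:
        """True: this attempt may go on to the password check.
        False: it arrived inside the cool-down window and is refused outright,
        before any user lookup or password hashing happens."""
        now = self.clock_ms()
        last = self._last_attempt_ms()
        if last is not None and now - last < self.cooldown_ms:
            return False
        with open(self.marker, "a"):
            pass
        os.utime(self.marker, ns=(now * 1_000_000, now * 1_000_000))
        return True


def simulate_bot(cooldown_s: float, attempts_per_s: int, duration_s: int) -> int:
    """Replay a bot hammering the form at a fixed rate against a fresh gate
    and return how many attempts actually reach the password check."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    os.remove(path)                       # start with no previous attempt
    t = [0]
    gate = LoginCooldown(cooldown_s, path, clock_ms=lambda: t[0])
    accepted = 0
    step_ms = 1000 // attempts_per_s
    try:
        for i in range(attempts_per_s * duration_s):
            t[0] = i * step_ms
            if gate.try_attempt():
                accepted += 1
    finally:
        if os.path.exists(path):
            os.remove(path)
    return accepted


def days_for_attempts(attempts: int, seconds_between: float) -> float:
    """How long a given number of attempts takes when each must wait."""
    return attempts * seconds_between / 86_400


if __name__ == "__main__":
    print("no cool-down, 1 minute:", simulate_bot(0, 10, 60), "attempts processed")
    print("5 s cool-down, 1 minute:", simulate_bot(5, 10, 60), "attempts processed")
    print("days per million at 5 s:", round(days_for_attempts(1_000_000, 5), 1))
```

Two caveats a practitioner should keep in mind. The gate is deliberately global, so while a bot is hammering the form a legitimate user’s attempt can land inside the window and be refused too; that is the trade-off behind the lock-out question in the comments below. And the stat-then-utime pair is not atomic, so two requests arriving within the same millisecond could both pass; keep the marker file outside the web root, and take a file lock around the check if that race matters to you.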

Apart from the Shield’s Login Cool Down feature, there’s another powerful way to put a stop to bots and visitors that abuse your website and your hosting resources. It’s called Traffic Rate Limiting protection for WordPress. This is where you restrict the number of requests a single visitor can make against your site, within a certain period of time.

Option: Login GASP Protection

A few years back, a nice idea was crafted to help block spam-bots from automated posting of comments to a site. It was based on the simple principle that most spam bots don’t/can’t process Javascript.

It was coined the G.A.S.P. comment protection. We have adapted this feature and improved its resiliency against spambots and use this in our comments filtering feature.

But, we thought, why not add exactly the same protection to the WordPress login form? It was highly-effective with comments, why not with logins?

So we did.

WordPress Shield Security GASP Login Protection

When enabled, it will add a checkbox to the WordPress login form that requires users to click it.

WordPress Login Form With GASP Protection

This checkbox is created using Javascript, which makes it easy for Shield to detect bots: an automated client that posts straight to the login form without running Javascript never creates the checkbox, so its submission arrives unchecked. Simple, and highly effective!
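Both halves of that idea, the served form whose markup contains no checkbox at all and the server-side check that runs before the password is looked at, are shown in the added example below. It is written for this article and is not Shield’s implementation; the per-form token, the way the checkbox name is derived from it with a server-side key, and the sample submissions are all assumptions made for the illustration. The refusal text is the message quoted in the comments on this page.

```python
import hashlib
import hmac
import html
import secrets
from typing import Optional

# Assumed server-side secret; a real plugin would load it from configuration.
SERVER_KEY = b"constructed-demo-key-replace-in-production"
REFUSAL = "You must check that box to say you're not a bot."


def new_form_token() -> str:
    """A fresh token per rendered form; the checkbox's field name is derived
    from it, so the name cannot be hard-coded in a bot."""
    return secrets.token_hex(8)


def checkbox_name(form_token: str) -> str:
    digest = hmac.new(SERVER_KEY, form_token.encode(), hashlib.sha256).hexdigest()
    return "gasp_" + digest[:16]


def render_login_form(form_token: str) -> str:
    """The served HTML. The checkbox does not exist in the markup at all;
    only a script that a real browser executes creates it."""
    name = checkbox_name(form_token)
    return f"""<form method="post" action="/wp-login.php">
  <input type="text" name="log"> <input type="password" name="pwd">
  <input type="hidden" name="gasp_token" value="{html.escape(form_token)}">
  <span id="gasp-slot"></span>
  <script>
    var box = document.createElement('input');
    box.type = 'checkbox'; box.name = '{name}'; box.value = 'Y';
    var slot = document.getElementById('gasp-slot');
    slot.appendChild(box);
    slot.appendChild(document.createTextNode(" I'm a human"));
  </script>
  <input type="submit" value="Log In">
</form>"""


def gasp_check(post: dict) -> Optional[str]:
    """Server-side half: run on every POST to the login form *before* the
    password is checked. Returns None when the submission passes, otherwise
    the message to show."""
    token = post.get("gasp_token", "")
    if not token or len(token) != 16:
        return REFUSAL                     # never fetched the form
    if post.get(checkbox_name(token)) != "Y":
        return REFUSAL                     # box never created or never ticked
    return None


def demo() -> dict:
    # Constructed submissions, as the login handler would see them.
    token = new_form_token()
    form_html = render_login_form(token)
    browser_post = {"log": "alice", "pwd": "hunter2", "gasp_token": token,
                    checkbox_name(token): "Y"}
    blind_bot_post = {"log": "admin", "pwd": "123456"}            # never loaded the page
    scraped_post = {"log": "admin", "pwd": "123456", "gasp_token": token}  # loaded it, no JS
    forged_post = {"log": "admin", "pwd": "123456", "gasp_token": "0" * 16,
                   checkbox_name("ffff"): "Y"}                      # guessed a name
    return {
        "checkbox_in_markup": 'type="checkbox"' in form_html,
        "browser": gasp_check(browser_post),
        "blind_bot": gasp_check(blind_bot_post),
        "scraped": gasp_check(scraped_post),
        "forged": gasp_check(forged_post),
    }
```

Be clear about what this does and does not stop: a bot that posts credentials straight at wp-login.php, or that fetches the page but does not run scripts, is refused before any password is checked; a headless browser that executes the script, or a bot written to pull the field name out of the script text, would pass, which is why the technique relies on most bots not bothering. The same check also explains the “checkbox is not present” report in the comments: a custom login form that never lets the plugin inject its script still hits the server-side test and is refused.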

Shield security offers High Grade Login Protection

As you can see from the explanation of these options, the Shield plugin offers extremely effective protection against WordPress login attacks, and provides tried and tested methods for verifying the identity of users active on the system.

We’ve chosen to take a fresh approach to solving WordPress brute force hacking attempts, rather than follow the herd and create a copy-cat security system that adds weight and load to your already burdened WordPress system.

We’re always open to feedback about new ways to improve our Login Protection and two-factor authentication options, so please leave a comment below if you have ideas or suggestions for us.


Comments (5)

    Hi,

    how do you ensure you do not lock yourself out with the Login Cool Down system while some bots are tampering with the login page?

    Are you also protecting the xmlrpc.php in any way?

      There’s nothing you can do about that unfortunately if the bots are cracking away at your page. Most bots would get blocked by the automatic blacklist if they’re repeatedly hitting you with this.

      As to XML-RPC, we have a couple of options ranging from by-passing the login/user sessions systems to completely disabling it:
      https://www.icontrolwp.com/2015/10/automatically-block-brute-force-amplification-attacks-against-wordpress-xmlrpc/

    I am hitting “You must check that box to say you’re not a bot.”.

    However the check box is not present in the login screen.

      This will happen if you’re using a custom login form that doesn’t honour/fire the standard WordPress login hooks/filters.

    Hi, my blogs have been undergoing a series of heavy brute force attacks, as my host said. I have Wordfence and Shield installed. Would Shield clash with Wordfence? With the two installed, I am still experiencing very heavy attacks that have kept bringing down the whole server over the past 1-2 weeks. And it happened again last night and the night before. It seemed to come very fast and furious. I was very puzzled, as I have used Shield to change the default /wp-login.php page to /xxxx, and yet I was still getting reports from Wordfence of people trying to access it. Your post is enlightening … at least now I know an attacker doesn’t have to be at my site url/wp-login.php to login. Please kindly advise what I can do, as I am at a loss here. Thank you.
