For some years I've used and recommended the Login Lockdown plugin.
It's designed to protect your WordPress website from brute force attacks by locking out any IP address that makes more than a specified number of unsuccessful login attempts within a given period of time.
However, Login Lockdown hasn't been updated in nearly three years, which strongly suggests its author has abandoned it, so I recently went in search of a replacement.
And what I found has proved fantastic.
It's the Wordfence Security plugin, by Mark Maunder, and it's an entirely different animal to Login Lockdown.
In addition to an expanded range of login security functions, Wordfence also offers firewall protection and daily scans of your site covering:
- Comments containing phishing or malware links
- Comparisons of WordPress, plugin and theme files on your site against the versions in the repositories
- Posts containing known malware URLs
- Plugins and themes that are outdated
- Unauthorised DNS changes
- Backdoors, trojans and suspicious code in your site files
The firewall can be configured to block or throttle requests from any source that exceeds thresholds you define (requests per second or per minute), and it applies separate limits to Google's crawlers, other crawlers and human visitors.
It scans your site once a day and alerts you to any problems it finds, and you can choose which kinds of alert you want to receive.
Altogether, it's the most comprehensive set of security functions in a single plugin that I've yet found.
And here's why I'm so pleased that I have it installed: at least twice a day, occasionally more, I receive an alert telling me that Wordfence has blocked someone from logging in to this site because they exceeded the specified number of unsuccessful login attempts.
That means that, at least twice a day, an unauthorised individual (or more likely a bot) is attempting to log in to my site, and you can bet your entire business and house on the fact that they have malicious intentions!
If you have ever queried the need to change your login username to something long and complicated, or the need for strong passwords, let that statistic alone be a warning:
It demonstrates that the bad guys are continually looking for ways into un-protected WordPress-based websites that they can then use for their own criminal reasons.
For your own (or your website's) security, check the second half of this article. Under the heading 'How do I prevent my site from being compromised again' I've set out some straightforward steps you can take that will help to protect your site from those pesky hackers.
Important: If you're still using Login Lockdown, which is a plugin I've recommended for some time, please replace it with Wordfence as soon as you can.
Update - 18 October, 2012
I recently checked an extra check-box in the Login Protection section of the plugin. It's the 'Immediately block IP's attempting to log in with an invalid user name' option.
Whether it's coincidence or not I don't know, but I'm now getting an average of 35 blocked login attempts each day from IPs using the username 'admin' or 'Admin'.
That just illustrates how important it is to change that default username! Do so now, if you still have a user with the username 'admin'. Here's how:
- Log in and create a new user with the Administrator role, giving it a username that isn't 'admin'.
- Log out, then log in with the new account to confirm that it works.
- Delete the user 'admin'. When WordPress asks what to do with its content, choose to attribute all posts to your new user rather than deleting them.
- Change the new user's Nickname and select it as the 'Display name publicly as' value, so that your login username is not shown on your posts for anyone to read.
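To make the lockout rules concrete, here is an added example (my own illustration, not Wordfence's or Login Lockdown's code) that models the two behaviours described on this page: an IP address is locked out once it exceeds a number of failed logins within a sliding time window, and, when the 'invalid user name' option from the 18 October update is switched on, it is blocked the instant it tries a username that doesn't exist. The thresholds, the IP addresses and the sequence of login events are all constructed for the demonstration; the names `LockoutPolicy`, `LoginGuard` and `run_demo` are mine.

```python
"""Model of per-IP login lockout (added example, not Wordfence's own code).

Rules modelled:
  * lock an IP out after `max_failures` failed logins inside a sliding
    `window_seconds` window, for `lockout_seconds`;
  * optionally lock an IP out immediately when it tries a username that
    does not exist on the site (the 'invalid user name' option).
All thresholds and events below are constructed for the demo.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    max_failures: int = 5                 # failed attempts allowed per IP ...
    window_seconds: int = 300             # ... within this sliding window
    lockout_seconds: int = 1800           # how long a locked IP stays locked
    block_invalid_username: bool = False  # the "invalid user name" option


class LoginGuard:
    """Tracks failed logins per IP and decides whether to lock the IP out."""

    def __init__(self, policy: LockoutPolicy, valid_usernames):
        self.policy = policy
        self.valid = set(valid_usernames)
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time at which the lockout expires
        self.alerts = []                    # what the site owner would be emailed

    def _lock(self, ip, now, reason):
        self.locked_until[ip] = now + self.policy.lockout_seconds
        self.failures.pop(ip, None)         # counting restarts after the lockout
        self.alerts.append(f"t={now}: blocked {ip} ({reason})")

    def is_locked(self, ip, now):
        expires = self.locked_until.get(ip)
        if expires is None:
            return False
        if now >= expires:                  # lockout has run out; forget it
            del self.locked_until[ip]
            return False
        return True

    def attempt(self, now, ip, username, password_ok):
        """Process one login attempt; returns 'locked', 'blocked', 'failed' or 'ok'."""
        if self.is_locked(ip, now):
            return "locked"                 # dropped before any password check
        if username not in self.valid:
            if self.policy.block_invalid_username:
                self._lock(ip, now, f"invalid username {username!r}")
                return "blocked"
            password_ok = False             # an unknown user can never authenticate
        if password_ok:
            self.failures.pop(ip, None)     # a successful login clears the history
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.policy.window_seconds:
            recent.popleft()                # drop failures that fell out of the window
        if len(recent) >= self.policy.max_failures:
            self._lock(ip, now, f"{len(recent)} failed logins in "
                                f"{self.policy.window_seconds}s")
            return "blocked"
        return "failed"


# Constructed sample events: (time in seconds, ip, username, password_ok).
# 203.0.113.7 is a bot hammering the default 'admin' account, which no longer
# exists on this site; 198.51.100.20 is the real owner mistyping twice.
SAMPLE_EVENTS = [
    (0,    "203.0.113.7",   "admin",     False),
    (10,   "203.0.113.7",   "admin",     False),
    (20,   "203.0.113.7",   "Admin",     False),
    (30,   "203.0.113.7",   "admin",     False),
    (40,   "203.0.113.7",   "admin",     False),
    (50,   "203.0.113.7",   "admin",     False),
    (60,   "198.51.100.20", "siteowner", False),
    (70,   "198.51.100.20", "siteowner", False),
    (80,   "198.51.100.20", "siteowner", True),
    (2000, "203.0.113.7",   "admin",     False),  # lockout expired; bot is back
]


def run_demo(policy: LockoutPolicy):
    """Replay SAMPLE_EVENTS under `policy`; returns (outcomes, alerts)."""
    guard = LoginGuard(policy, valid_usernames={"siteowner"})
    outcomes = [guard.attempt(*event) for event in SAMPLE_EVENTS]
    return outcomes, guard.alerts


if __name__ == "__main__":
    for flag in (False, True):
        outcomes, alerts = run_demo(LockoutPolicy(block_invalid_username=flag))
        print(f"block_invalid_username={flag}: {outcomes}")
        for line in alerts:
            print("  alert:", line)
```

With the option off, the bot gets five free guesses before the fifth failure locks it out, and after the lockout expires it gets five more; with the option on, the very first attempt against a username that doesn't exist locks the IP, which is exactly why removing the 'admin' account turns every one of those attempts into an instant block.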