7 plugins WordPress to combat attacks by force brute [Quick Guide]

3:42 pm January 9, 201715022

a brute-force attack is a simple method that uses many attempts to connect to the administration of a web site (username + password) until you get to enter.

This kind of attack is not only unique to WordPress, but the popularity of this CMS made him one of the most popular targets! By default, WordPress offers an unlimited number of connection attempt, in this article, we will see what are the effective plugins to limit the number of tests and thus to combat attacks by force brute…

Plugin Limit Login Attempts

this plugin is designed to combat the brute-force attacks by limiting the number of connection attempt and adding a Captcha verification.

Limit Login Setting

Once you have installed and activated WP Limit Login Attempts , you can find it at tab settings > WP Limit Login.  However, you will soon realize that the default values can be changed… Too bad! Therefore, your site will be blocked only 10 minutes from 5 3 and/or failed login attempts Captcha. If you want to change these values, it will go to the pro ($19) version.

Plugin Loginizer Security

Loginizer Security is a fairly comprehensive WordPress plugin that will help you to fight against brute force attacks by blocking the connection for an IP address which would have achieved the maximum threshold of attempts allowed. Once installed and active, go to the tab Loginizer Security > Brute Force that will easily allow you to set the number of attempts to connect, the blocking period and blacklist/whitelister the IP addresses of your choice. It is also in this tab you will find the list of connection errors on your site.

Loginizer Settings

It offers, in its premium version , other features such as Two Factor Auth, reCAPTCHA, PasswordLess, Rename Login Page etc… to improve the security of your site. For more information about Loginizer Security , you can read the official documentation .

Plugin Login Lockdown

the plugin Login LockDown is very easy to use. Once installed and activated, you will find its settings in the settings tab > Login LockDown .

Login Lockdown Setting

In the tab “ Settings ” you can set the number of failed connection attempts, the blocking time, the possibility of triggering a block if the user name does not exist and that to hide the default error message sent by WordPress. In the tab “ Activity ” you will find the list of connection attempts that failed. 

Jetpack Force Brute

Jetpack is a multifunction plugin that actually offers some security options including the fight against brute-force attacks (it also offers many other features, more I give you appointment here ).

Jetpack - activer force brute

To benefit from this feature, it will first install and activate the plugin, then you need to connect to your WordPress.com account. After that, you can go to the JetPack tab > settings > Security then position the button “ Protect ” on IT.

Jetpack Whitelisting

Now your site is protected against brute-force attacks. You can make a list of allowed sites (the white list) allowing you to not be “banned” from your own site! You can specify your IP address for your administration and always tab JetPack > settings > Security > Protect or from your WordPress.com account to the My Site tab > Settings > Security > Withelist. to learn more about the proposed security by JetPack, see the official guide .

Plugin iThemes Security

iThemes Security is a real Swiss knife for the protection of your WordPress site, and this, since its free version! Among its many features such as the detection of errors 404, the absent mode, blacklist, detection of change of file etc… There is of course the protection against the brute-force attacks .

iThemes Security - Settings

Once you’ve installed and activated the plugin, you must go to the Security tab > Settings > Brute Force Protect Local . A popup will open to allow you to set up this feature:

  • the maximum number of attempts by host (this is the IP address that is being targeted)
  • the maximum number of attempts by user (this is the user name that is the target)
  • the blocking period before you can retry the connection
  • the possibility to immediately ban trials in connection with the “Admin” user name

to learn more about iTheme Security, read this article dedicated to him .

Plugin Cerber Security

Cerber Security is a plugin of security available in french (partially). Once you have installed and activated, you can begin its setting from the tab settings > WP Cerber .

Cerber Security - Settings

You will then see several tabs that is very useful for the protection of your WordPress site:

  • General settings: this is where you can set the maximum number of login attempts, the duration of the block, the option “aggressive blocking”, the creation of a custom login page (customized URL), mode Citadel etc…
  • Access list: Here you can “whitelister” or “blacklist” certain IP addresses.
  • Activity: you will find the latest activities
  • blockages: list IP addresses blocked
  • Hardening: a few additional options
  • user: you can block certain users simply stating their “username”
  • reCaptcha: Here you can connect your reCaptcha API Key
  • tools: a few additional options

as iThemes Security Cerber Security is very comprehensive. If you want to know more, I give you appointment on the official website .

WPS Hide Login

WPS Hide Login is a very simple plugin to set up and yet highly effective… Indeed, if all previous extensions are binding, it is then made for you!  Developed by the team of WPServeur , WPS Hide Login is doing its job and is very effective.

WPS Hide Login Setting

Once you’ve installed and activated the plugin, it will go in the settings tab > General . Here, a small section appeared with a field to fill in. It is simply the end of the URL to connect to your WordPress administration. Change the word “login” by any other Word then save.

From now on, address http://www.mon-site.com/wp-admin/ (or wp-login) won’t work anymore. to connect it will go to http://www.mon-site.com/mon-nouveau-mot/ . And malicious robots, they will only have to continue their way since they will only find an error message!

in conclusion…

As prevention is better that cure, it would be a shame to ignore the solutions that exist to protect its site especially when they are fairly simple to implement!

However, brute force attacks is not the only methods to corrupt a site, I advise you read this article dedicated to the security of WordPress .