Lessons

Lesson 2 – How to Activate Brute Force Protection

In the previous lesson, you learned how to customize the common WordPress paths.

Now it’s time to learn how to protect the custom wp-login path from Brute Force attacks if you make it public for subscribers.

Note! You need to be aware that you don’t need to have just one login path. If your theme has a login path for subscribers, you can activate the theme’s security for that URL and have your own secret login path withHide My WP Ghost.

Good, now that you have set a login path in Hide My WP Ghost, it’s time to activate the Brute Force attack protection for it.

Step 1. Activate Brute Force Protection

Go to “Hide My WP > Brute Force” and switch on the feature. You will notice that the options “Math reCaptcha“, “Google reCaptcha V2” and “Google reCaptcha V3” appear. In the free version, you can only use Math Captcha, so let’s select it.

Step 2. Set the Math reCaptcha

Enter the number of failed attempts a user can have before the block message appears. The math fail attempts are not counted by the Math reCaptcha.

On every fail, the user will see the remaining number of fail attempts before the lockout occurs. If the user reaches the maximum number of fails you have set, they will not be able to access the login page for 3600 seconds (1 hour), or the number of seconds you have set in the “Ban duration” field.

You can also set the Lockout Message” to show a custom lockout message on the login page.

Step 3. Whitelist and Blacklist

This step is important when you have a static IP address and you want to prevent your IP from being banned in case you forget the password. You can also set a range of IPs you what to whitelist (192.168.0.* or 192.168.*.*) – to cover a subclass of IPs.

Also, it’s important to be able to ban an IP address or a range of IPs known to be harmful or spammers. You can add a range (e.g. 192.168.0.* or 192.168.*.*) to cover a subclass of IPs.

Step 4. Google reCaptcha V2 & Google reCaptcha V3

If you have purchased the Hide My WP Ghost version of Hide My WordPress Plugin, you can select Google reCaptcha V2 or Google reCaptcha V3 and to protect the login process using Google security.

To setup Google reCaptcha, you need to follow the link https://www.google.com/recaptcha/admin#list and create a V2 or V3 reCaptcha. Add a unique Label, select the V2 or V3 Checkbox, and add your domain to the Domains list.

Once you register the new reCaptcha domain you will be redirected to a new page where you have access to the Site Key and the Secret Key.

Copy and paste the Site and Secret keys into Hide My WP Ghost and click “Save settings”. Now you can click on the reCaptcha Test button to make sure it’s working properly and you will not be locked out from your website.

Conclusion

If you followed all the above steps, you are protected from Brute Force attacks on your login page.

Note! To increase the security, make sure you avoid usernames like “administrator” or “admin” and passwords such as “123456”, which are the first credentials the hacker bots try – it will not need a second chance to get into your website’s admin area.

Feel free to contact us with feedback and suggestions here

In the next lesson you will learn how to protect your WordPress common paths and to make sure your website is hidden from Hacker Bots.

Recent Posts

Make sure .htaccess is working with Allowoverride All

Test if .htaccess is working The simplest way to test if apache uses your .htaccess file, or if it…

3 months ago

Hide wp-admin and wp-login.php from Source Code

Hiding the wp-admin and wp-login.php paths from source code it's important especially when you use…

4 months ago

How To Change .htaccess Permission To Read Only

It is a very good idea to set read-only access to certain folders and files.…

7 months ago

Setup Hide My WP Ghost on Ploi.io Server Management

Ploi.io service is similar with RunCloud and it helps you install your WordPress websites in…

8 months ago

/upgrade.php Not Working After WordPress Auto-Upgrade.

Due to the option to hide the upgrade.php file in Hide My WP > Change…

8 months ago

WPMUDEV Server – Hide My WP Ghost Setup

Here's how to set up the Hide My WP Ghost plugin on WPMUDEV server: Configure…

8 months ago