Skip to content Skip to main navigation Skip to footer

Brute Force Attack Protection

What is a Brute Force Attack?

You know that moment when you’re standing in front of your door, trying every key on your key ring before finally finding the right one that opens the door? A Brute Force Attack is the cyberattack equivalent of that.

A brute force attack is an activity which involves repetitive, successive attempts using various password combinations to break into a website.

The most common type of brute force attack is password guessing. Hackers try different combinations of usernames and passwords, again and again, until eventually finding the one that works and getting in.

By default, WordPress allows an unlimited number of login attempts – and hackers take advantage of this vulnerability through brute force attacks.

When running their attacks, hackers use bots or automated tools to keep guessing your login information, basically letting computers do the work for them. It’s one of the reasons why these types of attacks are extremely common.

A brute force attack is dangerous because it can slow down your website and make it inaccessible. What’s more, a successful brute force attack can give hackers access to your site’s admin area, which means they can can install malware on your site, steal sensitive user information, and delete everything on your site.

Which Websites Are Targeted by Hackers?

When it comes to brute force attacks, popular CMS platforms (e.g. WordPress, Joomla, etc.) are often targeted. Brute force attacks are also deployed against common services, such as FTP and SSH.  

Statistics show that, in recent years, WordPress has been the most affected Content Management System (CMS).

Most brute force attacks work by targeting a website (in most cases: the login page and xmlrpc file).

Typically, every common ID (e.g. “admin”) has a password. All hackers need to do is guess the password based on words in a dictionary.

Hide My WP Ghost provides several features to ensure stronger protection against Brute Force Attacks for your site.

Activate Brute Force Protection

To activate Brute Force protection, switch on Hide My WP > Brute Force > Brute Force Settings > Use Brute Force Protection

You can also Activate Brute Force Protection from the Hide My WP > Brute Force > Blocked IPs Report section by first clicking on the Activate Brute Force Protection button (shown below) and then switching on Hide My WP > Brute Force > Brute Force Settings > Use Brute Force Protection

The Activate Brute Force Protection option also works for WooCommerce sites. If you have WooCommerce installed on your WordPress site, Hide My WP Ghost will automatically detect it, in which case you will see the following:

Activate Bruce Force protection for WooCommerce login forms by switching on: Hide My WP > Brute Force > Brute Force Settings > Add WooCommerce Login Protection.

There are three main Brute Force Protection options available in Hide My WP Ghost:

  1. Math reCAPTCHA Protection
  2. Google reCAPTCHA v2. Protection
  3. Google reCAPTCHA v3. Protection

Using these options helps keep malicious software from engaging in abusive activities on your site – without creating friction for legitimate users. Legitimate users will still be able to login, view pages and make purchases, while fake users and spam traffic will be blocked.

👋You must switch on: Hide My WP > Brute Force > Brute Force Settings > Use Brute Force Protection in order for these options to become visible.

Here’s what each one of these options helps you achieve and how to activate them using Hide My WP Ghost.

Activate Math reCAPTCHA Protection

By activating this CAPTCHA, Hide My WP Ghost will display a widget requesting users to solve a mathematical problem when attempting to log in to your site (in order to prove they are human).

To activate Math reCAPTCHA Protection, got to Hide My WP > Brute Force > Brute Force Settings and select Math reCAPTCHA (as shown in the screenshot below)

You can also customize the Math reCAPTCHA widget and limit the number of failed login attempts a user can perform before he/she is temporarily locked.

The ban duration and the lockout message the user will see on the login page instead of the login form after their IP has been blocked can be customized as well.

By DEFAULT:

  • the maximum number of failed login attempts is set to: 5
  • the ban duration is set to: one hour
  • the Lockout Message that will show instead of the login form is: Your IP has been flagged for potential security violations. Please try again in a little while.

Activate Google reCAPTCHA V2 Protection

By activating this CAPTCHA, Hide My WP Ghost will display the Google reCAPTCHA V2 widget to validate requests with the “I’m not a robot” Checkbox. This will either pass the user right away (with No CAPTCHA) or challenge them to validate whether or not they are human.

To activate Google reCAPTCHA V2 Protection, got to Hide My WP > Brute Force > Brute Force Settings and select Google reCAPTCHA V2 (as shown in the screenshot below)

Here you will see the same default options that were also available in the Math reCAPTCHA, namely:

  • the maximum number of failed login attempts is set to: 5
  • the ban duration is set to: one hour
  • the Lockout Message that will show instead of the login form is: Your IP has been flagged for potential security violations. Please try again in a little while.

^^ Again, you can customize these settings as you like.

For the Google reCAPTCHA V2, Hide My WP Ghost also shows the Google reCAPTCHA V2 settings that you can use to:

  • Enter the Site Key and Secret Key

To get an API key to use reCAPTCHA, you need to register your website at – https://www.google.com/recaptcha/admin. After your domain is registered, Google provides reCAPTCHA keys.

  • Select the reCaptcha theme.

This allows you to customize the color theme of the widget, and you can choose either a Light Theme or a Dark Theme.

  • Select the language.

This allows you to specify the language for the widget; auto-detects the user’s language based on site’s language if unspecified.

To register a new reCAPTCHA V2 at Google:

Step 1: Go to https://www.google.com/recaptcha/admin#list and click to create a new reCAPTCHA.

Step 2: Enter a new Label name. Use a label of your own choice, so that it will be easy for you to identify the site in the future.

Step 3: Select the reCAPTCHA v2 and the “I’m not a robot” Checkbox. The “I’m not a robot” Checkbox requires the user to click a checkbox indicating the user is not a robot.

Step 4: Enter the domain name on which you want to use the reCAPTCHA, read and accept the terms, and click on the Submit button.

Step 5: On the next page, you will see the Site Key and the Secret Key that you need to copy into Hide My WP Ghost settings.

The Site Key is used to render the reCAPTCHA on your site or mobile application, and the Secret Key is used for server-side validation (authorizes communication between your application backend and the reCAPTCHA server to verify the user’s response). Both keys are unique to the domain for which they are registered.

Step 6: Copy/Paste the reCAPTCHA keys into the dedicated fields in Hide My WP Ghost, and make sure to Save the settings.

Once you add the keys and save the settings, a Login test button will appear under the reCAPTCHA settings. (as shown in the screenshot below)

hide my wp recaptcha login test

Final step is to: Click on the reCAPTCHA Test button and check if the login process works properly before you logout from your website.

Activate Google reCAPTCHA V3 Protection

The reCAPTCHA “I’m not a robot” Checkbox is very useful for fighting against spammers, but its one-time verification doesn’t fit every use case. With Hide My WP Ghost, you also have the option to add Google reCAPTCHA V3 protection for your site.

reCAPTCHA v3 returns a spam score for each request without user friction (the scores will be visible within your Google reCAPTCHA account). The score is based on interactions with your site and enables you to take appropriate actions in the context of your site.

You can learn more about how Google reCAPTCHA V3 works here.

To activate Google reCAPTCHA v3 Protection, got to Hide My WP > Brute Force > Brute Force Settings and select Google reCAPTCHA V3 (as shown in the screenshot below)

To register a new reCAPTCHA V3 at Google:

Step 1: Go to https://www.google.com/recaptcha/admin#list and click to create a new reCAPTCHA.

Step 2: Enter a new Label name. Use a label of your own choice, so that it will be easy for you to identify the site in the future.

Step 3: Select the reCAPTCHA v3 as the reCAPTCHA type.

Step 4: Enter the domain name on which you want to use reCAPTCHA, read and accept the terms, and click on the Submit button.

Step 5: On the next page, you will see the Site Key and the Secret Key that you need to copy into Hide My WP Ghost settings.

The Site Key is used to render the reCAPTCHA on your site or mobile application, and the Secret Key is used for server-side validation (authorizes communication between your application backend and the reCAPTCHA server to verify the user’s response). Both keys are unique to the domain for which they are registered.

Step 6: Copy/Paste the reCAPTCHA keys into the dedicated fields in Hide My WP Ghost, and make sure to Save the settings.

Once you add the keys and save the settings, a Login test button will appear under the reCAPTCHA settings. (as shown in the screenshot below)

hide my wp recaptcha login test

Final step is to: Click on the reCAPTCHA Test button and check if the login process works properly before you logout from your website.

Customization options available for Google reCAPTCHA v3: maximum fail attempts (allows you to set the number of times a user can fail to login before being temporarily blocked), ban duration (how long should the user be blocked from attempting to login again), lockout message (customize the message that will show instead of the login form for blocked users).

By DEFAULT:

  • the maximum number of failed login attempts is set to: 5
  • the ban duration is set to: one hour
  • the Lockout Message that will show instead of the login form is: Your IP has been flagged for potential security violations. Please try again in a little while.

Ban an IP address or multiple IP addresses

This feature can be used to permanently ban an IP address or multiple IP addresses from your login page.

You can enter an IP address range like 192.168.0.*, 192.168.*.* or even 192.*.*.* if you want to block an entire IP class.

Whitelist an IP address or multiple IP addresses

If you want to prevent your IP address or your team’s IP address from being blocked in case you have multiple failed login attempts, simply add those IPs in the whitelist list.

You can enter an IP address range like 192.168.0.*, 192.168.*.* or even 192.*.*.* if you want to whitelist an entire IP class.

Ban IP address

Hide My WP Ghost only blocks IP addresses from accessing the login page – NOT the entire website.

Blocked IPs Report

All Blocked IPs will show in Hide My WP > Brute Force > Blocked IPs Report. For every blocked IP, Hide My WP Ghost shows you the following information.

  • IP
  • Number of failed attempts to login
  • Hostname

You can use the Unlock ALL button to unlock all blocked IPs. There’s also the option to unlock IPs individually using the Unlock button that shows in the Options column for every IP in the report.

June 6, 2019

Related Articles