After the recent global distributed botnet attack on WordPress installations that took down servers and broke into admin accounts, I thought I’d write a plugin to prevent it happening again.
Distributed botnet attacks can come from multiple IP addresses and locations at the same time, so conventional IP-based lockouts are not effective (e.g. those found in Wordfence and other WordPress security plugins).
For example, if 1,000 different computers (with unique IP addresses) are trying to brute-force your admin password and you lock out each IP address after 5 incorrect attempts then you have still allowed 5,000 attempts. My plugin essentially ignores the different IP addresses and locks out all admin login attempts in a configurable way – so if you have it set to 5 failed attempts (default) then those 1,000 different computers will only have a total between them of 5 attempts.
You can select how many login failures causes the lockout, how much time to allow between failures, how long to block logins for and also you can input a whitelisted IP address (or multiple addresses separated with commas or spaces) which can bypass the lockdown and always log in – so you can still always get into your site even in the middle of an attack. Version 1.1 adds support for partial IP address matching for those with dynamic IP addresses.
- Any failed login is counted regardless of username or IP address (unless whitelisted)
- Once locked down, nobody can log in except from whitelisted IP addresses
- You can specify the number of login failures that triggers a lockdown
- You can specify the time between failed attempts that should be counted
- You can specify how long the lockdown should last
- You can add whitelisted IP addresses that bypass the lockdown
- Partial IP address matching for dynamically-allocated IP addresses
- Multisite compatible
- Now available in French, German, Italian and Russian