The only plugin with 100% brute force protection that doesn't lock out genuine users.
The only plugin with 100% brute force protection that doesn’t lock out genuine users.
This security plugin implements an approach used by large websites such as Facebook, Google etc.
When a genuine user makes a successful login to their account using their mobile phone, tablet, or computer GuardGiant starts treating their device as Trusted.
GuardGiant uses a range of strong counter-measures to limit login attempts from unrecognized devices. The default behaviour is:
All behavior is fully customizable to achieve the level of brute force protection that you require.
A fully featured security log gives you visibility to login attempts on your site.
This login history log should form an essential part of your brute force login protection plan. GDPR compliant.
This security plugin implements various improvements recommended by the Open Web Application Security Project® (OWASP) to keep your site safe:
This security plugin is exceptionally easy to use no matter what your level of technical expertise.
The default settings are highly optimized, designed to prevent brute force attacks whilst not disturbing genuine users from logging in. Advanced users can fully customize the behavior of this plugin to suit their own environment.
The most common threat that WordPress site owners face is a password guessing attack known as a brute force attack.
A brute force attack is where an attacker uses a brute force tool (or script) to discover your password by systematically trying every possible combination of letters, numbers, and symbols until the correct password is found. A brute force attack will always work eventually, but the problem for the brute force attacker is that it may take many years to do it.
Brute force prevention techniques focus on slowing down these attacks to the point where they become unviable.
Using long and complex passwords (that are not dictionary words) is a good brute force attack prevention method to start with. This greatly increases the time an attacker will need.
A common way to stop brute force attacks is to lock out the WordPress account after a defined number of failed authorization attempts (there are various brute force plugins that do this).
The problem with this approach is that the site administrator ends up with unhappy users who have been locked out, often needing manual intervention to regain access. This is not sustainable or desirable for sites of any size.
The modern approach to brute force prevention is to track the devices that genuine users use to log in, ensuring they are always treated kindly if they forget their password. Unrecognized devices face a progressive but temporary timed lockout.
Periodic monitoring of your security audit log can help you stop brute force attacks.
Here are patterns that indicate a brute force attack or some other account abuse:
How to install the GuardGiant brute force protection plugin
Using the WordPress dashboard
Uploading files via the WordPress Dashboard
First, download the GuardGiant brute force prevention plugin file to your computer.
Recent login activity in the security log showing brute force login protection.
Login screen when reCaptcha has been deployed. WordPress login brute force protection.
New device sign in email. Brute force attack prevention by notifying the user that their account could be compromised.
Main guard giant settings page. A WordPress security plugin.
This plugin is exceptionally easy to use no matter what your level of technical experience. The default settings are highly optimized to limit login attempts and prevent brute force attacks, whilst not disturbing genuine users from logging on.
For advanced users, you can fully customize the behavior of the plugin to ensure it works best for your application.
Yes.
Load balancers and CDNs are known as reverse proxies. Due to the nature of these services, all visits to your website are logged with the IP address of the proxy rather than the visitor’s actual IP address. To remedy this, the visitor’s IP address is provided in a ‘header field’ which GuardGiant will pick up and use.
Hackers want to gain access to your website for various reasons:
It is not uncommon for popular WordPress websites to receive hundreds or even thousands of attacks every day.
These attacks can seriousy damage your reputation if they are allowed to succeed.
By using the guardgiant security plugin, these bruteforce attacks will be met with extremely strong counter-measures
to ensure the security of your WordPress website.
The security audit log provides relevant information from the past 30 days.
You can filter security log entries by:
Time period for all log entries you wish to see.
Whether the users device was trusted or not.
The type of security event you wish to see:
Search log entries by IP address.
Search log entries by username.
The time and date of each security event is shown along with username, IP address, IP location, Device type and outcome/message.
Login to the WordPress dashboard and select GuardGiant from the left hand menu.
The Prevent Brute Force Attacks tab is shown. You can choose to:
For bruteforce attacks from specific IP addresses you can:
The XML-RPC (XML Remote Procedure Call) functionality in WordPress has become a backdoor for hackers trying to exploit a WordPress installation.
It allows your site to be updated with a single command triggered remotely.
It is recommended to disable this feature to reduce the attack surface of your site.
Google reCaptcha provides a barrier that helps to stop brute force attacks. However, the user experience is somewhat worsened by asking to select traffic lights every time they log in.
The beauty of this security plugin is that google reCaptcha is only to deployed to specific IP addresses and only after a user defined number of failed login attempts.
This is another way that GuardGiant implements brute force protection without disturbing genuine users.
Yes, GuardGiant supports IP address whitelists. For instance, you can whitelist the IP address of your office to ensure you always have access.
Caution is urged when using whitelists as they can provide an attack vector for brute force hackers.
Yes, you can whitelist individual users so that their accounts are never locked out.
Caution is urged when using whitelists as they can provide an attack vector for brute force hackers.
By default, WordPress login error messages indicate whether a valid username has been entered.
Attackers can use this functionality to harvest a list of usernames that are then used as part of a brute force attack.
Modern security implementations now recommend a generic ‘incorrect username/password’.
This security plugin implements obfuscation of login errors.
By default, WordPress does not track or limit the number of failed login attempts that can be made.
Without a security plugin or means to prevent brute force attacks, an attacker can try many thousands of login attempts in rapid succession to try to gain access.
It is important to note that the legacy approach of simply locking out users after a number of failed attempts is a poor solution that causes user frustration and can easily be exploited in a DDOS attack.
This security plugin implements modern best practice by tracking the devices that users log on with to ensure real users are never impacted.