We’re not doing this every week; only some… but this week’s “plugin of the week” is BruteProtect.
BruteProtect adds brute-force login protection (i.e. password guessing protection) to your WordPress website – with a particular twist. Most brute-force login protection plugins can only protect your site against the same attacker trying again, and again. This doesn’t work so well with many of today’s attacks, where different attackers (that is to say, different IP addresses) try just a few times each. They may not try more than 3 times each – and then never be seen again. So, blocking them achieves nothing.
BruteProtect adds the power of the network to this problem – every site that has BruteProtect installed will benefit from the knowledge of every other site. BruteProtect’s servers are informed when a failed login happens, and the IP address is noted. In this way, a list of known bad IP addresses is collected – and login attempts from these IP addresses can be blocked on your site too.
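The difference between per-site lockout and a shared list can be seen in a small simulation. This is an added example, not BruteProtect's code or its actual algorithm: the thresholds, the site names and the `shared_blocklist` rule are assumptions, and the login events are constructed sample data.

```python
from collections import Counter, defaultdict

# Constructed sample data: one (site, source IP) pair per failed login.
# Addresses come from the RFC 5737 documentation ranges.
FAILED_LOGINS = (
    [("site-a.example", "203.0.113.10")] * 3
    + [("site-b.example", "203.0.113.10")] * 3
    + [("site-c.example", "203.0.113.10")] * 3
    + [("site-a.example", "198.51.100.7")] * 2
    + [("site-b.example", "198.51.100.7")] * 3
    + [("site-c.example", "192.0.2.55")] * 1  # one user mistyping a password
)

# Assumed values for illustration, not BruteProtect's real settings.
LOCAL_THRESHOLD = 5    # failures from one IP before a single site locks it out
NETWORK_THRESHOLD = 5  # failures summed over all sites before the shared ban
MIN_SITES = 2          # IP must have failed on at least this many sites


def local_lockouts(events, threshold=LOCAL_THRESHOLD):
    """IPs each site would block using only its own failed-login counts."""
    per_site = defaultdict(Counter)
    for site, ip in events:
        per_site[site][ip] += 1
    return {site: {ip for ip, n in counts.items() if n >= threshold}
            for site, counts in per_site.items()}


def shared_blocklist(events, threshold=NETWORK_THRESHOLD, min_sites=MIN_SITES):
    """IPs a central server would ban after pooling reports from every site."""
    totals = Counter()
    sites_seen = defaultdict(set)
    for site, ip in events:
        totals[ip] += 1
        sites_seen[ip].add(site)
    # Requiring several sites keeps a single mistyped password off the list.
    return {ip for ip, n in totals.items()
            if n >= threshold and len(sites_seen[ip]) >= min_sites}


def is_blocked(site, ip, events):
    """A login is refused if either the site's own rule or the shared list hits."""
    return (ip in local_lockouts(events).get(site, set())
            or ip in shared_blocklist(events))
```

With this data no individual site ever reaches its own lockout threshold, yet the pooled counts ban both low-and-slow addresses everywhere, including on a site they have never touched.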
BruteProtect is one of those “install and forget” plugins – it just does its job. It’s been well-maintained, has had decent support, has a 4.8 star rating, and looks to have a secure future, having been acquired by Automattic recently – who have pledged to keep the service free (running the servers costs money, of course). The 2.0 release added further features for keeping your plugins and themes up to date – but we’ve not yet looked at these. Apparently in future, BruteProtect will be merged into Automattic’s Swiss-army-knife Jetpack plugin. I’m not a big fan of Jetpack – I like my plugins to do one thing, and to do it well. But that’s a matter of taste – and it’s possible that someone will maintain a stand-alone version of the plugin in future, if and when the big Jetpack merge does happen.
Brute-force login attacks are an entirely theoretical issue – right up until someone breaks into your website, and defaces or deletes it. (We’re glad you’ve got good backups, ahem!). With a plugin like BruteProtect, they should for the larger part be able to stay that way – not actual, but theoretical. It’s not a complete security solution, and does not aim to be – but it’s a handy part of a solution. Once again, here’s its wordpress.org plugin page: https://wordpress.org/plugins/bruteprotect/
David Anderson (founder, lead developer, UpdraftPlus)