All In One Security – Brute Force
Script & Screenshots
In this video I’m going to walk you through the All In One Security Brute Force settings.
This is where you configure the Brute Force Protection.
To get here, click on WP Security, then Brute Force.
The first tab is the Rename Login Page. This will change the login page URL from wp-admin to whatever you choose in this step. By doing this, bots and hackers will not be able to access your login page because they will not know the correct URL. I used to always use this feature, but I ran into one instance where the site was hacked and I could no longer log in with this plugin activated, because I had renamed this page. Even after doing a restore, I still can’t get to the login page unless I have this plugin deactivated. So be careful with this setting. More often than not, it has worked fine for me, but know that it can also cause issues.
If you would like to rename your login page, in the Rename Login Page Settings box, check the box to enable it. For the Login Page URL, type in what you’d like to change the new string to be. It can be anything you want. Make it something easy for you to remember, but hard enough for someone to guess. Be sure to write it down somewhere so that you don’t forget it. If you make any changes, click the Save Settings button.
The next tab is Cookie Based Brute Force Prevention. A Brute Force Attack is when a hacker tries many combinations of usernames and passwords until they succeed in guessing the right combination. This setting is similar to the previous tab. Because they are so similar, you can only have one of them enabled: enabling one will automatically disable the other.
If many automated robots try to simultaneously log into your website, it can have a negative impact on your server’s memory and performance. Enabling this feature will stop the majority of these attacks at the .htaccess level. This will provide better protection for your login page and also reduce the load on your server.
This is an Advanced setting, so I recommend that you make a back-up copy of your .htaccess file before proceeding. If this feature is not used correctly, you can get locked out of your site. And once again, be sure to write it down so that you don’t forget your new link.
Enable Brute Force Attack Prevention: Check this box if you want to enable the cookie login prevention.
Secret Word: Enter your secret word in the text box. This will create your new URL. I suggest choosing a word that would be difficult to guess.
Re-direct URL: This is the URL that the user will be re-directed to if they don’t have the secret URL that you create. If you leave it at the default it will take them to your home page.
The next setting is My Site Has Posts or Pages Which Are Password Protected: check this box if you are using the password protection feature for some or all of your blog posts or pages.
My Site Has a Theme or Plugins Which Use AJAX: In the cases where your website has a theme or plugins that use AJAX, a few extra lines of code need to be added to your .htaccess file to prevent AJAX requests from being automatically blocked by this feature. Enabling this option will add the extra code for you.
Click on the Perform Cookie Test button before you enable this feature. It will run a test to make sure your browser cookie is working correctly so that it doesn’t lock you out. If your site passes the test, it will let you know that it passed. It will then change the button to say Save Feature Settings. Once you click on that button, it will activate your settings.
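To show what “stopping the attack at the .htaccess level” looks like in practice, here is an added illustration of a cookie gate written as mod_rewrite rules. It is not the plugin’s own generated code; the secret word bluewhale, the cookie name login_gate and the domain example.com are placeholders you would replace with your own values. Because the redirect happens inside Apache, wp-login.php is never executed for a request that lacks the cookie, which is why the feature reduces server load as well as blocking guesses.

```apache
# Added illustration, not the rules the plugin writes.
# Placeholders: secret word "bluewhale", cookie "login_gate", domain ".example.com".
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

# 1. Visiting https://example.com/?bluewhale=1 sets the gate cookie for 240 minutes
#    (site-wide path, Secure + HttpOnly) and bounces the visitor to the real login
#    page. The trailing "?" strips the secret word from the redirected URL.
RewriteCond %{QUERY_STRING} ^bluewhale=1$ [NC]
RewriteRule ^ /wp-login.php? [CO=login_gate:1:.example.com:240:/:secure:httponly,R=302,L]

# 2. Any request for wp-login.php or /wp-admin/ that does not carry the cookie is
#    sent to the home page (the "Re-direct URL") before PHP ever starts.
#    The two exclusions correspond to the two checkboxes described above:
#      - action=postpass is the form visitors submit to view password-protected posts
#      - admin-ajax.php is what themes and plugins call for AJAX, even when logged out
RewriteCond %{REQUEST_URI} ^/(wp-login\.php|wp-admin/) [NC]
RewriteCond %{REQUEST_URI} !^/wp-admin/admin-ajax\.php [NC]
RewriteCond %{QUERY_STRING} !action=postpass [NC]
RewriteCond %{HTTP_COOKIE} !(^|;\s*)login_gate=1 [NC]
RewriteRule ^ / [R=302,L]
</IfModule>
```

The Perform Cookie Test button exists for exactly the failure mode this file has: if your browser cannot store the cookie from step 1 (cookies disabled, a domain mismatch, or the site served over plain HTTP while the cookie is marked Secure), step 2 will redirect you away from your own login page. If that happens, remove these lines from .htaccess with FTP or your hosting file manager to get back in.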
Next is the Login Captcha tab. Here you can add a captcha to the login page.
Starting with the Login Form Captcha Settings. This feature allows you to add a captcha form on the login page. Anyone who tries to log in must enter the answer to a simple mathematical question. If they enter the wrong answer, the plugin will not allow them to log in even if the username and password are correct.
Custom Login Form Captcha Settings: check this if you want to insert a captcha on a custom login form.
Enable Captcha On Lost Password Page: check this box if you want to insert a captcha form on the lost password page.
Click the Save Settings button to save your changes.
The Login Whitelist tab. The All In One WP Security Whitelist feature gives you the option of only allowing certain IP addresses or ranges to have access to your login page. The plugin achieves this by writing the appropriate directives to your .htaccess file.
Check the Enable IP Whitelisting box if you’d like to enable this feature. To the right of Your Current IP Address, the plugin displays your IP so you can copy and paste it into the Enter Whitelisted IP Addresses box below. You can also enter a wildcard so that any IP in that range has access. Click on the More Info button to see some examples.
The only downside I see from this option is if your IP Address ever changes, you could run into issues. Make sure you make a backup of your .htaccess file. I’m assuming if your IP changes, you could edit the .htaccess file, but I don’t know that for sure. That is one reason I rarely enable this feature.
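For a sense of what the plugin writes into .htaccess for this tab, here is an added example of a login whitelist as plain Apache 2.4 directives (not the plugin’s own output; the addresses are constructed documentation ranges, not real ones). Because the restriction lives in the file itself, it can be edited or removed with FTP or a hosting file manager even when you can no longer reach the login page, which is the recovery path if your IP address changes.

```apache
# Added example, not the plugin's generated directives.
# Addresses below are constructed placeholders from the documentation ranges.
<IfModule mod_authz_core.c>
<Files "wp-login.php">
    <RequireAny>
        # A single home or office address
        Require ip 203.0.113.42
        # A whole range: the CIDR form of a wildcard entry such as 198.51.100.*
        Require ip 198.51.100.0/24
        # A partial address also works and covers 192.0.2.0 - 192.0.2.255
        Require ip 192.0.2
        # IPv6 ranges are written the same way
        Require ip 2001:db8:1::/48
    </RequireAny>
</Files>
</IfModule>
```

Everything not listed gets a 403 from Apache before WordPress loads. One caveat a defender should check before relying on this: if your site sits behind a proxy or CDN, Apache sees the proxy’s address rather than the visitor’s, so the whitelist will either lock everyone out or let everyone through unless the server is configured (for example with mod_remoteip) to trust the forwarded client address.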
The last tab is the Honeypot Tab. This feature allows you to add a special hidden honeypot field on the login page. This will only be visible to robots. Since robots usually fill in every input field from the login form, they will submit a value for this special hidden field. If that field contains a value when it’s submitted, then that robot will be redirected to the localhost address.
Click on the Save Settings button if you enable this option.
That’s it for this video. I’ll see you in the next one.