Is this sufficient plugin to prevent brute force attacks?

https://wordpress.org/plugins/limit-login-attempts/ seems basic,but it would block an unsuccessful attempts for any defined period of times.

 

Its good but not sufficient

 

can you elaborate on your answer?

 

"This plugin hasn't been updated in over 2 years". This can be a problem. I have good experience with "ithemes security".

 

But why plugin's age can play a role when it's working fine. It's very simple: You try to log in and fail, you get banned for a period of time. Simple, yet effective.

 

In general, old (not updated) plugins might present a way in to the system, due to bad security, vulnerabilities not been fixed, etc.

 

You should consider a WAF with latest rule sets. Examples are: mod_security or CloudFlare WAF. A WAF would mitigate a whole lot of vulnerabilities including SQL injections.

 

It definitely not enough.
I use Wp security for changing my admin username, changing the login web adress, bots protectors, captchas and many other security measures in addition to ban failed login attempts.

That plugin was not enough. Just install wp security don't change nothing and check out "failed login attempts". You will be shocked, trust me

 

Use iThemes Security It notifies you about bad login attempts as well

 

or "Wordfence Security" plugin. I tried both and like WS better.

 

To avoid Brute force attack , do not use "limit-login-attempts" plugin, simply disable wp-admin publicly and enable it for your local machine only using .htaccess rule, so that you can only access it.

 

That would entice having a static IP for your broadband-connection - very few user's have this available, and balk at paying more to have it. Limiting login-attempts is an okay way of limiting the possibility of people brute-forcing, but if the attacker has access to a dynamic proxy, it can hop between IP-addresses frequently and avoid the block - I haven't looked into the plugin, so I dunno if it stores the faulty attempts for a period or not, but if it doesn't, then one could simply jump between two IP-adresses and avoid the block alltogether.

 

No its not enough on its own. That plugin can easily be bypassed if you know what you are doing.
Better off installing ithemes or wordfence security plugin. Has lot more lockdown options than that 1 plugin alone has.

 

This comparison of Better WP Security vs Wordfence Security could be useful in making decisions:
http://www.reginaldchan.net/better-...ty-the-battle-best-wordpress-security-plugin/

 

The drawback of Wordfence plugin is that it increases page loading time by almost 100ms. I checked with P3 (Plugin Performance Profiler) and it shows only 40-50ms but when test with webpagetest.org I consistently see extra delays around 100ms.

Can anybody share their observations/numbers on Better WP Security?

 

Whatever security plugin you use just MAKE SURE TO RENAME ADMIN account!

Yesterday night I decided to enable option Wordfence "Alert when someone is locked out from login" on one of my less important low traffic blogs. I was surprised to receive 35 emails - 35 people tried to hack the blog using "admin" ID.

Here is what you get in email from WF:
A user with IP address 78.7.54.54 has been locked out from the signing in or using the password recovery form for the following reason: Used an invalid username 'admin' to try to sign in.
User IP: 78.7.54.54
User hostname: 78-7-54-54-static.albacom.net

I certainly didn't expect 35 hack attempts in 12 hours for some small unknown blog...

 

100ms extra load time pr page is... not really a big issue, unless it compounds on multiple users at the same time.

 

Well, I set the plugin to log failed attempts and ban those IP's for 24 hours on **any** log-in attempts(lol, I had to write the pass down to make sure it doesn't happen to me). I am still getting a lot of hits on wp-admin(1000s,but over the course of 1 week, I only had 40 failed attempts. Not as much as I thought I'd have.
All attempts are for "admin". I have it renamed to a much much complicated username so I can't see them hacking the website in this way in a near 100 years...

 

Thats the best method

I did the same thing for my site. I renamed admin's user name and password to something impossible. Which I dont remember, i created an admin account for myself but still if my account is hacked, i have super admins account safe.

Set the lockout time for the ip for 24 hours. I had some people attacking my website, soo many people actually. Set ip to lockout 24 hours if more than 3-5 login attempts and immediate lockout if username is admin

Just register a fake account with admin username with subscriber permission.

Use iThemes Security, it has all the options you need.

 

That's an interesting way of doing it. How can we go about implementing this method?