Shield has some of the most effective WordPress login-security protection available.
It blocks all brute force WordPress login attempts using simple, non-intrusive techniques; it also ensures that the identities of all logged-in users have been verified.
There is no other plugin available, either free or paid, that has login protection to this degree.
In this article I’ll explain how we do it, why it works so well, and which options you should enable.
What does the WordPress Login Protection feature protect against?
Broadly speaking, the WordPress Login Protection feature has 2 main components:
- User Identity Verification – i.e. you are always who you say you are
- Brute Force Login Protection – i.e. no more account hacking
We’ll outline each of these below with full details of the options available.
User Identity Verification with Multi-Factor User Authentication
As explained here, multi-factor authentication ensures that the user attempting a WordPress login is verified as the legitimate user. Shield primarily uses email as the basis for this verification.
It offers 2 methods of two-factor authentication which can be used together to form multi-factor authentication.
Email-Based Two-Factor Authentication
There are two methods of email-based authentication to suit your needs depending on your type of WordPress login usage:
- IP address-based
- Cookie-based
IP Address Based Auth.
When verified by IP address, every time a page loads the plugin will check the logged-in user against the IP address that was stored in the database at the time of verification.
This means 2 things:
- If the IP address for a verified user changes (e.g. they move to a new location, or their ISP dynamically assigns a different IP) they will be immediately logged out, and must log in to WordPress again and verify their identity.
- The user account may only be used to create multiple WordPress login sessions from the same network location. For example, you can log in using Firefox and Chrome on the same computer and you will only have to verify your identity once, since the IP is the same.
You should use IP address two-factor authentication any time a user account is not shared among sessions in different geographic locations (i.e. use it where IP addresses don’t change often).
Cookie Based Auth.
When verified based on cookies, every time a page loads the plugin will check the logged-in username and the key found in their cookie with that stored in the database at the time of verification.
- Unlike IP-based authentication, you can log in to any account from any location as many times as you want.
You should use cookie-based two-factor authentication any time an account needs to be shared among different users with different IP addresses. Everyone who uses the WordPress user account must have access to the user profile’s email account to verify their identity.
Yubikey-Based Two-Factor Authentication
Yubikey is a hardware-based, two-factor authentication system. It provides a completely independent verification system that is not connected to either email addresses or user accounts of any kind.
They let you create one-time passwords (OTP) that are then verified against the Yubikey web service at the time of WordPress login.
We recommend Yubikeys as a highly effective, and cost-efficient authentication system, and have also implemented it for the iControlWP WordPress Management system.
Yubikey Unique Keys and WordPress Users
Before Yubikey authentication can be used, you must create a Yubikey App and API key. An explanation of how to do that can be found here.
Once this is done, you can begin assigning WordPress usernames to the Yubikeys themselves. This is done, as shown in the screenshot, by comma-separating a WordPress username and the unique 12-digit Yubikey ID.
Yubikey IDs are simply the first 12 digits of any Yubikey OTP, and you may assign multiple Yubikey IDs to the same user simply by starting a new line and repeating the username with the alternative ID.
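The username-to-Yubikey mapping described above, as an added example that is not Shield’s own code: it parses the comma-separated "username,yubikeyid" lines (several lines per user are allowed) and checks whether the first 12 characters of a submitted OTP belong to the user logging in. The mapping values are constructed, and the OTP itself would still have to be validated against the Yubikey web service, which is out of scope here.

```python
# Added example (not the plugin's code): parse the username / Yubikey-ID
# mapping and perform the local ownership check on a submitted OTP.
# Only the mapping format from the article is modelled; validating the
# OTP with the Yubikey web service is a separate step not shown here.
from typing import Dict, Set

YUBIKEY_ID_LEN = 12  # the ID is the first 12 characters of any Yubikey OTP


def parse_yubikey_mapping(text: str) -> Dict[str, Set[str]]:
    """One 'username,yubikeyid' pair per line; a user may appear on
    several lines to register several keys. Blank lines are skipped,
    malformed lines raise ValueError so a typo cannot silently lock
    a user out or register a key for nobody."""
    mapping: Dict[str, Set[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 2 or not all(parts):
            raise ValueError(f"line {lineno}: expected 'username,yubikeyid'")
        user, key_id = parts
        if len(key_id) != YUBIKEY_ID_LEN:
            raise ValueError(f"line {lineno}: Yubikey ID must be {YUBIKEY_ID_LEN} characters")
        mapping.setdefault(user, set()).add(key_id.lower())
    return mapping


def otp_matches_user(mapping: Dict[str, Set[str]], username: str, otp: str) -> bool:
    """True when the OTP's 12-character public ID is one registered for
    this user. Unknown users and short OTPs are simply rejected."""
    if len(otp) < YUBIKEY_ID_LEN:
        return False
    return otp[:YUBIKEY_ID_LEN].lower() in mapping.get(username, set())


# Constructed sample mapping (made-up IDs in the modhex alphabet).
SAMPLE_MAPPING = """
admin,ccccccbcgujh
admin,cccccclfkhjg
editor,ccccccdhtvnk
"""

if __name__ == "__main__":
    keys = parse_yubikey_mapping(SAMPLE_MAPPING)
    otp = "ccccccbcgujh" + "rtuvbcdefghijkln" * 2  # constructed 44-char OTP
    print("admin owns key:", otp_matches_user(keys, "admin", otp))
    print("editor owns key:", otp_matches_user(keys, "editor", otp))
```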
Brute Force Hacking Protection
Our Approach To Brute Force Login Protection Explained
In the last few years there have been a number of reports of brute force login attacks against WordPress websites. This is because the WordPress platform is now so prevalent that building a system to attack WordPress makes much more sense for anyone seeking more hacking success.
The Shield plugin blocks and limits brute force login attempts using 4 separate and highly effective techniques:
- two-factor authentication – there’s no way for a bot to know it’s successfully logged in if there are 2 authentication stages.
- login cool-down system – probably the most powerful system for brute force login prevention. It works by completely blocking login to a site until a given number of seconds have passed since the previous attempt.
- remote login prevention – ensures that logging into a site is done from the actual website login page/form, and not posted from a remote server.
Except for two-factor authentication, you’ll find none of these approaches uses the database to store IP address lists for blocking. IP addresses don’t matter and should not be used as the foundation of a WordPress security policy.
Read that again, because you’re probably so conditioned to think of IP blocking etc. that you believe this without even thinking about it.
Furthermore, if your website is being attacked by a distributed (meaning thousands of IP addresses) system of bots, blocking login attempts based on IP address is utterly futile, and only adds load to your server because of all the database writing and look-ups.
With Shield development, we took a step back and thought about the nature of the most recent attacks on WordPress. We discovered that IP addresses are not a sound foundation upon which protection should be designed.
That said, we do use the connecting address as the basis for identifying verified users. But this is completely different, since the IP address isn’t used to block, but rather to accept and match a user session to a verified identity.
There are 3 options available dedicated to preventing brute force attacks against the login on your WordPress sites, and we recommend you enable all of them unless for whatever reason they interfere with how you use your site.
Option: WordPress Login Cool Down
This feature alone should be enough to block all brute force login attempts.
The value you decide on here represents the time, in seconds, that WordPress will be forced to wait before processing any other login attempt after the previous attempt.
Without a cool-down feature, bots connecting from anywhere can try and authenticate with your site as much and as often as they can. Let’s take an example…
Say a bot tries 10 times a second without overloading your server:
- In 1 minute, that’s 600 attempts.
- In 1 hour, that’s 36000 attempts.
- In 1 day, that’s 864000 attempts.
- It takes 1.15 days to make a million requests to your site at that rate.
Instead, if you put a minimum of 5 seconds between login attempts, it would take nearly 60 days to perform a million requests. Way better! And it gets better the longer you make your cool-down period.
And, it doesn’t use the database to store attempts and counts etc., or care about IP addresses, or anything like that. It’s very efficient!
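The cool-down described above, as an added example that is not Shield’s own code: a single timestamp of the last login attempt is kept (no per-IP list, no database), and any attempt arriving within the cool-down window is refused before the password is even checked. The rule that a refused attempt also resets the wait is my reading of "since the previous attempt"; the helper at the end reproduces the article’s million-attempt arithmetic.

```python
# Added example (not the plugin's code): a global login cool-down gate.
# State is one timestamp; IP addresses play no part and nothing is
# written to a database, which is what makes the approach cheap.
import time


class LoginCooldown:
    def __init__(self, cooldown_seconds: float, clock=time.monotonic):
        self.cooldown = cooldown_seconds
        self.clock = clock          # injectable so the gate can be tested without sleeping
        self.last_attempt = None    # the only state kept

    def allow_attempt(self) -> bool:
        """Record this attempt and say whether it may proceed to password
        checking. A refused attempt still updates the timestamp (assumed
        reading of "since the previous attempt"), so a bot hammering the
        form keeps extending its own wait."""
        now = self.clock()
        allowed = self.last_attempt is None or now - self.last_attempt >= self.cooldown
        self.last_attempt = now
        return allowed


def days_for_attempts(seconds_between_attempts: float, attempts: int = 1_000_000) -> float:
    """Wall-clock days a bot needs for `attempts` tries at the given spacing.
    At 0.1 s (10 per second) a million tries take about 1.16 days; with a
    5 s cool-down they take about 57.9 days, the article's "nearly 60"."""
    return seconds_between_attempts * attempts / 86_400


if __name__ == "__main__":
    gate = LoginCooldown(5)
    print("first attempt allowed:", gate.allow_attempt())   # True
    print("immediate retry allowed:", gate.allow_attempt()) # False
    for spacing in (0.1, 5, 30):
        print(f"{spacing:>5} s between attempts -> {days_for_attempts(spacing):.1f} days per million")
```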
Option: Login GASP Protection
It was coined the G.A.S.P. comment protection. We have adapted this feature and improved its resiliency against spambots and use this in our comments filtering feature.
But, we thought, why not add exactly the same protection to the WordPress login form? It was highly-effective with comments, why not with logins?
So we did.
When enabled, it will add a checkbox to the WordPress login form that requires users to click it (see screenshot).
Option: Prevent Remote Login
To log into your WordPress site, normally you go to your site’s wp-login.php page, right?
Well, you don’t actually need to. You can create an HTML file with a form that contains all the right elements, save it to your desktop computer and use that to log in.
The point being, you don’t need to browse to your website to submit the login form.
This is how login bots work… they don’t “browse” to your site, fill in the form, and then go to your WP admin area like you do. Instead they submit the login form directly to your wp-login.php.
When you enable this option we check for the special header information that tells us where this login form is being submitted from… and if we detect that it’s not from your own site, we block the attempt.
This alone isn’t enough to prevent brute force attacks, it’s just 1 option… and this special header information can be faked. But the effect we achieve with this option enabled is battening down the hatches: finding all the little ways we can detect bots and placing more responsibility on the bots to “get it right”.
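The remote-login check described above, as an added example that is not Shield’s own code: the request’s Origin and Referer headers (my assumption for the "special header information") are compared with the site’s own host, and a login POST that names another host, or carries neither header, is refused. The site host and headers are constructed values.

```python
# Added example (not the plugin's code): decide whether a login POST
# appears to come from our own login page. As the article says, these
# headers can be faked, so this is one cheap hurdle among several.
from typing import Mapping, Optional
from urllib.parse import urlsplit


def _header_host(value: Optional[str]) -> Optional[str]:
    """Lower-cased host (no port, no path) from a URL-valued header."""
    if not value:
        return None
    host = urlsplit(value).hostname
    return host.lower() if host else None


def login_post_is_local(headers: Mapping[str, str], site_host: str) -> bool:
    """True only when every Origin/Referer header present names site_host
    exactly (so 'example.com.evil.example' does not pass) and at least one
    of them is present; header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    site = site_host.lower()
    seen = [_header_host(h.get(name)) for name in ("origin", "referer")]
    present = [host for host in seen if host is not None]
    if not present:
        return False  # no claim of origin at all: treat as a direct remote POST
    return all(host == site for host in present)


# Constructed sample requests against a constructed site host.
SITE_HOST = "example.com"
SAMPLE_REQUESTS = {
    "browser on our login page": {"Referer": "https://example.com/wp-login.php",
                                  "Origin": "https://example.com"},
    "form saved on a desktop":   {},
    "posted from another host":  {"Referer": "http://other.example/login.html"},
    "look-alike host":           {"Origin": "https://example.com.evil.example"},
}

if __name__ == "__main__":
    for label, headers in SAMPLE_REQUESTS.items():
        verdict = "accept" if login_post_is_local(headers, SITE_HOST) else "block"
        print(f"{label:<28} -> {verdict}")
```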
Shield security offers High Grade Login Protection
As you can see from the explanation of these options, the Shield plugin offers extremely effective protection against WordPress login attacks, and provides tried and tested methods for verifying the identity of users active on the system.
We’ve chosen to take a fresh approach to solving WordPress brute force hacking attempts, rather than follow the herd and create a copy-cat security system that adds weight and load to your already burdened WordPress system.
We’re always open to feedback about new ways to improve our Login Protection and two-factor authentication options, so please leave a comment below if you have ideas or suggestions for us.