Brute Force Protection
Protect your WordPress sites against brute force attacks.
Stay safe with automatic login limiting, CAPTCHA, two-factor authentication, and smart IP blocking.
Brute force attacks are one of the most common attack types targeting WordPress sites. Attackers try to gain unauthorized access by testing thousands of username and password combinations against entry points like wp-login.php and xmlrpc.php. These attacks are a security risk and also consume your server resources, slowing down your site. With Birtıkta's brute force protection, you can shield your sites with multi-layered security against these attacks.
Protection Layers
- Login Attempt Limiting: Set the maximum number of login attempts allowed within a specific time period. When the limit is exceeded, the IP address is automatically blocked temporarily or permanently.
- Smart IP Blocking: IP addresses showing suspicious behavior are automatically detected and blocked. Continuously updated blacklist protection is provided through known attack IP databases.
- CAPTCHA Protection: Add CAPTCHA to the login page to block bot attacks. Human users can log in easily while automated attack tools are stopped.
- Two-Factor Authentication (2FA): Add a second verification layer beyond username and password. Even if your password is compromised, your account stays safe.
- Login URL Change: Replace the default wp-login.php address with a custom URL, making it harder for attackers to find your login page.
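
An added example (not Birtıkta's code) of the login attempt limiting and IP whitelist behaviour this page describes: a per-IP sliding window over web access-log lines that counts POSTs to wp-login.php and xmlrpc.php together. The threshold, window length, log format, helper names and sample IPs are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values for illustration (not Birtıkta defaults).
MAX_ATTEMPTS = 5                      # allowed attempts per window
WINDOW = timedelta(minutes=10)
ALLOWLIST = {"203.0.113.10"}          # whitelisted IPs are never blocked
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def parse(line):
    """Return (ip, time) for a POST to a login entry point in a combined-format log line."""
    m = LINE_RE.match(line)
    if m and m[3] == "POST" and m[4].split("?")[0] in LOGIN_PATHS:
        return m[1], datetime.strptime(m[2], "%d/%b/%Y:%H:%M:%S %z")
    return None

def find_blocked(lines):
    """Sliding window per IP; returns {ip: time the limit was exceeded}."""
    recent, blocked = defaultdict(deque), {}
    for line in lines:
        hit = parse(line)
        if hit is None or hit[0] in ALLOWLIST or hit[0] in blocked:
            continue
        ip, when = hit
        q = recent[ip]
        q.append(when)
        while when - q[0] > WINDOW:   # drop attempts older than the window
            q.popleft()
        if len(q) > MAX_ATTEMPTS:
            blocked[ip] = when
    return blocked

def sample_line(ip, minute, second, path, method="POST"):
    return (f'{ip} - - [12/Mar/2024:10:{minute:02d}:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" 200 512')

# Constructed sample log (documentation-range IPs, not real traffic).
SAMPLE = (
    [sample_line("198.51.100.7", 0, s, "/wp-login.php") for s in (0, 10, 20, 30)]
    + [sample_line("198.51.100.7", 0, s, "/xmlrpc.php") for s in (40, 50)]
    + [sample_line("203.0.113.10", 1, s, "/wp-login.php") for s in range(8)]
    + [sample_line("192.0.2.44", m, 0, "/wp-login.php") for m in (0, 3, 6, 9, 12, 15)]
    + [sample_line("192.0.2.44", 16, s, "/wp-login.php", "GET") for s in range(9)]
)

if __name__ == "__main__":
    print(find_blocked(SAMPLE))
```

Only 198.51.100.7 is flagged: its attempts are split across both entry points but counted as one total, while the slow client stays under the limit and the whitelisted address is skipped.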
Real-Time Monitoring
- Live Attack Tracking: Monitor login attempts to your site in real time. Instantly see which IP addresses are making attempts and with which usernames.
- Attack Reports: Track your site's security status with daily, weekly, and monthly attack reports. Blocked attack counts, top attacking IP addresses, and attack trends are reported.
- Instant Notifications: Receive email and mobile notifications when heavy attacks are detected or when a successful login occurs.
xmlrpc.php Protection
WordPress's xmlrpc.php file is a frequently used entry point for brute force attacks. With Birtıkta, you can completely block attacks through xmlrpc.php or allow access only to trusted applications. This way, you can continue using services like the mobile app and Jetpack while stopping attacks.
Frequently Asked Questions
Quite the opposite — brute force protection improves your site's speed. Attack requests are blocked before reaching your server, so your server resources are reserved for real visitors.
No, two-factor authentication is optional. However, we strongly recommend enabling it especially for administrator accounts. Google Authenticator and SMS verification are supported.
With the IP whitelist feature, you can protect your own IP addresses and trusted addresses. Whitelisted IP addresses are never blocked.
Yes, you can completely disable xmlrpc.php or allow access only to specific applications (like Jetpack, mobile app).
Yes, changing the login URL provides an additional security layer. Attackers can't find the default wp-login.php address. If you forget the new URL, you can reset it from the Birtıkta panel.
Yes, you can apply brute force protection rules to all your WordPress sites in bulk. Individual configuration per site is also possible.