Using the ‘Cookie Based Brute Force Login Attack’ Prevention Feature

A Brute Force Login Attack is one way in which a hacker tries to gain entry. This is when the attacker will keep on trying to guess the password for a WordPress account, all the while assuming that they know the username. This can be done manually or with a script.

A Firewall feature that involves user accounts, that is considered “Intermediate” and adds another 20 points to the Security Strength Meter, is the ‘Cookie-Based Brute Force Login Prevention’ feature.

While repeated failed attempts at guessing a WordPress username and password combination could get an IP Address locked out, it also takes up valuable server resources. Especially when there are repeated attempts concurrently (from malicious automated robots), this has a negative impact on the server’s memory and performance.

There are new additions to the .htaccess file when implementing this feature. Basically what it does is hide the default WordPress login page from the public. If they cannot access the login page, they cannot login.

The way it works essentially is: you specify a “secret word” to the plugin, which creates a special URL. The special (secret) URL, when visited, deposits a cookie on the computer which, when present, allows that individual to visit the WordPress login page as usual. Without knowledge of the special URL (i.e. having the cookie), the user will be redirected to a different IP Address or URL that you configure. This could be to any site on the web but the default is http://127.0.0.1 which represents the local machine of the web site visitor.

Don’t worry, if there are password protected posts or pages on the site, there is a provision in place that prevents visitors needing access to that content from needing to know the special URL. Turning this on however, could provide a new backdoor to the login page for those that know the location of these pages (most often it won’t be hackers though). Only turn on this feature when necessary, none the less.

Steps for Setting up the Cookie Based Brute Force Login Attack Feature

Below are the quick steps for implementing the cookie based brute force login attack prevention feature for WordPress.

1. Of course, get the plugin installed in whatever way you normally do so.
2. Go to WP Security >> Firewall >> Brute Force Prevention once the plugin in installed and activated.
3. Scroll to the bottom of the page to do a quick cookie test to make certain that this feature will in fact work for you on the machine that you are using. Click the Perform Cookie Test button.
4. Next, put a check-mark in the box to Enable Brute Force Attack Prevention.
5. Create a Secret Word which will be used for the secret URL, which in turn creates the cookie that authorizes access to WordPress login URL when visited.
6. You are probably done at this point and you can save your changes. Optionally modify the Re-direct URL if you want to be clever. And if your site does in fact have password protected posts or pages, check the option for My Site Has Posts Or Pages Which Are Password Protected.

After saving your settings, make note of the secret URL (in your mind preferred) and you are in business.

What if Something Goes Wrong When I Use this Feature?

Simply restore your htaccess file.